100+ Free CCDL2 Practice Questions

Certified CyberDefender Level 2 (CCDL2, formerly CCD) practice questions are available now; exam metadata is being verified.


Key Facts: CCDL2 Exam (2026 statistics, source: CyberDefenders)

Exam Duration: 48 hours
Exam Domains: 4 domains
Exam Cost: ~£600
Free Retake Included: 1 retake
Course Access: 4 months
Hands-on Labs: 25+

The CCDL2 (formerly CCD) is CyberDefenders' flagship DFIR certification. The 48-hour practical exam requires investigating real-world incidents in a browser-based lab with a dedicated Elastic SIEM instance. Graders evaluate both correct answers and investigative methodology, with partial credit available. Course access (4 months, 25+ labs) and one free retake are included. The exam covers four domains: Threat Hunting, Disk Forensics, Memory Forensics, and Network Forensics.

Sample CCDL2 Practice Questions

Try these sample questions to test your CCDL2 exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. In a SOC environment, a Tier 1 analyst receives an alert for a suspicious outbound connection on port 443 to an unknown IP. After verifying the IP is flagged as malicious in threat intelligence feeds, what is the MOST appropriate immediate next step?
A. Escalate to Tier 2/3 with full context, preserve evidence, and initiate the incident response process
B. Block the IP at the firewall and close the alert as resolved
C. Notify the end user and ask them to restart their machine
D. Wait 24 hours to gather more alerts before taking action
Explanation: Escalating to a higher-tier analyst while preserving evidence follows the incident response lifecycle. Tier 1 analysts should collect context (endpoint, user, timeline, traffic logs) and escalate rather than independently applying remediations that could destroy forensic evidence or cause alert fatigue if incorrectly handled.
2. Which NIST SP 800-61 incident response phase focuses on stopping an attacker's foothold from spreading to additional systems?
A. Containment
B. Detection and Analysis
C. Eradication
D. Post-Incident Activity
Explanation: Containment is the phase where responders act to limit the scope and impact of an incident. It includes isolating affected systems, blocking malicious network traffic, and preventing lateral movement while preserving evidence for subsequent eradication and recovery actions.
3. A threat hunter analyzing Elastic SIEM logs wants to identify processes that spawned cmd.exe from a browser process (e.g., chrome.exe). Which KQL query pattern correctly targets this parent-child relationship?
A. process.name: cmd.exe AND process.parent.name: chrome.exe
B. process.name: cmd.exe AND event.type: start
C. event.category: process AND process.executable: *cmd*
D. winlog.event_id: 4688 AND process.name: chrome.exe
Explanation: KQL (Kibana Query Language) in Elastic SIEM supports parent-child process field relationships. The field process.parent.name captures the spawning process, so combining process.name: cmd.exe AND process.parent.name: chrome.exe precisely identifies cmd.exe shells spawned by Chrome, a common living-off-the-land or drive-by compromise indicator.
4. During memory forensics with Volatility 3, which plugin is used to list all active network connections and listening sockets on a Windows memory image?
A. windows.netscan
B. windows.pslist
C. windows.cmdline
D. windows.dlllist
Explanation: The windows.netscan plugin in Volatility 3 scans memory pool allocations for TCP endpoint, TCP listener, and UDP endpoint structures (pool tags TcpE, TcpL, and UdpA) to enumerate both active TCP/UDP connections and listening sockets, including local and remote addresses, ports, owning PIDs, and process names. Because it carves pool memory rather than walking a live list, it can also recover closed or unlinked connections. This is essential for identifying C2 beaconing or data exfiltration channels present in memory.
5. An investigator examining a Windows disk image finds the file path C:\Users\victim\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations. What forensic artifact type is stored here?
A. Windows Jump Lists (custom destinations)
B. Browser history cookies
C. Windows prefetch files
D. Registry hive transaction logs
Explanation: Jump Lists are stored in two locations: AutomaticDestinations and CustomDestinations under AppData\Roaming\Microsoft\Windows\Recent\. CustomDestinations are created by applications that explicitly pin items. Forensically, Jump Lists reveal recently and frequently accessed files and folders, even after the files themselves have been deleted.
6. A malware sample communicates with its C2 over HTTPS but uses a self-signed certificate with an unusual Subject CN. Which network forensics technique is MOST effective for detecting this traffic pattern at scale?
A. Full packet capture and manual inspection of every TLS handshake
B. DNS sinkholing of known malicious domains
C. TLS certificate metadata analysis (JA3/JA3S fingerprinting)
D. Blocking all outbound port 443 traffic at the perimeter
Explanation: JA3 hashes the parameters of the TLS ClientHello (version, cipher suites, extensions, elliptic curves, and point formats) into an MD5 fingerprint, and JA3S does the same for the ServerHello response. These fingerprints are often distinctive enough to identify specific malware C2 clients and servers over encrypted channels without decrypting traffic. Tools such as Zeek (with the JA3 package) and Suricata generate these hashes automatically, enabling scalable detection.
7. When performing static malware analysis on a suspected PE binary, which command extracts printable ASCII strings of at least 8 characters to look for hardcoded C2 addresses, registry keys, or encoded payloads?
A. strings -n 8 malware.exe
B. file malware.exe
C. xxd malware.exe | head
D. md5sum malware.exe
Explanation: The `strings` command with `-n 8` (minimum length 8) filters out noise from short byte sequences and extracts meaningful ASCII text such as URLs, IP addresses, registry paths, function names, and error messages embedded in the binary. This is a foundational first step in static analysis before reversing with disassemblers.
8. An incident responder identifies that an attacker used LLMNR/NBT-NS poisoning to capture NTLMv2 hashes. Which tool is commonly used to perform this network-based credential harvesting attack?
A. Responder
B. Mimikatz
C. BloodHound
D. Impacket secretsdump
Explanation: Responder is the canonical tool for LLMNR/NBT-NS poisoning. It responds to broadcast name resolution queries on the local network, tricking clients into authenticating to the attacker's machine and capturing NTLMv2 challenge-response hashes for offline cracking or relay attacks. Defenders should disable LLMNR and NBT-NS in group policy to mitigate this.
9. In Elastic SIEM, a threat hunter wants to detect Kerberoasting activity. Which Windows Security Event ID, combined with a service ticket encryption type of RC4-HMAC (0x17), provides the strongest signal?
A. Event ID 4624
B. Event ID 4768
C. Event ID 4769
D. Event ID 4776
Explanation: Windows Event ID 4769 (Kerberos Service Ticket Request) is generated when a TGS (Ticket Granting Service) ticket is requested. When the encryption type field shows 0x17 (RC4-HMAC) for service accounts, this strongly indicates Kerberoasting: attackers request RC4-encrypted TGS tickets to crack offline. Modern environments should use AES (0x12/0x11) instead.
10. During disk forensics on a Windows system, an examiner finds a file with a $DATA stream and a separate named stream, e.g., malware.exe:hidden_payload. What NTFS feature is being exploited?
A. Alternate Data Streams (ADS)
B. Volume Shadow Copies
C. Master File Table (MFT) slack space
D. Journaling ($LogFile)
Explanation: NTFS Alternate Data Streams (ADS) allow multiple data streams to be attached to a single file without changing its apparent size. Malware uses ADS to hide payloads, configuration data, or additional executables. Tools like `dir /r` or Sysinternals Streams.exe reveal ADS, which are invisible in Windows Explorer and to standard `dir` commands.
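The Event ID 4769 signal from question 9, turned into triage logic over constructed log records. This is an added example, not CyberDefenders' or the exam's code; the flat field names (event_id, user, service, etype, src) are an assumed simplification of the Winlogbeat 4769 fields, and the threshold of two distinct SPNs per requester is an assumption to tune per environment.

```python
"""Kerberoasting triage over Windows Security Event ID 4769 records.

Added example for the CCDL2 practice question on Event ID 4769. The records
are constructed; field names are an assumed flattening of the 4769 event data
(TargetUserName, ServiceName, TicketEncryptionType, IpAddress).
"""
from collections import defaultdict

RC4_HMAC = "0x17"          # etype flagged in the question
AES_TYPES = {"0x11", "0x12"}  # AES128 / AES256, the expected modern values

SAMPLE_EVENTS = [  # constructed sample, not real telemetry
    {"event_id": 4769, "user": "alice@CORP.LOCAL", "service": "krbtgt", "etype": "0x12", "src": "10.0.0.5"},
    {"event_id": 4769, "user": "alice@CORP.LOCAL", "service": "WS01$", "etype": "0x12", "src": "10.0.0.5"},
    {"event_id": 4769, "user": "bob@CORP.LOCAL", "service": "svc_sql", "etype": "0x17", "src": "10.0.0.9"},
    {"event_id": 4769, "user": "bob@CORP.LOCAL", "service": "svc_backup", "etype": "0x17", "src": "10.0.0.9"},
    {"event_id": 4769, "user": "bob@CORP.LOCAL", "service": "svc_web", "etype": "0x17", "src": "10.0.0.9"},
    {"event_id": 4768, "user": "bob@CORP.LOCAL", "service": "krbtgt", "etype": "0x17", "src": "10.0.0.9"},
    {"event_id": 4769, "user": "legacy_app@CORP.LOCAL", "service": "svc_print", "etype": "0x17", "src": "10.0.0.7"},
]


def is_rc4_service_ticket(ev):
    """True for a TGS request (4769) with RC4-HMAC, excluding the krbtgt
    service and machine accounts (trailing '$'): both commonly show RC4 for
    benign reasons and would drown the service-account signal."""
    if ev["event_id"] != 4769 or ev["etype"] != RC4_HMAC:
        return False
    svc = ev["service"]
    return svc.lower() != "krbtgt" and not svc.endswith("$")


def kerberoast_candidates(events, min_distinct_services=2):
    """Group RC4 TGS requests by requesting user and flag users that asked for
    RC4 tickets to several distinct SPNs. One legacy app pulling one RC4
    ticket is noise; one principal sweeping many SPNs is the roasting pattern."""
    per_user = defaultdict(set)
    for ev in filter(is_rc4_service_ticket, events):
        per_user[ev["user"]].add(ev["service"])
    return {u: sorted(s) for u, s in per_user.items() if len(s) >= min_distinct_services}


if __name__ == "__main__":
    for user, spns in kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"{user}: RC4 TGS requests for {len(spns)} SPNs -> {', '.join(spns)}")
```

The same filter expressed in KQL is the page's own pattern (event.code: 4769 plus the encryption type field equal to 0x17); the grouping step is what turns individual hits into a per-requester hunt.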

About the CCDL2 Practice Questions

Verified exam format metadata for Certified CyberDefender Level 2 (CCDL2, formerly CCD) is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.