New Insights for the CASP+ CAS-004 Exam

By Bob Weiss

I just took the new CASP+ CAS-004 Exam on March 14. This exam is an unscored pass/fail exam. I passed. There were very many questions where the feeling was “when did we ever learn about this.” I’m an instructor for this course, and several others. So the moral of the story, let go of your negative feelings of uncertainty and failure. You ARE prepared, even if the subjects in the questions seem unfamiliar. Read the scenario, read the question, pick an answer. Go with your first answer. Don’t overthink it, and don’t second guess yourself. Never ever change an answer, the first impression is the good answer almost always.

This post is an accumulation over time, and I am adding new content as it happens. Also, check me out on Reddit. https://www.reddit.com/r/CompTIA/comments/te8i8y/i_just_passed_the_casp_cas004_exam/

[Bob says: As of July 13 2022 there is more information on the Linux Forensics Simulation and also the usual Question1 PBQ. Read all the way to the end, and check the comments for deeper insights. The newest bits are at the bottom.]

There was only one Performance-Based-Question (PBQ) and it was the first one on the exam. The one I had was a Business Continuity/Disaster Recovery scenario. There was a network map of two offices connected by a VPN, and a number of different hosts at each location. In the scenario, there was a disaster at Location A. There were three “findings” about certain situations that weren’t working correctly, and I had to match each finding to one or more devices. One of the findings also required I choose a mitigation from a drop-down list. I did not think this was overly hard, although I did reset the board 3 times before settling on my 4th answer set. Usually I wait to do the PBQs at the end, but this one seemed simple enough so I just completed PBQ1 and moved on.

Then there was a “Virtual Environment” question. These are different, I have not seen one like this. You HAVE to answer it in the order you get it, if you skip it you can’t go back. and you get no points. Once you have answered it, you can’t go back either. My Virtual question gave me a simulated Linux Ubuntu desktop. The scenario was that this system was maliciously breached, and had been repaired, but there is concern by the security tech that there is a malicious TCP process still running, and your job it to find it, identity it, disable it, and kill it. All in the constrains of the Ubuntu terminal window. You definitely need to know your Linux commands for this one. This is similar to the PBQ 1-3 listed below

To get good practice in Linux, I would recommend installing Kali Linux as a virtual machine, and learning how to work at the terminal window.

There was a lot of emphasis on Business Continuity/Disaster Recovery, Cloud, Authentication, and Software Security.

If you have taken this exam recently and wish to contribute some of your experiences, I would add them to this article.

Here are some tips on the Performance Based Questions (PBQ) from the CAS-003. They may be out of date, but in my experience these PBQ questions hang around for a while. These come from Quizlet. https://quizlet.com/it/513316332/casp-cas-003-performance-based-questions-flash-cards/ These are offered as examples, not verbatim copies of actual exam questions.

PBQ 1 Part 1 As a security administrator, you are asked to harden a server running Red Hat Enterprise Server 5.5 64-bit. This server is being used as a DNS and time server. It is not used as a database, web server, or print server. There are no wireless connections to the server and it does not need to print. You need to disable and turn off unrelated services and processes. What command would you use to check the configuration

chkconfig –list

PBQ 1Part 2 As a security administrator, you are asked to harden a server running Red Hat Enterprise Server 5.5 64-bit. This server is being used as a DNS and time server. It is not used as a database, web server, or print server. There are no wireless connections to the server and it does not need to print. You need to disable and turn off unrelated services and processes. What services would you need to disable to accomplish this

httpd
mysqld
lpd
bluetooth
wpa supplicant

PBQ 1 Part 3 As a security administrator, you are asked to harden a server running Red Hat Enterprise Server 5.5 64-bit. This server is being used as a DNS and time server. It is not used as a database, web server, or print server. There are no wireless connections to the server and it does not need to print. You need to disable and turn off unrelated services and processes. After you have stopped the service using the service “service” stop command, what needs to be done?

You need to kill the process. first type ps -A, this list all the processing running, find the service you want to kill and do so by command kill -9 262 (example) the 262 is the id number associated with the service

PBQ 2 Part 1 An administrator wants to install a patch to an application. Given the scenario, download, verify and install the patch in the most secure manner. What is your first step

Out of the six downloads, some may be http and others https. Use only the Https

PBQ 2 Part 2 An administrator wants to install a patch to an application. Given the scenario, download, verify and install the patch in the most secure manner. When downloading the patch, move on if you get these errors

the file does not download in a reasonable amount of time or you get a certificate warning

PBQ 2 Part 3 An administrator wants to install a patch to an application. Given the scenario, download, verify and install the patch in the most secure manner. If a file downloads uneventfully, how would you check the hash of that file to the control hash given?

type md5sum install.exe and hit enter to compare that hash to the control hash given. md5sum should a directory in the directory your in (C:\Downloads directory). install.exe is the file you downloaded from the patch site and should also be in the same directory as md5sum directory

PBQ 2 Part 4 An administrator wants to install a patch to an application. Given the scenario, download, verify and install the patch in the most secure manner. If you find the file that matches the control hash given on the download center site, how would you install that patch?

make sure that correct file is in the downloads directory and you are in the downloads directory and just type install.exe

A new PBQ submitted on March 31, 2023

I was given two snippets of code (both were python if I remember right) and had to identify the vulnerability in each, as well as how to remediate it. Being able to identify and remediate injection attacks, insecure object references, and other issues in the OWASP top 10 should be enough.

And some more on this “code security” PBQ.

…the old code snippet sim from CAS003 that you can find here https://www.examtopics.com/discussions/comptia/view/62960-exam-cas-003-topic-1-question-480-discussion/

Kerberos

When users are attached to the corporate network, single sign-on will be utilized

SAML

Authentication to cloud-based corporate portals will feature single sign on

OTP

Any infrastructure portal will require time-based authentication

oAuth

Customers will have delegated access to multiple digital services

Check out this chat of mine on Reddit – https://www.reddit.com/r/CompTIA/comments/te8i8y/i_just_passed_the_casp_cas004_exam/

Added on 2022-06-28 – Searching YouTube using CAS-004 Forensic Linux Sim I did find a two hour video tutorial on Linux Forensics at https://www.youtube.com/watch?v=HTEj8UY2TA8. I am watching it now. Some of this content may be useful in understanding the process that is being tested in the Sim.

Question from a test taker about the Simulated Virtual Environment question

I have to be careful here, I can provide guidance but not explicit information. Conversation follows.

M – We were just talking on Reddit. I remember the exercise almost verbatim but I don’t want to make you feel uncomfortable with non-disclosure etc. But if you have any insight or tools to help me learn command line quickly or what to look for I think I can pass the rest. I’m fairly certain the exercise is what held me back. Let me know and I can send it to you. Also looking forward to reading your blog tomorrow.

Bob – Ok so you have some work ahead of you but not a lot. You need a few Linux command line tools

First step is to get a copy of Linux on a computer. Easiest way is to set up a virtual machine. I have a VM of Kali Linux I use for all sorts of security work. But Ubuntu would be the distro on the test. Ever set up a VM?

I use Virtual Box. It is free. Got to virtualbox.org. Download and install. After that install the Extension Pack

Then go to Kali.org or ubuntu.com. I know Kali better. But they are both Debian Linux distros. In Kali, choose the Virtual Machine option, and then download the VirtualBox option. Save it where you can find it, then open Virtual Box and go to File, Import Appliance, and then find your download and you are done.

Let me know if you get it working. Or let me know if you already have done this.

M- Thank you for sending, tried to download Kali but I don’t have enough space on my computer its just a basic acer. trying to find a better option

Bob- Ah too bad. You could make a bootable USB drive to get around that problem, look lower on the Kali downloads page. Unfortunately you can’t flip back and forth between the windows host OS and the Kali virtual OS. You boot into the drive and its all Kali all the time.

I’ll send you a list of commands to learn, just need some time to pull them together.

Here are some Linux Command to learn Linux Commands

At the beginning of the question the test offers suggestions about what Linux commands may be useful in this question. Take the hint. Write the commands on your note card. You will be using them.

If you need help try the man command. For instance, man netstat shows available commands in netstat.. Press q to quit or exit. Generally speaking Windows help or Linux man information is available in the testing environment. Not sure? Get help!

One command you might need for this question is netstat This will show a running list of TCP connections. I opened my website at http://wyzguyscybersecurity.com. It shows up on the first line in the image below.

You can see all the other TCP connections. You will have to scroll back to the top of this report, as it goes on for several pages.

Another command you may need is ps. This will show you the process IDs for all running processes. Try to find the rogue process in question. Here is the man page.

Here’s the man page for the service command

Let’s try the command service –status-all. You should see a list of running services. If we were trying to stop a rouge service named rogue type service rogue stop

The kill command will kill the rogue service. Do so by command kill -9 262 (example) where 262 is the id number associated with the service. Of course you will use the process ID you identified earlier.

This question will take a lot of time in the middle of the exam, but it is a must do with no backs. So practice makes perfect here. Find your way by practicing on the Kali Linux VM you created earlier.

2022-07-12

One of the test takers I am talking with has failed the CAS-004 a total of four times now. He is thinking that it Sim is causing him to fail, but I think he has the Sim process pretty well figured out, and I suggested that he might be only a few points from passing, and that his missing point may lie elsewhere in the test. No guarantees on this solution, this is just what he is doing. The email string between us follows below:

TESTER: FYI, I have had the same sim question every time, all 4.

The Linux question has two parts, first you have a rogue tcp process and second you need to find a keep a malicious service (called malicious.service) from restarting.

The steps I took were as follows:

netstat -nalp to find the tcp process, there was only one established process like port 50200 to 1337,
lsof -i :50200, found the pid which was something like 2430
kill -9 2430
used systemctl to find the malicious.service
systemctl stop malicious.service
systemctl disable malicious.service
I did find the malicious.service in /etc/systemd/system and deleted it with elevated privileges
I rebooted twice and the tcp process or the malicious service never came back.

I figured that I answered the questions correctly and the service never came back.

In talking with a guy that I work with that knows linux much better than I do, he said that maybe the question is not written great and you need to do more.

He suggested before I kill the tcp process that I find out the location of the exe. Possibly in usr/bin or somewhere else and then kill the process and remove the exe before I stop and disable the malicious.service? He said that deleting the malicious.service that I found in the etc/systemd/system probably isn’t what was necessary to pass the test?

My response:

That process looks pretty solid to me. I like your colleague’s suggestion, so I would try that next time.

From the feedback I have been getting, it seems there is a malicious file to find and remove. Presumably named whatever the process was named. I think there is a list command (ls) that search iteratively through the nested file structure that uses the ../../../ filename structure. Type the ls .. command to list the contents of the parent directory one level above. Use ls ../.. for contents two levels above: See the article on the ls command at https://www.freecodecamp.org/news/the-linux-ls-command-how-to-list-files-in-a-directory-with-options

I believe that the sim is not all or nothing type scoring, that you get partial credit for getting most of the process right. I could be wrong, but I believe that is the case with the standard PBQs, too.

There is a possibility you are missing points in the multiple choice questions. Since this is Pass/Fail, you may be very close to a pass, and just need one or two more answers. Pay close attention to questions that have more than one correct answer, make sure you choose the answer that is “BEST” in relation to the scenario and the question. For example, there is a scenario, a question, and three of the four answers are correct from a certain perspective. Make sure the answer you choose is the most specific for the question. If there is a n answer that is generally correct, and an answer that is specifically correct, choose wisely. Often the most specific solution is the best one.

Are you taking this test as a home proctored exam? I have heard horror stories galore about overzealous proctors invalidating your test results. If this applies to you, go to a testing center next time

2022-07-13

CAS-004 PBQ Solution

A contributor provided this solution for the PBQ that is usually Question 1 on the exam. This is NOT the dreaded Linux Simulation, just the standard PBQ. Never the less, from a scoring stand point this is important. If you are failing, you may be missing THIS question, and doing fine on the Sim. You can skip and return to finish it later but now you may not need to. These images are from a practice exam source, not my own. Again, I am just curating information that can be found on the web or on commercial test prep resources.

Click on the images to make them bigger.

The Question

The Answer

The contributor dug a little deeper on the web and found another answer for the drag and drop. The directory server is #1, the SCADA master controller is #2 and the VPN concentrator is #3.

Bob says – I removed the Answer image since the information on the illustration was incorrect. The answers given were #1 VPN Concentrator (wrong), #2 Pumps (wrong), #3 Directory Server (wrong). If you are using this practice test, please do not rely on the answers shown. The practice test is from Exam-Labs

Another contributor adds: For the PBQ, with the wrong selections from before, there was another step. After dragging the 3 selections, you also had to click on Directory Server, and choose from a drop down list of 8-9 choices of WHAT you were doing with that directory server.

Be Sociable, Share!

16
MAR

123

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com

First Last April 12, 2022

Very helpful post! I’m planning to take the CASP+ exam here soon (mostly because I do not have the experience requirements for the CISSP). My company pays for my training, and voucher so I was looking to buy the high end CompTIA training bundle for this with all the labs which I think will help a lot. Any suggestions on study materials besides the CISSP Boson materials you mentioned on reddit?
reply
bobwyzguy April 12, 2022

Hello First Last!

First, good luck with your studies and pending exam.

I would recommend taking the CISSP after passing the CASP while it is still fresh in your mind. You can be an Associate of the (ISC)2 and upgrade to full certification status when you get the 5 years squared away.

There are many resources you could use. This article is really focusing on the CISSP, but much of the material is good study material for the CASP, CySA, Security+. even the Pentest+ or CEH Check this out https://wyzguyscybersecurity.com/comments-on-the-cissp-computer-adaptive-exam/

You can contact me at bob@wyzguys.com. I am available for tutoring this exam if you are interested.
reply
Manny Lima April 20, 2022

Wish I saw this before taking the exam. I had no idea this question was coming and had to skip it and I failed the exam. I had all the multiple-choice questions memorized but yet I still somehow failed. Are these lab questions worth a lot of points/
reply
Manny Lima April 20, 2022

This was in regard to the Linux TCP virtual environment
reply
bobwyzguy April 20, 2022

Yes the Performance Based Questions and especially (I think) the Simulated Question carries a lot of weight on the exam. I think failing or not responding to the Sim Q pretty much guarantees a fail.

On thing that most test takers don’t know is that HELP is available. If your PBQ or SimQ has a command window or terminal window, you can invoke help (such as ipconfig /?) and the help files will open, but JUST THE COMMANDS YOU NEED FOR THE TEST QUESTION. So if you are at the C prompt, just typing help or the ? will show you the commands that are necessary for the question. Not all the help, just what is covered on the question. This is a huge clue.

If you are in Linux, the man (Manual) pages are available. Again, just the ones you need for the exam. question.
reply
Manny Lima April 20, 2022

This was my results: Which sections do you think were the virtual exam? My guess Section 1-3?

You incorrectly answered one or more questions in the following objective areas:
1.1 Given a scenario, analyze the security requirements and objectives to ensure an appropriate, secure network architecture for a new or existing network.
1.2 Given a scenario, analyze the organizational requirements to determine the proper infrastructure security design.
1.3 Given a scenario, integrate software applications securely into an enterprise architecture.
1.4 Given a scenario, implement data security techniques for securing enterprise architecture.
1.5 Given a scenario, analyze the security requirements and objectives to provide the appropriate authentication and authorization controls.
1.6 Given a set of requirements, implement secure cloud and virtualization solutions.
1.7 Explain how cryptography and public key infrastructure (PKI) support security objectives and requirements.
2.1 Given a scenario, perform threat management activities.
2.2 Given a scenario, analyze indicators of compromise and formulate an appropriate response.
2.4 Given a scenario, use the appropriate vulnerability assessment and penetration testing methods and tools.
2.5 Given a scenario, analyze vulnerabilities and recommend risk mitigations.
2.6 Given a scenario, use processes to reduce risk.
2.9 Given a scenario, use forensic analysis tools.
3.1 Given a scenario, apply secure configurations to enterprise mobility.
3.2 Given a scenario, configure and implement endpoint security controls.
3.3 Explain security considerations impacting specific sectors and operational technologies.
3.4 Explain how cloud technology adoption impacts organizational security.
3.5 Given a business requirement, implement the appropriate PKI solution.
3.6 Given a business requirement, implement the appropriate cryptographic protocols and algorithms.
3.7 Given a scenario, troubleshoot issues with cryptographic implementations.
4.1 Given a set of requirements, apply the appropriate risk strategies.
4.2 Explain the importance of managing and mitigating vendor risk.
4.3 Explain compliance frameworks and legal considerations, and their organizational impact.
4.4 Explain the importance of business continuity and disaster recovery concepts
reply
bobwyzguy April 21, 2022

Yes you could be on the right track. I checked Reddit for more comments about CAS-004 but were not finding much.
reply
ROG141 April 22, 2022

Today i taked the CAS-004 for the error i skip the “Simulated Virtual Environment” i cant return to SIM, for that i failed the exam, the test have 81 question, Sad but true 🙁
reply
- bobwyzguy May 23, 2022
  
  CompTIA does explain that there is no going back on the Sim. Do your best, don’t skip it.
  reply
Sam May 27, 2022

I just failed casp+ and that simulation was a bummer. I spent 10+ minutes on it and hit next thinking I could go back but forgot that I couldn’t.

I tried to find the malicious connection but idk what to look for? Was it supposed to be obvious like hackerDomain and is the process supposed to be obvious too?

I had the disaster recovery but I totally did not understand what it’s wanting me to do. I am so bummed out!

The multiple questions were sooo hard. All the studying I did seemed very useless.
reply
bobwyzguy May 28, 2022

The malicious process could be consuming large amounts of system resources especially processor and RAM (memory) PS should reveal that.

Yes a process name that seems wrong, or a process that has a similar name to a correct process would be suspicious.

You have to stop the process in PS and then kill it

Most people do not know Linux well, so more time on a Linux system would help
reply
First June 20, 2022

Finally took the CASP+, couldn’t find the rogue process with ps but was able to disable the service. Nothing was glaringly obvious to me. Going to study Jason Dion’s materials and try again I suppose as maybe I can get partial credit for the SIM and attempt to get perfect on the multiple choice.
reply
John June 24, 2022

I took the CASP+ 004 and I struggled most with the virtual environment. I cloud not find any malicious processes and I used all commands such as ps, ss, netstat, and top, and I could not use commands like systemctl, service, and kill. Some of the questions were a bit iffy but I believe I was dragged by the virtual environment. I think the question is very misleading.
reply
no cow June 27, 2022

I am taking CASP this week and I am familiar with Ubuntu. I am curious if they strictly test on Linux? I know some commands are different such as the chkconfig on ubuntu is update-rc.d. Thanks for the info!
reply
bobwyzguy June 27, 2022

The Sim is all Linux. The Other PBQs could be on several things.
reply
Tom June 28, 2022

Yesterday was fail 3 for me. I know that I answered at least 76 of the multiple choice questions correct and thought I maybe passed the virtual linux question but I guess I didn’t. This has been the same for the other 2 tests…..strong on the multiple choice not on the virtual linux. I don’t know how they can put so much emphasis on one question when none of the training covered it?
reply
bobwyzguy June 28, 2022

First, I admire your persistence. It seems like the Simulation on Linux is tripping up many test takers. I am convince that you need a Linux installation like a Virtual Machine to learn the use of some of the commands that are necessary for this question.. If you believe the question is too difficult or unfair, you should probably open a case with CompTIA about it, but I wouldn’t expect much. If enough testers complain, maybe the Sim will be replaced with something a little easier to pass.
reply
Tom June 28, 2022

I installed Virtualbox and have an Ubuntu VM running. I have been practicing using netstat to show a process that doesn’t look correct, finding the pid and killing it. I am lacking at finding a malicious service and knowing what to do to prevent it from running again. I have been trying to figure out what looks right or wrong in crontab and several other things but I can’t seem to put everything together. Can you name a resource free or not that would help me? Thanks Bob.
reply
bobwyzguy June 28, 2022

As to how to find the malicious file, I would expect the file name to be the process name. It may take some looking to find where it is lodged in the system files, but there is an iterative search parameter of the ls command that uses ./././. that will parse the entire file tree. Another ls command will show the file path

I went looking for other practice resources and especially YouTube videos in the CAS-004 Linux Sim. It seems that some sources are calling this a Forensics SIM, which it is. Another term to add to your search.

I found something interesting at https://www.certification-questions.com/comptia-exam/cas-004-dumps.html that some of their content was taken down over DMCA conflicts. Sounds like CompTIA wasn’t happy that someone was revealing the solution to the sim (perhaps).

My exploration of YouTube today revealed nothing specific to the Sim, just a lot of trainers and training companies selling their certification wares.

Searching YouTube using CAS-004 Forensic Linux Sim I did find a two hour video tutorial on Linux Forensics at https://www.youtube.com/watch?v=HTEj8UY2TA8. I am watching it now. Some of this content may be useful in understanding the process that is being tested in the Sim. This is a lecture from what I assume to be a college class. He uses a lot of third party tools that aren’t part of the exam, so I am not sure how helpful this will be

We need to hear from people who passed and are willing to share some insights. I am not looking for the answer, which would be a violation of the CompTIA NDA, just some help with the questions other test takers are asking
reply
First Last July 8, 2022

The problem with the SIM is that the process is nothing glaringly obvious unless you are very familiar with what is normally running on Linux. I created a Kali Linux VM and a Ubuntu VM and I’ve stared at these processes trying to familiarize myself with them for awhile now. Hoping to take the test again this weekend or next and will report back if I pass. The first time I took it I could find the persistent service but could not associate a PID with it unfortunately. Honestly there is too much time on this test. I was done with an hour left and that was after reviewing everything once through. I highly suggest anyone taking this test to spend 30 minutes or more on the SIM.
reply
VeryFrustrated July 14, 2022

I failed my first attempt at the end of June. I tested again yesterday.
I received many of the same questions from the first attempt, and some new ones as well.
My first question was the drag and drop site a and b question.
My 23rd question was the linux sim, and I believe it was going to be exactly the same as before BUT, after making some notes on my whiteboard, I clicked NEXT. That SKIPPED the question.
I immediately reached out to the test center staff, and they had no clue. they told me to click back.
This killed all enthusiasm for the remainder of the test as I knew I just threw $490 away.
I asked to protest the test, and the worker said he would do that… “Oh, But not right now dude, I will do that later”
I have 0 confidence this will happen as he does not even understand what my issue was.
I also called the number from the bottom of the test, but this guy in India was convinced the name of the test I took was COMPTIA. Then he said I reached the wrong number.

I don’t know that it is worth trying to gt a retake because of the unintentional sim skip issue because the printing out said I missed 1 or more questions, in 24 domains. I don’t think I really missed 24 or more questions, but they don’t give you a score so I have no idea.

I really think is is insane that they have you accustomed to clicking NEXT to proceed, and prompt you for if you really want to proceed, really are done reviewing flagged questions, really want to end the test… But no prompt for “You really want to skip this sim question??” Very unfair.
reply
bobwyzguy July 14, 2022

Man, I am so sorry to hear that. Let me know if you can get them to give you a retake.

CompTIA seems to have made CASP+ a proving ground for new test technology like the Simulated Environment. I have collected over 20 comments on this article, as well as another collection of complaints on my original Reddit posting.

I got new intel on both the Linux Sim and the first PBQ question (usually question 1) at the bottom of this article.
reply
VeryFrustrated July 14, 2022

For the PBQ, with the wrong selections from before, there was another step. After dragging the 3 selections, you also had to click on Directory Server, and choose from a drop down list of 8-9 choices of WHAT you were doing with that directory server.
reply
First Last July 15, 2022

I believe the drop down had to do with BGP from when I took the test? Hoping to take it again this weekend and hopefully not fail!
reply
Welp July 15, 2022

Because of NDA I’m going to be vague so don’t bring the pitchforks. I just recently passed the CAS-004 and what I will say is don’t over complicate the linux sim if you get it. It mentions that there is a malicious process or service on the system. Start with that information. What would command would you use to show running processes or services? It should snowball from there. Comptia is not trying to be tricky or hide anything so don’t go into it thinking it’s going to be overly complex.

If you were confident that you performed the correct actions in the sim then it may be the theory that you just need to focus on.
reply
KLAS July 28, 2022

Thank you for your help here Bobwyzguy. I studied up for the Linux problem and believe I did well on it. I killed two pids and the stopped and then disabled the service. I think that was right. I noticed the second pid and don’t know if I needed to kill it or not but I did. I see a lot of people talking about the MC questions in this thread, please urge everyone here to fully vet ALL practice problems they are using to study. Review every choice on every example problem, it stinks but many of the answers to practice problems on the internet are wrong…..especially if you are finding them from random sources. Thank you for this page as it got me to download Kali and install it on VBox. I, then, installed lighttpd and practiced killing it, starting it, stopping it, disabling it, re-enabling it, and just got to know a lot of commands in Linux that I don’t normally use. It also helped me vet some practice problems that had wrong answers. Thank you again.
reply
bobwyzguy July 28, 2022

Thanks for your contribution KLAS.
reply
Brian July 28, 2022

Thanks for the information! I passed my CASP exam back in 2016, did the CEUs in 2019, but unfortunately forgot to do it again this year. I have been studying to take it next week, as this cert is needed for my job.
reply
Brian August 3, 2022

I passed the CASP + Exam (CAS-004) yesterday. The info here was VERY helpful. I had a total of 81 questions.

I had the “Click and Drag” VPN question with the 2 sites. I filled it out exactly how it was stated here. I did, however, have to do another step. On the VPN concentrator (which had answer #3 assigned), I had to pick from a drop down listing; which answer would resolve the flapping issue.

I had the dreaded Linux simulation question as well. Unfortunately, I wasn’t able to find the process ID (PID) attached to the malicious service. Using netstat or netstat -nalp shows the established connection of the malicious service, but the PID info on all connections are blank. I did and delete the malicious file itself, which ended the connection within netstat.

Hope this helps.
reply
bobwyzguy August 3, 2022

Thanks Brian for sharing your experience and contributing to the Comments.
reply
VeryFrustrated August 4, 2022

I took the CAS-004 for the 3rd time today.
I PASSED!!!

First time: Missed 20 questions (From what I can tell from the results sheet), Bombed the Linux sim and 2 PBQ questions.
Second Time: Missed 22, accidently skipped the Linux sim, and bombed the 2 PBQ questions.
3rd time: Says I missed 16. I believe I NAILED the Linux sim and the drag n drop. I did not get the 3rd one where you secure the servers.
So there you have it, passing IS possible. 🙂
reply
bobwyzguy August 5, 2022

Congratulations Very Frustrated. The solution is informed preparation, and lots of Linux practice (for the Sim)
reply
First Last August 7, 2022

Finally passed this monster of a test and only missed one or more questions from 12 domains. Thank you so much for your help with this blog entry. I’ll definitely have to get some tutoring from you for the CISSP when I get around to that! So thankful to be done with CompTIA and their question trickery.
reply
bobwyzguy August 8, 2022

Congrats! Its been a long process, but you did it. Drop me a line when you start your CISSP. Don’t wait too long as the CASP+ is great prep for the CISSP. Two exams very much the same content. Personally, I think the CISSP may be easier to pass than the CASP+ No PBQs or SIMS

The CISSP is a MANAGER’S exam, and the hardest thing for a technician to learn is how to THINK LIKE A MANAGER and pick the answer a manager would pick
reply
Ahmad August 9, 2022

I am about to take CAS-004 exam and really happy that I have found this page. Thank you for your contribution.

Regarding the Linux Sim, what I understood upon going through the Linux commands is that the following should be done:

1- Find the malicious process (using PS command)
2- Determine the PID (using PS and/or netstat)
3- Stop the service (using service command)
4- Kill the service (using kill -9 )
5- Delete the malicious file which is starting the process (using rm command)

Is this the correct logic or am I missing something? Kindly advise.

Thank you!
reply
bobwyzguy August 9, 2022

That looks good, based on the input I have received from other test takers.
reply
Glizzy August 17, 2022

I just took my CASP exam yesterday and passed on the first try. This blog has been super helpful in assisting with understanding the concepts and what the test is asking for. I got the Linux Sim and it’s alot more simple than what some people are making it, don’t overthink it. Study the terms and you should be good. As I was going through the test, it felt like I didn’t know every single answer but just take the time to read it thoroughly and pick your best choice and you should be good, don’t let the test frustrate or consume you!

Thank you again Bob for this page and how you assist people in trying to help them pass this test! Very helpful and much appreciated.
reply
bobwyzguy August 17, 2022

Congrats Glizzy. Together we all have contributed to this tutorial. So thanks to all who provided tips and guidance.
reply
CASP Hopeful August 22, 2022

I’m going to be taking CASP in the next couple days after failing it last week due to the Linux SIM not loading. It was a blessing bc I was not prepared for the Linux sim but after finding this blog I believe I will be ready for it now. I do have a question about the PBQ though. I had the drag and drop as described in the blog post but I am unsure if I should be dragging #3 on both vpn concentrators, just the one on site A or just the one on site B. Originally I put it on just site A and the extra step I chose the BGP option but now I am second guessing myself on which VPN concentrator they are looking for or both. Any insight into this would be very much appreciated!
reply
bobwyzguy August 22, 2022

CASP Hopeful – Answering your question would be a detailed enough answer to potentially violate the NDA. Make sure you have looked at the last section of the original article that deals with the PBQ. This was originally submitted with two images, and the second one, THE ANSWER, was wrong. If you are working from that two image set, forgt what you are shown on the second image and read the article comments.

You can enlarge any of the images in the article but clicking on them to open them up full size.

Let me know if this is enough for you.
reply
CASP Hopeful August 22, 2022

bobwyzguy.. thank you for the feedback! I will take it and see how I do. Retesting in the morning and hoping my SIM populates correctly and this time it is enough to get that PASS. I will update tomorrow with the news.
reply
bobwyzguy August 22, 2022

Good luck CASP Hopeful
reply
CASP Hopeful August 23, 2022

I promised an update so here it is:

I passed! The first time I skipped the Linux SIM by accident, failed, and my score report said I missed one or more questions in 21 different areas. This time I did the simulation but I was only able to find the malicious service and stop it, I wasn’t able to find the process to kill or any kind of .exe so I know I didn’t get full credit bc there is definitely more than 1 task to perform.

The PBQ was fairly easy but make sure you read the fine print under the choices bc one of them will be different and the photo on the main blog post does not show that. I think this matters as it had me change one of my answers. Can only assume that I got it right this time as opposed to the first time since I passed.

This time my report said I missed one or more questions in 20 different areas, so I believe the little bit of the Linux SIM that I was able to do and the changing of my PBQ answer pushed me over the edge into passing.
reply
bobwyzguy August 23, 2022

CASP Hopeful – Good work!! Congratulations
reply
Perplexed September 5, 2022

I’ve taken the exam twice and I am not sure where I am falling short but suspect it is the Linux sim.

inthe Linux sim I cannot find the PID using lsof, top or ps. I did sudo systemctl stop and systemctl disable the “suspicious name”. I was able to find two files in separate directories using systemctl | grep “suspicious name” and sudo rm them. I rebooted and after rechecking netstat the service did not restart. I checked the file locations and the file did not return. I rebooted again to make sure, rechecked the service and locations and nothing came back. I figured that was all I could do and moved on.

Any suggestions or guidance would be well received.
reply
Alexandro Mullings September 7, 2022

Hi Bob,

I took the CAS004 on September 5th and today. I failed again…. I stumbled on this bloq after digging around to see if anyone has gotten this same issue. I feel cheated. I took the exam and ALL of the multiple choice questions were STUPID easy. If I got 4 wrong that was PLENTY. I did the SIM and stopped the process and removed the file buried in the directory. The first time I took the exam it took about 24 hours for me to see my results, today, I click on Finish and the results are there. I got according to the printout 23 sections wrong, REALLY? ^.^
I compared it to the printout of 25 so basically I spent 2 days studying and going over the content like a madman to ONLY get 2 questions right the second try. I find this ludicrous. I WILL never be taking another CompTIA exam again and will advise everyone that I come across to do the same. I’ve done CompTIA exams in the past and other certifications but none have I felt cheated like this one. I mean: just about every single question I was confident in my answer. There is NO way that my responses were wrong, the VM simulation or system grading that they use must have some sort of glitch OR the SIM is a pass/fail sort of deal. Addtionally, there is more than one way to tackle the SIM because I restarted and the process did not appear. However, if there is a parameter checking for a condition and that condition is not met based on what CompTIA deems as correct then this is truly an unfair exam. I wrote to them but I am not expecting much. Sad, to say; I will not be taking another CompTIA cert for the rest of my life.
reply
bobwyzguy September 8, 2022

Alexandro – once you calm down, give it another try. Many people are struggling with this exam. You can open an appeal with CompTIA if you think the results were unfair,

I think the CAS-004 is harder at this point than the CISSP. It is a managerial exam (like the CISSP) and is looking for answers a manager would choose over what a technician would choose.

The test report is not saying you got 23 questions wrong, but is just showing you the objectives you need to work some more on.

There are LOTS of tips about the Linux SIM. There are more than two steps, more like 5, and you need too use more of the commands at the terminal. Also check the PBQs. Many are missing the PBQ answers and thinking it was the SIM.
reply
KLAS September 9, 2022

Alexandro, I do not know the methods of which you studied but if you used any practice questions on the internet, I will guarantee you that the answers were wrong on at least 50% of them. If you read a book or two and watched video after video, then I agree, you may have been robbed. I had 15 listed topics on my score report and passed. I used a CASP+ book from Amazon and practice questions from the internet, most of the answers on the questions were incorrect though. You have to completely vet every question you use to study with from the internet, it stinks and adds weeks to your studying but it has to be done. Just my 2 cents but who uses change anymore.
reply
bobwyzguy September 10, 2022

Thanks KLAS

Even the well-known brand name commercial practice exams have errors. I got a new release of Boson for A+ 220-1102 and found a question where the shown correct answer was WRONG, but the explanation chose the correct answer, not the highlighted answer. People are not perfect, and neither are practice questions.
reply
GremlinMaster September 13, 2022

Hello all,
So, I just took the CASP and passed it on my first attempt. I’ll go through my experience first then the study materials I used. It was about what you expect from CompTIA. I only got one PBQ, it was very close to the one in the blog notes above 😉 as for the simulation I was messing around with it for 45 mins. The process kept returning after killing it/rebooting and some commands didn’t work like lsof, I’m not sure if I was using them correctly. To make matters worse the sim black screened on me almost like the connection was terminated. That only left me with about 1hr 30mins to answer the remaining questions (I had 81 total). With only 15 mins left I went back and reviewed 22 questions I flagged. I only changed a couple answers. Like Bob says go with your first choice. When I got my report, I had 19 areas that needed to be worked on. So, with the sim dying on me I was still able to pass. Now for the materials, I used Mark Birch’s book, Jason Dion’s web training/practice test and pocket prep. I was baffled that there are allot of questions on the test that mimic Marks end of book practice exams. Since I wasn’t really in the cyber security field, I took about 3 months to study with the last month studying almost 8+ hours a day and the last week I did practice test after practice test. I feel like you need to diversify your material instead of having one resource. I stumbled across this blog a week ago and I can tell you It was one of the key reasons I passed. I had no Idea about a sim question and this blog outlined perfectly what is needed to succeed. I know what it’s like taking CompTIA certs more than once, keep putting in the work. You got this peeps.

Here is a link to a reddit user that used Marks book: https://www.reddit.com/r/CompTIA/comments/wu3qyj/passed_casp_a_couple_days_ago/
reply
bobwyzguy September 13, 2022

Thanks Gremlin Master – great rendition of your exam experience, thanks for sharing. Congratulations on your certification too
reply
John September 15, 2022

I passed the casp+ on my second try this website helped a lot when re studying. The virtual environment was better the second time because of practice in my own virtual machine.
reply
James Beanbag September 19, 2022

The CASP+ exam is the bomb.
I was shocked at my 1st attempt at the type of questions I met on the exam day. Most of the practise questions I had used were CAS-003. However, i do not really like using dumps so i was just going with the mindset of understanding the objectives of the exam very clearly; to my surprise, it is much more than what is in the objective. Your practical experience in the past will be put to test. So it is thorough one at that.

Now on my experience during the 2nd attempt:
I also got the PBQ for the DR scenario. In my own case, they asked me to choose the exact service I am choosing to improve connectivity in site B. In your case, it might be the directory service. So know what you are doing. [Answers are SCADA Pumps, Directory service & VPN concentrator in no particular order]
For the SIM/Ubuntu lab question: i think that question alone carries 2 questions out of the 81…and I am sure the marks are different. I got to know this during review before submitting. questions 22,23 were omitted for me.
To solve it, follow the steps below:
1. netstat -nalp [to identify the TCP process, there was only one established process like port 50200 to 1337]
2. lsof -i :50200 [I put sudo before mine; I noticed without sudo, it didnt work]
3. kill -9 PID from 2 above OR systemctl stop malicious.service and then systemctl disable malicious.service. (stop before disabling)
NB: The service would still be in the system but waiting to start again on reboot bcos it is written to execute during startup.
4. cd to /etc/systemd/system path
5. since you dont know what the service exactly looks like, scroll gently until you see some strange process name (in my case, it was malicious.service). They may have changed it during your attempt.
6. I CAT the content of the file (malicious.service)…u can hash out the line that makes it execute on restart or just rm the bastard file. but i think hashing out the line would give max point cos the 2nd question as seen below says

1. End the compromised process that is using a malicious TCP service.
2. Remove the malicious persistence agent by disabling the service’s ability to start on boot.

7. I did find the malicious.service in /etc/systemd/system and deleted it with elevated privileges (sudo su)
8. I rebooted and the TCP process or the malicious service never came back. I checked and never found it.

For the rest of the question, your experience counts and u also need it to study the dumps cos there are lot of wronggggggggggg answers.

Goodluck!
reply
bobwyzguy September 19, 2022

James – thanks for your detailed contribution. It seems like the Linux Sim may have several solutions, based on the comments of earlier contributors. All I can say is KNOW YOUR LINUX. You cannot bluff your way through this question
reply
Kim September 19, 2022

Thank you so much for this website. It was a huge help in passing the CASP today. Definitely know your Linux commands. I used the CompTia CASP+ CAS-004 Certification Guide by Mark Birch. The mock exams in this book were a huge help.
reply
bobwyzguy September 20, 2022

Thanks Kim. When I posted this article I had no idea how many CASP students would find it helpful. As I complete other certification exams, I have been starting new articles like this one for those exams. You sjould be able to find them using the search tool on my web site. I am also active on Reddit/r/CompTIA and Reddit/r/CISSP and Reddit/r/CEH
reply
Sean October 14, 2022

Searching through the internet, I’ve found the notorious Linux sim on Examtopics website. I didn’t want to post the link due to NDA but you can go to the site and search for your self. It’s question number 146.
I’m scheduled for testing tomorrow night. I’ll let you know how it goes.
reply
bobwyzguy October 16, 2022

Thanks Sean. I hope your exam went well for you. And a word of caution to everyone on this thread: sometimes these practice question contain incorrect answers. Don’t just memorize, doubt check first.
reply
whisper October 17, 2022

so on the exam we will have the sim , and also lab questions like downloading something and the Red Hat Enterprise Server 5.5 64- bit Question?
reply
- bobwyzguy October 19, 2022
  
  Not necessarily all of them.
  reply
Ahmadallica October 17, 2022

I am glad I passed the test at first attempt. The information here on this page is very useful. Please double check all the answers on other websites because many of them are answered incorrectly. I got the Linux Sim and I found using the command netstat -nltp is better than netstat -nalp because it easily shows the TCP connections so you can find the malicious one. Good Luck to everyone! Now next is CISSP!
reply
whisper October 18, 2022

@Ahmadallica do you have a email i could reach out to?
reply
Thatdude October 23, 2022

I took the CASP last Thursday at home. The at home testing went well, no horror stories here like I’ve heard with others. Unfortunately, I did fail my first attempt.

Here’s where I think I went wrong. First, I took the exam Thursday evening after a full days work. I was burnt out by this time and really just didn’t want to sit for it. The next thing, I read Mark Birch’s book twice and did the practice test once. I ended with 21 sections called out in the exam results.

Going forward, I’ve been hitting all the sections I failed in Jason Dion’s video course and purchased his practice exams. I also plan to retake Marks practice exam seeing how similar some of the questions were.

I felt I was close on the Linux SIM last time but couldn’t find the TCP process. I did find, stop, and disable the rogue process. After reviewing I feel I have the necessary commands to find and kill the TCP process and will delete the rogue service next time.

For the cloud based question it looks like I should go with BGP next time as I think I just guessed initially.

I plan to retake in the next week after I’m done reviewing, I’ll report back!
reply
bobwyzguy October 24, 2022

Thanks for your comments Thatdude. Better luck next time
reply
Thatdude October 29, 2022

Well I passed today on the second attempt!

I finished up with 17 sections marked in the review. I felt confident in my Linux solution. I didn’t delete any anything, I just followed the instructions as written. Find and end the TCP connection. Find the bad.service and disable it on boot. When using netstat -nalp make sure to look for the TCP connection as you might see TCP and UDP. Also, I ran netstat as sudo so it would give me the PID. I rebooted the server after and verified the connections didn’t come back up.

Jason Dion’s course on Udemy and his practice exams we’re absolutely fantastic. Also, thank you to everyone on here. There is a ton of valuable information. On to the CISSP!
reply
bobwyzguy October 30, 2022

ThatDude – Congratulations on your new certification. It is always a good plan to follow up the CASP with the CISSP or the CISSP with the CASP. The content is nearly identical. I’ve got some tips on the CISSP exam too, just search on my blog. Lot’s of CISSP articles. https://wyzguyscybersecurity.com/?s=CISSP
reply
daniel November 6, 2022

The virtual simulation carries plenty of weight and this site is a great source of info, just passed the CASP+ yesterday. PLEASE install a virtual Linux machine or OS and learn the command line and be fluent. When testing most of the time every thought disappears even is the answer is known to you. “If one is in security then all is well”
reply
KingKiller November 10, 2022

I know about the Linux Sim and the disaster PBQ, but I saw someone else mentioned another PBQ. What is that one about? I may just be confused.
reply
Punisher November 12, 2022

Thank you to all of the contributions here. I passed the CASP today on my first attempt. As for the Linux sim, I personally started out with using the locate command and searched for some key words. Not the way you should go about this in the real world if you’re hunting for malware but this worked for the exam. One of the key words I used pointed me in the right direction and I was able to cat the contents of the file which gave me a hint as to what process and connection I needed to kill. Pretty much reverse engineered the question. Confirmed the connection with netstat, confirmed process with ps aux. Finally killed the process, deleted the files, killed the connection, and then did a reboot to confirm the malicious artifacts were indeed gone ( not in that order).
reply
bobwyzguy November 13, 2022

Many hands make the work light. Thanks for your contribution
reply
Achilles November 14, 2022

I don’t think it’s ever advised to just “kill -9”. This stops the process but the linked processes. If you capture all of the process IDs then you can “kill -9” all of them in a list. I usually do this with a:
kill -9 `cat`
(pasted list of pids)
reply
Ariel November 23, 2022

Hi All!

I wanted to share a little of my experience. I tested for CASP on 11/21/22 and passed the exam the first time up. I only had 2 PBQ and the Linux Virtual Environment. I know for sure that I did not get the simulation question correct because I have zero experience with Linux and I was unable to kill the malicious process nor stop it from coming back after reboot. Just wanted to give some of you all out there some hope and let you know that you can definitely pass the test even if you do not get the Linux sim correct. You’ll just have to be very strong with the multiple choice and PBQ questions.
reply
John November 30, 2022

Is there any tips for second PBQ?
reply
bobwyzguy November 30, 2022

John- there are tips galore. Read my entire post, plus all the comments. Ask your question more specifically, like what do you mean by “second PBQ?”
reply
Bengal7 December 11, 2022

Thought I’d add my 2 cents as reading this forum did help me some. I took my first CAS 004 in early Dec 2022. and passed. I had previously failed the CAS 003 two years ago on one try.

I too had the drag and drop PBQ as the first item. I didn’t think it was that challenging and did remember to click Directory Services box for the additional drop down question. (there’s a red ball icon on it after making drag and drops) I am not 100% sure I got it all right).

For the SIM question I had trouble. I had read this forum and basically memorized ‘Tester’ and ‘James Beanbag’ posts from above… I did also do a quick brush up on the relevant Linux commands. Still I blew the question because I used netstat -nalp, or -natp (which gives the PID, making the lsof -i :port# unnecessary I think) , and more flags and did not realize it was listing processes, not services… when I searched for the names of the processes or just anything like I spent a lot of time on this because I thought I’d get it eventually. I didn’t know how to list Services at the time and we are tasked to find services. There was one process listed that ended its name with the word ‘resolve’ so I figured I’d try to stop and disable that one. But upon trying Kill -9 with its PID it responded by saying it’s not a service. I did see a total of 5 or 6 processes total. Some were obviously related to the services the instructions said NOT to disable or stop. So ultimately I simply ran the kill -9 for the remaining processes (two) and moved on. As I understand it Likk -9 does bot the stopping and disabling and that is what is asked, so that is how I left it and moved on. I am pretty sure I bobed the sim but maybe got some credit for running some commands, not sure.

The remaining questions were all multiple choice which I had had studied for overall. Bu the end I felt confident in most of my multiple choice responses except for maybe 10 of them.

Having read in this forum that the SIM likely weighs heavy in scoring, by the end of finishing the exam I felt like I had blown it. I was shocked to see that I had passed.

Interestingly enough I talked with a co-worker who also had very recently passed his CASP in one shot I believe… he said he had no clue regarding the SIM and he basically just skipped it…and passed! He felt the drag and drop was PBQ was easy.

Leads me to believe that al is not lost if one doesn’t do well with the SIM. But if you know how to list services and processes, and use the kill -9 with the correct PID, it should be straight forward
reply
Bengal7 December 11, 2022

**As I understand it kill-9 does bot the stopping and disabling and that is what is asked, so that is how I left it and moved on. I am pretty sure I bombed the sim but maybe got some credit for running some commands, not sure.
reply
angryelvis December 29, 2022

I passed my test this week and I want to thank you for mentioning Virtual Box. I had not heard of that site/software and it was exactly what I was looking for. Your mention of that & that Ubuntu provided machines ready for use in VBox really gave me the opportunity to practice and understand what I was doing in the environment.
reply
Sportynerdguy January 3, 2023

Came here after passing my second attempt. This site was a MAJOR help. Definitely recommend to follow James’ logic but really get familiar with systemctl. Failed the first exam after not fully completing the Linux Sim (only stopped the service). Tried all of the commands but couldn’t find pid even after an hour of digging which then made me rush on the training MC questions. Whole sim could really be done with just systemctl and kill -9 but be sure to run the other commands. Thanks for starting this thread and posting on reddit Bob!!
reply
Taylorbuckeye January 6, 2023

Yesterday was my third attempt at the CASP+ 004 exam. Failed again. My first two attempts were pretty much the same test (and I struggled with the Forensic Sim). This third one was different. I’m very confident I did well on the Forensic Sim this time (thanks to this blog and everyone’s helpful comments). The PBQs were different though and several of the MC questions. This time I had to review code snippets, figure out what they were doing and how to mitigate; not so confident about this one but the other was to harden the server which I think I did well on. Guess I’ll study code snippets some more and try again….hopefully the test won’t change again if I’m able to retake it in a couple weeks….
reply
bobwyzguy January 6, 2023

Interesting comment about your PBQs. I just took and passed the Pentest+ PT0-002 exam today. I had those PBQs on my exam. Thought they were hard, but somehow I got 768 points, enough to pass. I’ll be posting my usually Exam Notes article in a few days.
reply
Droid January 9, 2023

Just wanted to say I passed my test yesterday and similar to Taylorbuckeye had the code snippet question as my second PBQ and lots of new multiple choice questions I didn’t see in any practice exam. I think they might have rolled out a new version of the test for the new year. But the Linux sim I aced thanks to this blog post suggesting practicing on a VM and the comments from everyone.

I did run out of time at the end, got to the final question with about 1min to spare and had to quickly go back to the 2 unanswered questions I had skipped (one was the code snippet), only was able to answer the code snippet PBQ before time ran out. But still passed!

Thanks Bob!
reply
bobwyzguy January 10, 2023

Thanks for your comments and congratulations
reply
Tpumpkin January 13, 2023

I am getting ready to take the exam next week (remote). I have been using the Certmaster from CompTIA and Jason Dion’s course and practice exams. I’ve passed Security + and CySa+ in years past. First time I took the practice exams I was scoring about 70% for CASP. I am studying the areas I am having trouble with the most and obviously focusing on the material I got wrong. Any indication of roughly what percentage we need to be at to pass the exam? Any other tips besides the ones in this thread? This has been most helpful for knowing what to study.
reply
bobwyzguy January 13, 2023

I am happy your found this page helpful, and I am grateful for all the responses. You need to have practiced the Linux Sim. And prepared for the PBQs. You need to score in the 80th percentile to pass, at least as far as we can deduce. Most CompTIA exams require a score of 700 out of 900 which is 78%.

Good luck! I am sure you will do well.
reply
Tpumpkin January 21, 2023

Just wanted to give an update here. I took the exam this morning. I still have not received an email, but I logged into my CompTIA account and what do you know? I Passed! I could not believe my eyes. From the looks of it I think I scored an 84%. I ended this exam knowing it was the toughest one I have even taken. I full expected to fail this exam after I pressed submit.

Most of the questions on the exam I have never seen before. By far the toughest one was the Linux sim. I spent about 40 minutes on this part. At one point I didn’t think I would find the problem, but I kept digging and digging and I found the problems.

Thanks to all the helpful tips! If you are going to take this exam, DEFINITELY practice the Linux portion!
reply
bobwyzguy January 21, 2023

Thanks Tpumpkin – Which is harder? The CASP+ exam or the CISSP exam? They are difficult in thier own ways.

The CASP+ is crazy hard because of the Linux Forensic Sim and the Performance Based Questions. The CISSP is crazy hard because the Computer Adaptive Testing format exploits your weaknesses by giving you more questions in those areas where you are weak.

Which is the hardest?
reply
Tpumpkin January 22, 2023

I have actually not taken the CISSP yet. I was thinking about taking that exam at the end of the year. But I can say with certainty that the CASP is no joke. You really have to read the questions and think critically about the answer. I’ve been working in security for the past 4 years and as a sysadmin for the past 7 years prior. I worked in a primarily Linux shop and I think that helped a lot for me on the Linux sim.

I definitely learned quite a bit throughout the studying process for this exam. Just remember while taking the exam to carefully and methodically read each question. The wording is something you need to get used to, so I highly recommend the CertMaster.
reply
bobwyzguy January 22, 2023

I have many articles on my website about preparing for the CISSP, so when you get there, give them all a look. You can find them using the search function on my site. I teach the CISSP as well, so when you are ready reach out to me.
reply
Redbeard42 January 25, 2023

When using sudo for the sim, are we prompted with a password to enter it? If so, what’s the PW? I failed my first exam and just blew by this due to being lame with Linux. So, having researched the heck out of this, I am about ready for the second try. Been a Windows/VMware guy most of my career and only know what I need to know because of ESXi. Plus, I always research online for scripting and all. This blasted exam is forcing me to know Linux stuff more than I ever wanted.
reply
bobwyzguy January 25, 2023

Its been long enough I don’t remember if a password was required for sudo, but it it was, it would have been given in the simulation scenario.

As far as Linux goes, all of the certifications are increasing the Linux content. So welcome to Linux.

The reason for this is that employers expect their IT and IS staff to be comfortable with Linux. If you are planning to work in this field for many more years then you should get comfortable with Linux.
reply
Redbeard42 January 26, 2023

OK, Thanks. The scenario gives Username of labXXXadmin with the password of XXXyyYzz! so I assume that would suffice fo sudo. Correct? I’ve been IT for over 40 years and still want to work. I really love this job but could retire if I wanted to.
reply
bobwyzguy January 26, 2023

That should work
reply
JohnnyBlaze January 31, 2023

Bob,

Im about to take my CASP+ 04 on friday. I think im prepared… I trying to fumble through some labs form certmaster but im kind of confused at places. Will it be straight forward in the exam?
reply
bobwyzguy January 31, 2023

If you have read through the article and the comments, you should know what to expect. CISSP is all multiple choice, but that said the computer adaptive format will exploit your weaknesses. Memorizing practice exam questions and answers would help. Learn how to think like a manager, read the scenario, read the question, then choose the answer a manager would choose (NOT the technical, fix-me answer) Manager choices would involve planning, documentation, and reporting, policies, compliance. Everything leads to Business Continuity and Disaster Recovery. Don’t overthink it, go with your first impression.

Good luck!
reply
Johnnyblaze February 4, 2023

So I took the test last night. Failed(my first time). Thought I did well, knew most of the questions. I didn’t skip anything on purpose or on accident. I got two pbqs right off the bat I was not prepared for. Code snippets and another one I wish I could remember right now. I’ll have to look it up and find it.
But, as a test taker I felt confident. Then, when I looked it up, I saw the dreaded fail.
I’m going to keep studying and take it again at the end of the month.
reply
bobwyzguy February 4, 2023

Your code snippets PBQ is a lot like one I had when I took the Pentest+ last month. Check out the description in this article. Maybe it will jog your memory and you can add some insights of your own.

https://wyzguyscybersecurity.com/comments-on-the-comptia-pentest-exam-pt0-002/
reply
gyan February 10, 2023

The keyboard setting for lab is US and I found it difficult to type | from UK keyboard. Any idea which key to use to type | on command?

Can we change the keyboard setting? I doubt it..
reply
bobwyzguy February 10, 2023

You would need to work that out with the testing center. Taking the test at home – this is why I like the testing center.
reply
Third times a charm! February 11, 2023

Thanks to this site and another discussion forum I passed my CASP yesterday. The discussion above with the test taker was beneficial on my exam. I had taken this exam 2 times previously and failed miserably. Yesterday I had some real confidence and passed.
Look folks, I studied hard for this test. You have to review questions from dumps and find the best answers. I installed Ubuntu and not only became familiar with some of the commands to use but also became comfortable with services and the contents of the directories within Linux. Why not?!? I couldn’t hurt! Thanks again for this site and the discussions & comments from all above. Very helpful to this guy!!
reply
Mike February 16, 2023

Thanks to this blog. I passed yesterday from the first attempt.

Insights and comments were very helpful. It guided me to install Kali on my old laptop and it made me fluent in commands I might need at the exam.

Drag and drop was my first question and I did as described above (1 – Directory server, 2 – SCADA, 3 – VPN concentrator with BGP modified)

Regarding Forensics SIM: there were no TCP connections to stop except proctored via port 22 popping up after I did some changes. So I just grep malicious.service, stop and disable that. Then cd to etc/systemd/system, ls and sudo rm malicious.service. After reboot it never came back.

Regarding multiple choice questions: many of them were tough enough, and they broke my eyes reading multiple times on the eyebreaking exam centre screens. Thought it was a great help finding this PDF ( https://www.dumpscollection.net/pdf/CAS-004/comptia.ensurepass.cas-004.pdf.exam.2023-feb-01.by.blake.158q.vce.pdf.html ) few days before exam as many of the questions I met on the exam and didn’t waste the time deciding which answer is better, because I did so in advance.

I ended up with 20 minutes to review the answers, but after changing a few, I decided that I can do even worse, so I just ended the exam and it was PASS, however I expected Fail.

Thanks to this blog once again and Good Luck for every one who is going to sit the exam soon.
reply
bobwyzguy February 16, 2023

Congratulations on your passing the CASP+. And thanks so much for your extensive comments and insights. I am sure other test takers will find them helpful.
reply
President Valentine February 25, 2023

Passed CASP+ yesterday, this blog was really helpful. Thank you all for your insights!
reply
singingking February 28, 2023

I took the exam today and I passed at the second attempt. Comments from “Mike February 16, 2023” really helped. My suggestion for anyone taking the exam soon is to familiarize themselves with Ubuntu bash commands. Also, get the CompTIA CASP+ Certification Guide book from Mark Birch. The book dumbed down the whole course.
reply
bobwyzguy February 28, 2023

Thanks for your book selection. I’ll have to check it out.
reply
redbeard42 March 21, 2023

Passed the exam yesterday. What a relief. When I failed the first time, I passed on the Sim since I was clueless. I studied the heck out of Linux commands and all and that clearly helped me pass. Interestingly enough, when I closed out the Sim the first time, it caused me to get assistance as it froze the system I was working on. The monitor had to come in and allow me to continue. It happened again yesterday, freezing the system when I rebooted the VM to make sure the malicious service didn’t come back. This monitor had to call for tech support. She got me back into the VM and I could validate the service was no longer there. So, thanks for this blog as it certainly helped me get through this. At 66 years old, I think I’m done with any more certs. VMware pisses me off with their stupid cert changes. I have been certified since v3.x back in 2009 and passed every update to v6.5. They just want more money to move to any further updates.
reply
bobwyzguy March 21, 2023

Thanks for your comments and congratulations!
reply
concentrativity March 31, 2023

Took the CAS-004 today. I had 2 PBQs: the drag and drop covered here, and a code security one. The linux simulation was still there.
reply
bobwyzguy March 31, 2023

Congrats! Care to share a little more about the “code security” PBQ?
reply
blues008 April 9, 2023

Passed today…

82 questions and 3 PBQs. The PBQs were the one that you have to drag and drop the directory server, scada master and VPN concentrator (There is an additional option for the VPN concentrator on site B but I choose something about the SCADA controller), this linux simulation and the old code snippet sim from CAS003 that you can find here https://www.examtopics.com/discussions/comptia/view/62960-exam-cas-003-topic-1-question-480-discussion/

I got the linux simulation but I have to say that sudo netstat -nltp which is the must recommended command in this section didn’t help me.

I had to use sudo netstat -tulpen and it showed a service running on port 3991 but I was not able to know its name just the pid however the process in my case seems to be running at least 3 different pids. The sudo lsof -i : command didn’t show anything to me and sudo systemctl –type=service | grep is useless in case that you don’t know the entire name of the service.

I knew that I had to check the /etc/systemd/system directory for sure so I did the following:

1) sudo netstat -tulpen (saw the service running several pids but one was running on port 3991 and used for SYN_SENT.

2) cd /etc/systemd/system (went to the /etc/systemd/system directory)

3) ls -la (to list all the files and if you know what ubuntu have in this directory you will see the obvious answer here. There is a malicious.service file (LOL) there is no way a hacker would name his file like that… anyway thank you comptia. You made it easy!.

4) cat malicious.service (to see the content of the file… you will see that it runs several sh*t).

5) sudo systemctl stop malicious.service (to stop the service)

6) sudo systemctl disable malicious.service (to disable the malicious service at start up).

7) Now ran sudo netstat -tulpen again and saw that the service on port 39991 that was sending SYN_SENT (clearly used for DDOS) was not running anymore but to be sure I had to delete it and reboot so I did the following.

8) sudo rm malicious.service (To delete the file)

9) reboot -n (restarted the server… be aware that the simulation is slow and the restart took about 3 minutes).

10) Login again, open terminal and ran netstat -tulpen and saw that the service was gone. Went to /etc/systemd/system and the malicious.service file was not there anymore.

11) There was not any “submit” or “done” button for this simulation you just click “next” and hope for the best but I’m pretty sure that I got it right.

Hope this helps anyone else. Good Luck!
reply
bobwyzguy April 9, 2023

Thanks for your comments especially on the code security PBQ
reply
Drizz April 13, 2023

Passed on my first attempt three days ago……. somehow. Even after accidentally skipping the notorious Linux simulation question.

My two PBQs were the vulnerable code snippet one from CAS-003 (https://www.examtopics.com/discussions/comptia/view/62960-exam-cas-003-topic-1-question-480-discussion/), and and the nmap scan interpretation question, also from CAS-003 (https://www.examtopics.com/discussions/comptia/view/52461-exam-cas-003-topic-1-question-370-discussion/). I was fully prepared for the code snippet one, but the scan interpretation one took me by surprise. The answers in the discussions on ExamTopics are pretty similar to what I chose, so just familiarize yourself with those and understand *why* those are the correct answers, and you should be fine.

But man, words cannot convey how close I was to walking out when I accidentally skipped that Linux sim. It came up at around question 30 out of 78. It gives you three pages of warnings, the general message of “you are about to enter the virtual environment, you cannot come back to this question” repeated several times, and you have to click “Next” to proceed through those pages. And then you get to the page with the actual simulated environment; there will be your shell in the background, and the pop-out box with instructions on how to complete the question on the right. Once you get here, ***DO. NOT. CLICK. NEXT.*** Like an idiot, I assumed that the instructions box would go away when you click “Next” again, and the actual question will begin. No. It will instead close the entire question; no warning, no confirmation, no “are you SURE you want to do that?,” nothing. It will just move you to the next multiple choice question and you will not be able to go back. Again, ***DO NOT CLICK NEXT*** when you get to the sim and you see that instructions box. Use the minimize button at the top to close it instead. I was unbelievably frustrated when it happened, almost to the point of walking out because I thought it was a guaranteed fail.

I ended up just skimming and taking my first gut-reaction guess at the remaining multiple choice questions, and I was flabbergasted to see that “Pass” on the printout after the test.

The study material I used was the Dion Training practice tests on Udemy, and the test questions and discussions on ExamTopics.com (https://www.examtopics.com/exams/comptia/cas-004/). I would say ExamTopics is probably your single most valuable resource as about 70% of the questions I encountered on the exam could be found there. It’s well worth the $50 in my opinion because it’s almost a guaranteed pass, assuming you study those questions well, and more importantly, checking the discussions section to understand *WHY* the correct answers are correct.

For the sim, you’ll probably want to install a Kali VM, set up your own fake “malicious” service to run on boot, and get some practice with netstat, lsof, ps, systemctl, and grep commands and how you use them to find/identify/stop/disable services. You should also probably be familiar with where services are located and how they are structured. I wish I could give more insight into exactly what the question looks like but……. y’know, I fumbled that one even though I was fully prepared for it. Just do what everyone else has said about that question and you should be fine haha.

Overall I am ecstatic that I passed, but I still have some pretty sour feelings about just how insanely easy it is to accidentally outright skip the simulation. Do y’all happen to know of any kind of feedback/complaints department at CompTIA that would actually take constructive criticism? Because, if nothing else, there needs to be at least some kind of warning when you attempt to click “Next” instead of instantly skipping the question, especially after it makes you click Next through several pages before that. I don’t want anyone else making the same mistake and end up failing, because I honestly feel I just got lucky.
reply
Geeno April 18, 2023

First, thank you for compiling all of the useful information here. Much to my amazement, I passed on my first attempt. I happened to see the comment from Drizz and used his input during my final cram session.

For the sim question, I could not for the life of me figure out what process I was supposed to kill. There was nothing named like the service and couldn’t figure it out. I was able to identify the service and stopped, disabled removed files and then restarted daemon. That all I think I got right and was in line with what folks had been saying. But I was able to pass even with missing one of the objectives on the sim.

I think I hit the next rotation on PBQs. The two I got were similar to the ones Drizz had posted. So I was very thankful for the post. I would not have been prepared for them if I had not seen it.
PBQ #1 – 2 code snippits asking for vulnerability and fix action

PBQ #2 – Based on scan results identify the server role and which ports need to be closed for single secure function of the server.

I used Comptia material and Jason Dion practice exams. I checked out the questions posted on https://www.examtopics.com/exams/comptia/cas-004/ during my final cram session since it was only just posted. There are a lot of questions that are used on the site but the have incorrect answers posted and the user responses are not always in agreement. So take it with a grain of salt or plan to really research the answers yourself.

I was getting practice exam scores in the high 70s and felt pretty comfortable with the sim and PBQ and was able to make it out alive. I hope this helps! Best of luck to everybody.
reply
bobwyzguy April 19, 2023

Thanks Drizz and Geeno for your great contributions. The community of test takers have taken my original post and made it into something amazing! Thanks everyone for your contributions.
reply
NotGoodAtThis April 22, 2023

For locating the malicious process, once you find malicious.service (or whatever file), I would recommend viewing the contents of the file using “cat” (ex: cat /etc/systemd/system/malicious.service). I personally would grep for the “ExecStart=” line and see what it is starting. So, possibly the steps are:
Task 1: Identify and kill a rogue TCP process
1. netstat -tulpn
-t: Displays specifically TCP connections.
-u: Displays specifically UDP connections.
-l: Displays only listening connections.
-n: Displays numerical addresses instead of host names.
-p: Displays the name of the program that owns each connection.
2. identify the unusual port being opened (weird port number? active connection with weird PID/Program name section?, typically in a LISTEN state?)
3. lsof -i :3991 [replace 3991 with the “Local Address” port number]
-i: Display information about all processes that have a network socket open on a specified port
4. kill -9 4360 [replace 4360 with the “PID” results of your lsof command]

Task 2: Find a malicious service and remove it.
1. Typically, netstat -tulpn will provide the process name in the PID/Program name section.
2. If you can not find the malicious service (somehow), use systemctl list-units –type service –all (or service –status-all) and scroll through the results.
3. cat the file to check if the service file (likely in “/etc/systemd/system”) is starting another file in /usr/bin, /opt ,or elsewhere. EXAMPLE: cat /etc/systemd/system/malicious.service | grep -i execstart
4. If it is starting another malicious file, rm -f [/path/to/file] the file.
5. Stop the service: systemctl stop malicious.service
6. Disable the service from starting on boot: systemctl disable malicious.service
7. Delete the .service file: rm -f /etc/systemd/system/malicious.service
8. Reboot the machine and check to ensure the service does not reappear.
reply
Edgar Ramirez April 23, 2023

Thanks for sharing!

Passed the CASP+ CAS-004 exam on 18/Apr/2023.

Got 82 questions in all.

All 2 PBQ questions and 1 VM kali Linux Simulation are available in the newest version of PassLeader CAS-004 dumps with 450 Q&As (https://www.passleader.com/cas-004.html).

Good luck!
reply
Thatoneguy April 29, 2023

Thanks to everyone for contributing to this thread, super helpful!

I passed the 004 today 4/29, according to the paper after, I only missed 9 questions, possibly partial due to how many had “select 3.”

PBQ’s: Vulnerable code snippet/resolution (easy) and the disaster replication drag n drop, with the drop down on the concentrator.

For the Linux Sim, I found it to be relatively simple, service was named super obvious.. used systemctl status to give me an overview in which I found an odd connection over 1337. Like blatantly obvious if you know anything about networking. Used netstat -tlpn to identify the tcp connection, although this failed me, so I had to netstat -a and found the odd connection there. Lsof -i :*local port* to identify the pid to kill. There were two, so killed both. Found the service in /etc/systemd/system as always.. stop/disable, rm -f it. Verify the tcp process was gone as well as the service upon reboot. Good to go.

Multiple Choice Questions were relatively straightforward. Typical CompTIA with the *choose 3 out of the 8* that are BEST. I recommend using the Passleader – https://www.passleader.com/cas-004.html CASP 004 dump my man Edgar above linked. The questions were spot on and I studied all 450 it included. Get familiar and VERIFY ANSWERS, as there are 100% some wrong ones, but for the most part its a great resource and was my main resource once I bought it. Worth the money. ExamTopics dump got taken down, so clearly it was accurate, and I can confirm, very very similar questions 🙂

I also used Jason Dion’s 6 exams on udemy as well as pocket prep’s app when I had some random time throughout the day.

Happy to have passed my first time, good luck to everyone that is planning on knocking this one out! KNOW YOUR LINUX. Oh.. and encryption.
reply
bobwyzguy April 30, 2023

Thanks for sharing and congratulations on passing your certification.
reply
Mike May 3, 2023

JUST PASSED CASP+!!

This page was defiently a huge help for me, considering the fact that I had 0 Linux experience lol. I got the 2 code snippets and the BC/DRP PBQs as the first two questions. Thanks to all the comments in this page, the VM simulation went smooth. I spent around 15-20 minutes on it to make sure I did everything right. As far as the multiple choice questions, I feel like they weren’t as hard/complex as I though they would be. I feel like CYSA+ was a lot more challenging than this exam. Anyways, huge thanks to everyone who contributed to this page!
reply
bobwyzguy May 4, 2023

Congrats and thanks for your comments
reply
Shawn May 5, 2023

I have to say a big thank you to Bob and all contributors to this thread. Reading here was a defining factor for a first time pass of the CASP+ Exam today. The guidance of what to study was tremendously helpful. I used CertMaster, Mark Birch’s Study Guide and Dion from Udemy. The training was all here and there for self study. Next is CISSP. Good luck to everyone.
reply