ExamTopics Logo
Mail Us[email protected]
Menu
Comptia Discussions
exam questions

Exam CAS-004 All Questions

View all questions & answers for the CAS-004 exam
Go to Exam

Exam CAS-004 topic 1 question 428 discussion

Actual exam question from CompTIA's CAS-004
Question #: 428
Topic #: 1
[All CAS-004 Questions]

SIMULATION
-

During the course of normal SOC operations, three anomalous events occurred and were flagged as potential IoCs. Evidence for each of these potential IoCs is provided.


INSTRUCTIONS
-

Review each of the events and select the appropriate analysis and remediation options for each IoC.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.





Show Suggested Answer Hide Answer
Suggested Answer:
by SirL at April 19, 2024, 8:38 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
grelaman
5 months, 2 weeks ago
IoC1: Analisys: "An application is performing an automatic update" It is a CNAME resolution sequence. 1. Apache_httpd is initiating DNS queries 2. The DNS queries go through two internal DNS servers (10.1.1.1 and 10.1.2.5) 3. The third entry appears to query the domain 3a129sk219r0slmfxzzz000.s.domain, likely as a result of the CNAME returned previously 4. The last query resolves this CNAME to the actual IP address (108.158.253.253), which is likely the server the Apache HTTP service is trying to reach. Remediation: "No further action is needed" IoC2 and IoC3: I agree with the given answers.
upvoted 2 times
...
23169fd
8 months ago
Given answer is correct. IoC1: Analysis: "Canonical name records in a public DNS cache are being updated." Remediation: "Configure the DNS server to perform recursion." IoC2: Analysis: "Someone is footprinting a network subnet." Remediation: "Block ping requests across the WAN interface." IoC3: Analysis: "An employee is using P2P services to download files." Remediation: "Enforce endpoint controls on third-party software installations."
upvoted 3 times
...
MacherGaming
8 months ago
IOC 1: This is a DNS canonical name (CNAME) update. Is this malicious? Unknown, but it certainly looks suspicious. Solution: Configure the DNS server to perform recursion. This will allow the server to query other DNS servers to validate requests which reduces the likelihood of malicious updates. IOC 2: Someone is footprinting a network subnet. A single source IP addres with pings to incrementing IP addresses. Solution: The log indicates the network device is droping ICMP requests. No further action is needed. As a side note, if this WERE coming across the WAN interface we wouldnt have a private IP address as the source. IOC 3: An employess is using P2P services to download files. A GET request for x-bittorrent.gzip from an external IP (2.1.0.0) with a successful HTTP response (200). Solution: Enforce endpoint controls on third-party software installation.
upvoted 2 times
light3r1
6 months, 2 weeks ago
Agreed.
upvoted 1 times
...
...
b49eb27
10 months, 3 weeks ago
i partially agree with these. IOC 1:analysis - application is performing an update (The evidence is more toward an application updating initiated by the web server which is behavior for an update. Remediation: nothing . IOC2:analysis- footprinting a subnet remediation - block ping requests. IOC3: analysis - Employe using PTP to download files remediation - blocklist of malicious ports
upvoted 1 times
armid
8 months, 1 week ago
i agree with you except last remediation would be enforce controls on 3rd party app installs (bit torrent clients). Bit torrent ports are not necessarily malicious.
upvoted 1 times
armid
8 months, 1 week ago
the only thing that is bothering me a little is that why WAN interface in Remediation 2. Who says its WAN interface. But its the most probable answer they wanted.
upvoted 1 times
...
...
...
SirL
10 months, 4 weeks ago
Hi guys, is given answer correct
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago