
Exam CS0-003 topic 1 question 333 discussion

Actual exam question from CompTIA's CS0-003
Question #: 333
Topic #: 1

SIMULATION

An organization has noticed large amounts of data are being sent out of its network. An analyst is identifying the cause of the data exfiltration.


INSTRUCTIONS

Select the command that generated the output in tabs 1 and 2.

Review the output text in all tabs and identify the file responsible for the malicious behavior.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Comments

Popeyes_Chicken
1 month, 2 weeks ago
In my opinion, all correct except the file being used for malicious behavior. The sftp.exe file hash matches, but legitimate programs can also be abused / used to live off the land. Multiple connections are also being established to different public addresses. cmd.exe looks to be a red herring, I'm leaning toward sftp.exe. Thoughts?
upvoted 2 times
JunkyJunk
1 week, 4 days ago
I definitely see the data exfiltration for sftp, and then there are cmd.exe's discrepancies between hashes. This is a CompTIA question... both answers might be correct, but it's not entirely straightforward.
upvoted 1 times
fab34
3 weeks, 5 days ago
cmd.exe has a memory usage of 18.020 kbits, that's why I would go with cmd.exe.
upvoted 1 times
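Added example, not from the exam or from the commenters above: a small triage routine that applies the two indicators the thread weighs against each other, a file hash that differs from the known-good baseline (the cmd.exe argument) and a legitimate transfer tool holding connections to several public addresses (the sftp.exe argument), to constructed sample data so that both signals surface side by side and the analyst makes the call. Every name, hash, PID and IP below is a constructed placeholder, not an indicator from the simulation.

```python
# Added example: correlate a process listing with a hash baseline and a
# connection listing, flagging hash mismatches and public-peer activity.
import ipaddress
from collections import defaultdict

# Constructed baseline of expected SHA-256 values (placeholders, not real hashes).
BASELINE = {
    "cmd.exe": "aaaa1111",
    "sftp.exe": "bbbb2222",
    "svchost.exe": "cccc3333",
}

# Constructed process listing, in the spirit of the simulation's first tab.
PROCESSES = [
    {"pid": 1204, "name": "cmd.exe", "sha256": "ffff9999"},   # differs from baseline
    {"pid": 2210, "name": "sftp.exe", "sha256": "bbbb2222"},  # matches baseline
    {"pid": 880, "name": "svchost.exe", "sha256": "cccc3333"},
]

# Constructed (pid, remote address) pairs, in the spirit of the second tab.
CONNECTIONS = [
    (2210, "198.51.100.7"),  # documentation range, stands in for a public peer
    (2210, "203.0.113.25"),  # documentation range, second public peer
    (2210, "10.0.0.5"),      # internal host, not counted
    (880, "10.0.0.1"),
]

# RFC 1918 plus loopback and link-local; anything else is treated as public.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(processes, connections, baseline):
    """Return {process name: [findings]} for every process with at least one."""
    peers = defaultdict(set)  # pid -> distinct public remote addresses
    for pid, ip in connections:
        if not is_internal(ip):
            peers[pid].add(ip)
    findings = {}
    for proc in processes:
        notes = []
        expected = baseline.get(proc["name"])
        if expected is None:
            notes.append("no baseline hash")
        elif proc["sha256"] != expected:
            notes.append("hash differs from baseline")
        public = peers.get(proc["pid"], set())
        if public:
            notes.append(f"{len(public)} public peer(s)")
        if notes:
            findings[proc["name"]] = notes
    return findings


if __name__ == "__main__":
    for name, notes in triage(PROCESSES, CONNECTIONS, BASELINE).items():
        print(name, "->", "; ".join(notes))
```

On the constructed data both processes surface: cmd.exe for the hash mismatch and sftp.exe for two public peers, which is exactly the ambiguity the thread describes.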
Community vote distribution
A (35%)
C (25%)
B (20%)
Other