
Exam CS0-001 topic 1 question 141 discussion

Actual exam question from CompTIA's CS0-001
Question #: 141
Topic #: 1

HOTSPOT -
Malware is suspected on a server in the environment. The analyst is provided with the output of commands from servers in the environment and needs to review all output files in order to determine which process running on one of the servers may be malware.
Instructions:
Servers 1, 2 and 4 are clickable. Select the server which hosts the malware, and select the process which hosts this malware.
If at any time you would like to bring back the initial state of the simulation, please select the Reset button. When you have completed the simulation, please select the Done button to submit. Once the simulation is submitted, please select the Next button to continue.
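The analysis the question asks for is a PID join between a process list and a netstat table, so here is an added example of that triage in Python (not part of the exam or of this thread). The process list and netstat rows are constructed, modelled on the PIDs and addresses quoted in the discussion below; the two allow-lists are assumptions for illustration.

```python
import re
# Constructed sample output modelled on values quoted in this discussion (not the
# real exam exhibit): tasklist-style process list and netstat -ano table for "Server 1".
PROCESS_LIST = """\
Image Name                     PID Session Name
svchost.exe                    276 Services
notepad.exe                   1276 Services
explorer.exe                  1400 Console
"""
NETSTAT = """\
Proto  Local Address          Foreign Address        State           PID
TCP    10.1.1.2:3389          172.30.0.148:49242     ESTABLISHED     276
TCP    10.1.1.2:57433         192.168.50.6:443       ESTABLISHED     1276
TCP    10.1.1.2:49500         0.0.0.0:0              LISTENING       1400
"""
# Illustrative lists (assumptions): tools that never need their own socket, and
# interactive images that belong in a Console session rather than Services.
NO_NETWORK_EXPECTED = {"notepad.exe", "calc.exe", "mspaint.exe"}
INTERACTIVE_APPS = {"notepad.exe", "explorer.exe", "calc.exe", "mspaint.exe"}

def parse_process_list(text):
    procs = {}                                   # PID -> (image name, session)
    for line in text.splitlines()[1:]:           # skip the header row
        m = re.match(r"(\S+)\s+(\d+)\s+(\S+)", line)
        if m:
            procs[int(m.group(2))] = (m.group(1).lower(), m.group(3))
    return procs

def parse_netstat(text):
    rows = []                                    # one dict per netstat row
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) == 5:
            rows.append(dict(zip(("proto", "local", "foreign", "state"), parts[:4]), pid=int(parts[4])))
    return rows

def find_suspicious(procs, conns):
    findings = []                                # (pid, image, peer, reasons)
    for c in conns:
        if c["state"] != "ESTABLISHED":
            continue                             # triage live sessions first
        name, session = procs.get(c["pid"], ("<unknown pid>", "?"))
        reasons = []
        if name in NO_NETWORK_EXPECTED:
            reasons.append("image has no business holding a socket")
        if name in INTERACTIVE_APPS and session == "Services":
            reasons.append("interactive app running as a service")
        if reasons:
            findings.append((c["pid"], name, c["foreign"], "; ".join(reasons)))
    return findings
```

Run on the sample data, the only finding is PID 1276 notepad.exe talking to 192.168.50.6:443; the svchost.exe RDP session and the explorer.exe listener pass.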

Hot Area:

Suggested Answer:

Comments

s3curity1
Highly Voted 4 years, 10 months ago
I'm thinking this is notepad.exe found on Server 1 (DMZ) connected to Server 4 (internal) over port 443. This looks suspicious, and why would notepad.exe be communicating in the first place? Also, processes/code/attack frameworks can be injected into notepad to do malicious stuff.
upvoted 12 times
s3curity1
4 years, 10 months ago
Also, this process may be initiated by the attacker and is being used to pivot from the DMZ to the internal network.
upvoted 1 times
mejt
4 years, 10 months ago
Notepad process does not show in netstat result...
upvoted 2 times
Blind_Hatred
4 years, 9 months ago
Yes it does: Server 1: PID 1286 (Notepad.exe) established connection with 192.168.50.6:443 (Server 4)
upvoted 4 times
Blind_Hatred
4 years, 9 months ago
Typo: PID 1276
upvoted 1 times
BigBo01010
Highly Voted 4 years, 9 months ago
This question is on the exam.
upvoted 5 times
[Removed]
Most Recent 2 years ago
I've looked at different test banks and both of them had the answer as Server 4 and svchost.exe. I went through it and I believe the answer is svchost.exe but can't conclude which server. Here's my thought process on why it's svchost.exe, and please correct me if I'm wrong here. For this symbol ">" = connecting local to foreign address:
Server 1 - 10.1.1.2 > 192.168.50.6 over various ports and PID 1276 and 276. 1276 shows as notepad and 276 shows as svchost.
Server 2 - 10.1.1.3 > 192.168.50.5 over various ports and PID 516 & 4. 516 shows svchost and 4 shows as system.
Server 3 - nothing.
Server 4 - 192.168.50.6 > 10.1.1.2 over various ports and PID 384 and 540. 348 shows as svchost and lsass shows as 540.
All servers have svchost and/or PID in their logs which makes me believe it's without a doubt svchost. Server 1 and 4 I'm having a difficult time concluding as the culprit. I'll default to the test banks saying Server 4 and svchost.
upvoted 1 times
kdubb2307
2 years, 10 months ago
Server 1 and Server 4 are both connected to IP 172.30.0.148 port 49242, PID 348.
upvoted 1 times
andrewdh
3 years, 10 months ago
So my question is this. I agree notepad reaching out on port 443 from Server 1 is very unusual... but why is Server 4 accepting this connection? Could there be a reverse shell happening here?
upvoted 2 times
Ashfaq2
4 years, 6 months ago
Server 1: notepad.exe, Server 2: explorer.exe, Server 4: svchost.exe ???
upvoted 1 times
diablobashier
4 years, 6 months ago
Can you confirm!!!
upvoted 1 times
rodya2020
4 years, 6 months ago
This question was on the exam (October 2020).
upvoted 2 times
FCD
4 years, 6 months ago
What was the answer you chose?
upvoted 1 times
rodya2020
4 years, 6 months ago
Server 1, notepad.exe. There shouldn't be a connection on port 443 for that one.
upvoted 2 times
ITeaGuy
4 years, 6 months ago
People, do your research. Excessive memory use could mean corruption or something else... Normally many services utilize svchost, but if there is high CPU/memory usage, chances are a file or two using svchost may be infected... Notepad, sure, it may contain a virus... but in this case... Hmmmm.
upvoted 1 times
[Removed]
4 years, 6 months ago
The correct answer is notepad.exe running on Server 1 (10.1.1.2). If you look closely, notepad.exe is running as a service instead of console. You check the PID and correlate it with the netstat output: it's established a communication on port 443, which is an anomaly as notepad.exe has no business connecting on port 443. This simply means the malware has disguised itself as a service in notepad.exe to evade suspicion. Ref: https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/
upvoted 5 times
[Removed]
4 years, 6 months ago
There's also an outbound connection from 192.168.50.6:443 -> 10.1.1.2:57433 ESTABLISHED connection with PID 348 (svchost.exe) as a result of the above.
upvoted 1 times
[Removed]
4 years, 6 months ago
On Server 4.
upvoted 1 times
MagicianRecon
4 years, 9 months ago
Why would a notepad.exe have any sort of outbound connections? svchost.exe is not malware: https://www.lifewire.com/scvhost-exe-4174462
upvoted 1 times
Blind_Hatred
4 years, 9 months ago
I'm at a loss here. All I can tell for sure is: Server 2 is doing nothing interesting. There is a connection going on between Server 4 (port 443, process svchost.exe) and Server 1 (port 57433, process notepad.exe). Now, a notepad.exe process having any sort of connection is an automatic red flag. That said, is there any legitimate reason for svchost.exe to listen on port 443? Could that be an IIS server or something? Anyone got a clue?
upvoted 2 times
Blind_Hatred
4 years, 9 months ago
With everything I know, I would say notepad.exe is the culprit on Server 1, and it's making connections to 443 on Server 4 (probably get access to the internal network).
upvoted 6 times
josephconer1
2 years ago
Agreed. I think being established via 443 is sus already with a notepad.exe, and on top of that it's the only anomaly throughout all of the servers. Definitely an outlier, and it makes me think it's Server 1 / notepad.exe as well.
upvoted 1 times
battlecreekspartan
4 years, 10 months ago
Wouldn't it be explorer.exe as it's making the RDP connection?
upvoted 1 times
NovO
4 years, 11 months ago
Consider this: there are 3 machines in question, 2 in the DMZ, where it is typical to have outside network communication of some sort, and 1 in INTERNAL, which typically does NOT communicate outside. You will notice Server 4 has RDP connections with an external (public) IP. That helps define the server of concern IMO. The other servers do also have external connection sessions, but as stated that is not necessarily unusual, though it could still be worth investigating after focusing on the internal machine. For the process of concern I do not have as much explanation other than that the RDP sessions on Server 4 are linked to the PID for svchost.exe.
upvoted 5 times
Blind_Hatred
4 years, 9 months ago
Those are not external IPs. The IPs you're talking about (172.30.0.X) are within the RFC 1918 class B range of 172.16.0.0 – 172.31.255.255. Also, both Server 1 and Server 4 have exactly the same communication with the same IP addresses, for the same ports (3389, or RDP), which leads me to believe that these machines are being managed remotely by a server administrator. In fact, I believe this is a hint here. The server admins are not connecting to Server 2, so I feel like that one is already out of the question because the server admins aren't even looking into that one. They want to know which of the two remaining servers has malware. We're seeing a connection between Server 1 and Server 4 in which notepad.exe (on Server 1) is connecting to port 443 on Server 4. Server 4 could be a webserver (svchost.exe has been known to listen on weirder ports than 443) and Server 1 (on the DMZ) might be trying to find a way into the internal network through Server 4. So again, I'm thinking Server 1 and notepad.exe. I haven't read anything here in the comments that would change my mind.
upvoted 5 times
lupinart
4 years, 11 months ago
I agree with your assessment. I came to the same conclusion after 20 minutes of reading the logs.
upvoted 2 times
TT
4 years, 11 months ago
Does anyone have an explanation for this? I'm lost.
upvoted 1 times