
Exam CAS-004 topic 1 question 146 discussion

Actual exam question from CompTIA's CAS-004
Question #: 146
Topic #: 1

SIMULATION -
You are about to enter the virtual environment.
Once you have completed the item in the virtual environment, you will NOT be allowed to return to this item.
Click Next to continue.


Question and Instructions -
DO NOT perform the following actions within the virtual environment. Making any of these changes will cause the virtual environment to fail and prevent proper scoring.
1. Disabling ssh
2. Disabling systemd
3. Altering the network adapter 172.162.0.0
4. Changing the password in the lab admin account
Once you have completed the item in the virtual environment, you will NOT be allowed to return to this item.

TEST QUESTION -
This system was recently patched following the exploitation of a vulnerability by an attacker to enable data exfiltration.
Despite the vulnerability being patched, it is likely that a malicious TCP service is still running and the adversary has achieved persistence by creating a systemd service.
Examples of commands to use:
kill, killall
lsof
man, --help (use for assistance)
netstat (useful flags: a, n, g, u)
ps (useful flag: a)
systemctl (to control systemd)
Please note: the list of commands shown above is not exhaustive. All native commands are available.

INSTRUCTIONS -
Using the following credentials:

Username: labXXXadmin -
Password: XXXyyYzz!
Investigate to identify indicators of compromise and then remediate them. You will need to make at least two changes:
1. End the compromised process that is using a malicious TCP service.
2. Remove the malicious persistence agent by disabling the service's ability to start on boot.

Suggested Answer: See explanation below.
Find the malicious service and use the "killall" command to end the process.
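The triage the instructions describe (listening TCP port, then its PID, then the systemd unit that owns it, then stop and disable) carried through as an added example; it is not part of the exam question or the site's suggested answer. It runs offline against constructed `netstat -nltp` and `/proc/<pid>/cgroup` output: the ports, PIDs, the lookalike process name `systemd-resolv` and the expected-port baseline are all made up for illustration, and `remediation_plan` prints the commands rather than running them.

```shell
#!/bin/sh
# Added example: map an unexpected TCP listener to its systemd unit and
# derive the remediation order. Every sample string below is constructed.

# Constructed sample of what `sudo netstat -nltp` prints (not from the lab VM).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      611/sshd
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      480/systemd-resolve
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      1337/systemd-resolv
tcp6       0      0 :::22                   :::*                    LISTEN      611/sshd'

# Constructed sample of /proc/1337/cgroup on a cgroup v2 host. The last path
# component is the systemd unit that owns the process.
SAMPLE_CGROUP='0::/system.slice/systemd-resolv.service'

# Hypothetical baseline: ports this host is expected to listen on.
EXPECTED_PORTS="22 53"

# Print "port pid program" for each LISTEN line of netstat -nltp output on stdin.
listening_tcp() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, addr, ":"); port = addr[n]   # last field after ":" (works for IPv6 too)
        split($7, prog, "/")                       # "1337/systemd-resolv" -> pid, program
        print port, prog[1], prog[2]
    }'
}

# PID of the process listening on the given TCP port (first match).
pid_for_port() {
    printf '%s\n' "$SAMPLE_NETSTAT" | listening_tcp | awk -v p="$1" '$1 == p { print $2; exit }'
}

# Listeners whose port is not in the expected baseline.
unexpected_listeners() {
    printf '%s\n' "$SAMPLE_NETSTAT" | listening_tcp | while read -r port pid prog; do
        case " $EXPECTED_PORTS " in
            *" $port "*) ;;                       # expected, skip
            *) echo "$port $pid $prog" ;;
        esac
    done
}

# Owning systemd unit from a /proc/<pid>/cgroup line.
# On a live host: unit_from_cgroup "$(cat /proc/$PID/cgroup)"
unit_from_cgroup() {
    printf '%s\n' "$1" | sed -n 's#.*/\([^/]*\.service\)$#\1#p'
}

# Remediation order for a unit: stop through systemd first (so the unit is not
# respawned), then disable so it cannot start on boot, then re-check.
# Printed, not executed.
remediation_plan() {
    unit="$1"
    printf 'sudo systemctl stop %s\n' "$unit"
    printf 'sudo systemctl disable %s\n' "$unit"
    printf 'sudo systemctl status %s\n' "$unit"
    printf 'sudo netstat -nltp\n'
}

# Walk-through on the constructed sample.
unexpected_listeners | while read -r port pid prog; do
    echo "unexpected listener: port $port pid $pid ($prog)"
    unit=$(unit_from_cgroup "$SAMPLE_CGROUP")
    echo "owning unit: $unit"
    remediation_plan "$unit"
done
```

On a live host, feed the real `sudo netstat -nltp` output and `cat /proc/<pid>/cgroup` into the same functions; `systemctl status <pid>` also accepts a PID and reports the unit that owns it. Reading the owning unit from the cgroup is more reliable than grepping the unit list for the process name, because a persistence unit's name need not resemble its process name, and a lookalike such as `systemd-resolv` next to the legitimate `systemd-resolve` is easy to misread in a long listing.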

Comments

dangerelchulo
Highly Voted 2 years, 3 months ago
Passed the TEST. Use sudo before any command; the password is the same password provided. Everything in <> is not part of the command, it is a variable. Sudo will show you every detail you need. First command: $ sudo netstat -nltp, this will show you IP, port, PID, name of task. For added value you can also run $ sudo lsof -i :<port>. Now you need to find the service, so you use $ sudo systemctl --type=service | grep <name of task>; this will give you <something>.service. Mine was <something>-resolve.service, forgot the full name. Suggest you do a $ sudo systemctl status <full name service> to compare. After all that let's kill it all. First kill the PID: $ sudo kill -9 <pid>. Then let's complete the second part: $ sudo systemctl stop <full name service>, followed by $ sudo systemctl disable <full name service>. Now for the cream on the top, you verify that it is gone: $ sudo netstat -nltp and $ sudo systemctl status <full name service>. That is it, good luck everyone.
upvoted 31 times
23169fd
5 months ago
$ sudo netstat -nltp
$ sudo lsof -i :<port>
$ sudo kill <PID>
$ sudo systemctl list-units --type=service
$ sudo systemctl disable malicious_service
$ sudo systemctl stop malicious_service
$ sudo rm /etc/systemd/system/malicious_service.service
upvoted 3 times
youngprinceton
2 years, 3 months ago
did you pass with the answers from here?
upvoted 3 times
dangerelchulo
2 years, 1 month ago
the question and answers are correct, the choices are not. I had to build my own dataset with correct answers. I paid for the comptia package so I just checked some of the questions against their own book and the answer was obvious
upvoted 10 times
youngprinceton
2 years, 1 month ago
also when you are saying name of task what will the name of task be
upvoted 3 times
youngprinceton
2 years, 1 month ago
How can I reach out to you, and can you please be more detailed about the commands needed for the sim? I was honestly a bit confused by what you wrote because I need to know exactly what's needed.
upvoted 1 times
Broesweelies
Highly Voted 1 year, 9 months ago
1) Use the sudo netstat -nltp command to list all listening TCP and UDP ports, along with their associated process IDs and names.
2) Use the sudo lsof -i :<port> command to get more information about the process running on a specific port.
3) Use the sudo systemctl --type=service | grep <name of task> command to find the name of the service associated with the compromised process.
4) Use the sudo systemctl status <full name service> command to verify the status of the service and confirm that it is the correct one.
5) Use the sudo kill -9 <pid> command to kill the compromised process identified earlier.
6) Use the sudo systemctl stop <full name service> command to stop the service.
7) Use the sudo systemctl disable <full name service> command to prevent the service from starting automatically on boot.
8) Use the sudo netstat -nltp command and the sudo systemctl status <full name service> command to confirm that the compromised process and service are no longer running.
upvoted 18 times
IT_Master_Tech
Most Recent 7 months, 4 weeks ago
Where is the answer?
upvoted 1 times
e4af987
8 months, 1 week ago
I just took the test. Waiting for results, but this simulation screwed me up. I probably should have spent more time on this question. When I practiced this on my own laptop it wasn't an issue; when it came to the simulation I totally forgot everything and had to pass up this simulation. If you hit the Next button you won't get another chance to do this simulation, so you BETTER practice and remember this one!
upvoted 2 times
SirL
7 months, 2 weeks ago
Hi, was it malicious.service?
upvoted 1 times
Waltsthe
8 months, 3 weeks ago
Which OS should I be practicing this on? I don't recognize the Linux version.
upvoted 1 times
D1960
10 months, 2 weeks ago
Why use netstat? Why not just find the service name that does not look right. Reading these replies it seems the service name may be:
- service
- malicious.service
- service.service
- servicename
So just use:
$ sudo systemctl list-unit-files | grep -i service
then
$ sudo systemctl stop <service>
$ sudo systemctl disable <service>
upvoted 5 times
IT_Master_Tech
1 week ago
Makes sense to me. I will take the exam tomorrow and will go with that if I get the sim.
upvoted 1 times
Delab202
11 months ago
Don't waste your time on long and unneeded commands.
Step 1 - Sign in using the username and password.
Step 2 - Click on the terminal icon.
Step 3 - Type this command: sudo systemctl status malicious.service. The system will show you a bunch of info; the key one that you are looking for is the enabled status. Close the terminal app.
Step 4 - Click on terminal again and type sudo systemctl disable malicious.service
Step 5 - Type sudo systemctl status malicious.service. The system will show you a bunch of info; the key one that you are looking for is the disabled status. Close the terminal app.
You are done. Don't memorize unnecessary commands.
upvoted 2 times
Trap_D0_r
10 months, 3 weeks ago
It's not enough to simply disable the service; you also need to stop it, since it is currently running. You may want to throw in a <sudo systemctl stop malicious.service> as step 4.5.
upvoted 2 times
D1960
10 months, 2 weeks ago
How do you know what the "malicious.service" is to begin with?
upvoted 2 times
Anarckii
11 months, 2 weeks ago
sudo netstat -tulpn
sudo lsof -i :<port number>
sudo systemctl list-unit-files --type=service
sudo kill -9 <PID>
sudo systemctl stop service.service
sudo systemctl disable service.service
sudo netstat -tulpn
sudo systemctl status service.service
upvoted 1 times
joinedatthehop
1 year ago
I passed the exam. On this question I kept it simple by using the following 4 commands. I tested these commands on my home lab prior to taking the test:
1) sudo systemctl list-unit-files | grep -i service
2) sudo systemctl status malicious.service
3) sudo kill -9 <PID>
4) sudo systemctl disable malicious.service

1) sudo systemctl list-unit-files | grep -i service (this command displays the services; malicious.service is the service you will be working with)
2) sudo systemctl status malicious.service (this command provides the PID for the process you need to terminate in the next step)
3) sudo kill -9 <PID> (once you have the PID of the process you want to terminate, you can use the kill command to signal the process)
4) sudo systemctl disable malicious.service (this command will disable the service)
upvoted 7 times
PluDou
4 months, 2 weeks ago
This works and is easy to remember.
upvoted 1 times
D1960
10 months, 2 weeks ago
A possible problem with "sudo systemctl list-unit-files | grep -i service" is: you may get an awful lot of services listed, and the service name may not be malicious.service. From what I have been reading here the service name may be: servicename, sevice.service, or malicious.service; or - who knows? - it may be something else. It may be that the test uses a lot of different names.
upvoted 1 times
Uncle_Lucifer
1 year, 3 months ago
Here is the real deal after taking the exam. Don't waste your time with "sudo kill -9 <PID NUM>". You will kill the process, but the systemd exploit will spawn another one with a different PID. If you think I am lying, after the kill command type "sudo netstat -nltp" and press enter; you will see the respawned system process with a new PID. Pretty much all you need to kill the process is "sudo systemctl stop <servicename.service>". To disable and remove the exploit, just use the disable command: "sudo systemctl disable <servicename.service>". This will disable and auto delete/remove the folders. You don't have to manually delete the folders as specified by others here using the rm command. It is done automatically and you will see the auto-generated rm command in the window after the disable command.
upvoted 6 times
Uncle_Lucifer
1 year, 3 months ago
To verify the removal simply reboot with "sudo reboot -n". Login again and:
- use "sudo netstat -nltp" to verify the process didn't spawn
- use "sudo systemctl --type=service --state=active" to verify the service is disabled
You want to verify the exploit exists in both processes and services. If you want to know what the exploit is, use "sudo netstat -nltp | grep systemd". Whatever process name you see there, map it to the closest name in the services; the service name is processname + more characters. Don't forget sudo for all commands. Don't forget to reference service names with "*.service", where * is the service name.
upvoted 3 times
Uncle_Lucifer
1 year, 3 months ago
servicename - is the name of the exploit service name
upvoted 1 times
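Why `kill -9` alone did not hold, as Uncle_Lucifer and Trap_D0_r report above: a unit whose `[Service]` section sets `Restart=` is respawned by systemd as soon as its main process dies, so the process has to be stopped through systemd and the unit disabled. The script below is an added example, not from the page or the lab; the unit file, its name `systemd-resolv.service` and every path in it are constructed for illustration, and the helpers parse that text rather than touching the live system.

```shell
#!/bin/sh
# Added example: read a persistence unit's own settings to decide whether
# killing the PID can work and what `systemctl disable` will remove.

# Constructed unit file resembling an attacker-created service (not from the lab).
SAMPLE_UNIT='[Unit]
Description=Network Name Resolution helper

[Service]
ExecStart=/usr/local/bin/resolv-helper -l 4444
Restart=always
RestartSec=2

[Install]
WantedBy=multi-user.target'

# unit_get SECTION KEY: value of KEY inside [SECTION] of a unit file read on stdin.
unit_get() {
    awk -v sec="[$1]" -v key="$2" -F= '
        /^\[/ { in_sec = ($0 == sec); next }        # track which section we are in
        in_sec && $1 == key { sub(/^[^=]*=/, ""); print; exit }'
}

# true if systemd will restart the service after its process dies
# (any Restart= value other than "no" or unset).
will_respawn() {
    r=$(printf '%s\n' "$SAMPLE_UNIT" | unit_get Service Restart)
    case "${r:-no}" in
        no) echo false ;;
        *)  echo true ;;
    esac
}

# enable_symlink UNIT: the symlink `systemctl enable` created for the WantedBy=
# target and `systemctl disable` removes (the "rm" line seen after disable).
enable_symlink() {
    target=$(printf '%s\n' "$SAMPLE_UNIT" | unit_get Install WantedBy)
    echo "/etc/systemd/system/${target}.wants/$1"
}

# remediation_for UNIT: the order that actually holds, derived from the unit.
remediation_for() {
    if [ "$(will_respawn)" = true ]; then
        echo "# kill alone is insufficient: Restart=$(printf '%s\n' "$SAMPLE_UNIT" | unit_get Service Restart) respawns the process"
    fi
    echo "sudo systemctl stop $1"
    echo "sudo systemctl disable $1     # removes $(enable_symlink "$1")"
    echo "sudo systemctl status $1      # expect: inactive (dead), disabled"
}

remediation_for systemd-resolv.service
```

On a live host, replace `SAMPLE_UNIT` with `systemctl cat <unit>` output. Note that `systemctl disable` removes only the `.wants` symlink; the unit file itself stays in `/etc/systemd/system`, so it can be re-enabled with a single command. After capturing it as evidence, `systemctl mask <unit>` (or deleting the file followed by `systemctl daemon-reload`) closes that gap.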
pawnpusher
1 year, 3 months ago
Took the test today. Some of the info in the provided answers to this Q is wrong.
1) sudo netstat -nltp
2) sudo lsof +M (you will see the service here, it's pretty obvious)
3) sudo systemctl status <service name> (get the PID here)
4) sudo kill -9 <PID>
5) sudo systemctl stop <service name>
6) sudo systemctl disable <service name>
7) Run nmap for the hell of it to see if the malicious service is still listening, or do this at the beginning: sudo nmap -T Aggressive -A -v 127.0.0.1 -p 1-65000
upvoted 4 times
Uncle_Lucifer
1 year, 3 months ago
Just as you called out the wrong steps in others, I will call yours out as well: the #4 kill command will not be sufficient to kill the process; the exploit will respawn with a different PID. You are lucky that #5 solved the task of killing the process. Yes, the stop command is what killed the process. I verified it today.
upvoted 3 times
[Removed]
1 year, 6 months ago
look for "malicious.service"
upvoted 5 times
BLADESWIFTKNIFE
1 year, 9 months ago
Instead of giving everyone headaches by writing a huge paragraph, can someone just give us straight-up commands? Enough flooding this page; go like this example:
1. sudo netstat -ntlp
2. sudo lsof -i
3. ETC ETC
upvoted 5 times
MikeyMaster
1 year, 7 months ago
$ sudo netstat -nltp
$ sudo lsof -i :<port>
$ sudo systemctl --type=service | grep systemd-resolve.service
$ sudo systemctl status systemd-resolve.service
$ sudo kill -9 <pid>
$ sudo systemctl disable systemd-resolve.service
$ sudo systemctl stop systemd-resolve.service
$ sudo netstat -nltp
Let me know if this is good.
upvoted 13 times
MostofMichelle
1 year, 3 months ago
You rock Mikey!
upvoted 1 times
bobby44
1 year, 9 months ago
Every time I try the command $ sudo systemctl stop after kill -9 it says the service isn't loaded. This is in my home lab. What's going on here?
upvoted 1 times
bobby44
1 year, 9 months ago
netstat -ntlp or even sudo netstat -ntlp doesn't seem to show me any PID... will Ubuntu show that, or does it have to be some other flavor of Linux? New to Linux... thanks.
upvoted 1 times
ToneBar
1 year, 9 months ago
Just passed this exam. Had this question; take your time and follow the examples in these posts. I used @dangerelchulo's notes to help me out. Also, I used Pass4Sure prior to this and I bombed the test. Used this website, spot on.
upvoted 6 times
jekster
1 year, 10 months ago
Passed it on the first try. Follow dangerelchulo's instructions for this. Just memorize them and then dump them onto the whiteboard they give you. The new questions that they added from page 40 and on were on my test. Almost all of them. There were eightish questions I've never seen anywhere
upvoted 4 times
FOURDUE
1 year, 10 months ago
Thank you, jekster. I test tomorrow and have been practicing like hell to get these commands down.
upvoted 3 times