Exam CS0-002 topic 1 question 269 discussion

Actual exam question from CompTIA's CS0-002
Question #: 269
Topic #: 1

Law enforcement officials have notified an organization that one of its internal servers is suspected of being a command-and-control server for a malicious botnet. The organization's security analyst has been tasked with analyzing the internal server for indications of compromise. During the investigation, the analyst reviews the processes running on the server and sees the following:



Which of the following processes warrants further investigation?

  • A. cmd.exe
  • B. iexplore
  • C. nc.exe
  • D. notepad.exe
Suggested Answer: C

Comments

db97
Highly Voted 2 years, 2 months ago
nc.exe = ncat = reverse shell. Going with C here.
upvoted 6 times
2Fish
2 years, 1 month ago
Agree. That netcat looks super sketchy.
upvoted 1 times
encxorblood
Highly Voted 2 years, 2 months ago
Selected Answer: C
The process that warrants further investigation, based on the information provided in the scenario, is option C, nc.exe. nc.exe is a network utility that is commonly used as a backdoor by attackers to gain remote access to a compromised system. The fact that nc.exe is running on the server, in combination with the suspicion that the server is being used as a command-and-control server for a malicious botnet, suggests that this process may be an indicator of compromise.
upvoted 5 times
chuck165
Most Recent 2 years, 2 months ago
B. IE should have a name associated with it. For the others, john opened cmd, ran the nc command and then notepad to save the results.
upvoted 3 times
khrid4
2 years ago
Checking CPU Time, nc.exe started first before cmd.exe and iexplore and notepad. Hence nc.exe should be investigated for reverse shell.
upvoted 5 times
NerdAlert
2 years ago
u a genius
upvoted 1 times
gnnggnnggnng
2 years, 2 months ago
Selected Answer: C
The process "nc.exe" warrants further investigation as it is running with a user account and may indicate suspicious activity, such as being used for network communication, which is often a sign of compromise.
upvoted 2 times
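
The comments above single out nc.exe from a process list alone; the usual next triage step is to tie each process to the sockets it owns. The following is an added example, not part of the original question or of any commenter's post: it joins `tasklist /v /fo csv` output with `netstat -ano` output by PID. The sample data, the watchlist and the function names are constructed assumptions.

```python
import csv
import io

# Assumed watchlist of dual-use network tools; tune it per environment.
WATCHLIST = {"nc.exe", "ncat.exe", "netcat.exe"}
# Constructed `tasklist /v /fo csv` sample (not the exam's missing exhibit).
TASKLIST_CSV = r'''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"cmd.exe","1204","Console","1","3,100 K","Running","CORP\john","0:00:01","Command Prompt"
"iexplore.exe","1888","Console","1","48,220 K","Running","CORP\john","0:00:12","N/A"
"nc.exe","2816","Console","1","2,040 K","Running","CORP\john","0:05:47","N/A"
"notepad.exe","3020","Console","1","5,512 K","Running","CORP\john","0:00:00","Untitled - Notepad"
'''
# Constructed `netstat -ano` sample (documentation-range addresses).
NETSTAT_ANO = '''
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2816
  TCP    10.0.0.5:4444          203.0.113.7:51522      ESTABLISHED     2816
  TCP    10.0.0.5:49733         198.51.100.20:443      ESTABLISHED     1888
  UDP    0.0.0.0:123            *:*                                    1020
'''

def parse_netstat(text):
    """Map PID -> list of (proto, local, remote, state) from `netstat -ano`."""
    socks = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            proto, local, remote, state, pid = f
        elif len(f) == 4 and f[0] == "UDP":  # UDP rows have no State column
            (proto, local, remote, pid), state = f, ""
        else:
            continue  # header and blank lines
        socks.setdefault(pid, []).append((proto, local, remote, state))
    return socks

def triage(tasklist_csv, netstat_text):
    """Return processes that own sockets or are watchlisted; watchlisted first."""
    socks = parse_netstat(netstat_text)
    findings = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        owned, image = socks.get(row["PID"], []), row["Image Name"].lower()
        if owned or image in WATCHLIST:
            findings.append({"image": image, "pid": int(row["PID"]),
                             "user": row["User Name"], "watchlisted": image in WATCHLIST,
                             "listening": [s[1] for s in owned if s[3] == "LISTENING"],
                             "remote": [s[2] for s in owned if s[3] == "ESTABLISHED"]})
    return sorted(findings, key=lambda f: (not f["watchlisted"], f["pid"]))

if __name__ == "__main__":
    print(*triage(TASKLIST_CSV, NETSTAT_ANO), sep="\n")
```

A watchlist hit is a lead, not a verdict: the listening port, the remote peer and the owning account are what tell the analyst whether the tool is in administrative use or acting as a backdoor.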