Exam SY0-601
Question 731

HOTSPOT

You are a security administrator investigating a potential infection on a network.

INSTRUCTIONS

Click on each host and firewall. Review all logs to determine which host originated the infection and then identify if each remaining host is clean or infected.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

    Correct Answer:

Discussion
Narobi

192.168.10.22 - origin - scans disabled on this host by svchost
192.168.10.37 - clean - scan found and quarantined svchost
192.168.10.41 - infected - heuristic pattern match but failed to quarantine svchost
10.10.9.12 - clean - scan found and quarantined svchost
10.10.9.18 - infected - heuristic pattern match but failed to quarantine svchost

I came to this conclusion for origin because the time stamp on this host disabling its scan is 14:31. This is also the time it opened a connection to an 8080 HTTP port. All other hosts' scans detected svchost at the exact same time of 14:37:37. The two infected computers opened connections over 8080 a few minutes later. So based on the logs, the timeframes, and the port connections, 22 would have been the first one, making it the origin. If someone's got better, let me know.
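The triage logic Narobi lays out above (scanner disabled or quarantine failed means infected, successful quarantine means clean, and the earliest compromise indicator marks the origin), as an added Python example that is not part of the original thread. The log events are constructed to mirror the times and ports mentioned in the post, and the documentation address 203.0.113.5 stands in for the external server.

```python
from datetime import datetime

# Constructed sample events (host, HH:MM:SS, message) modelled on the times
# and ports Narobi describes; these are not the real PBQ logs, and the
# documentation address 203.0.113.5 stands in for the external server.
SAMPLE_EVENTS = [
    ("192.168.10.22", "14:31:00", "AV realtime scan disabled by svchost.exe"),
    ("192.168.10.22", "14:31:04", "outbound TCP 8080 to 203.0.113.5"),
    ("192.168.10.37", "14:37:37", "AV found svchost.exe, quarantined"),
    ("192.168.10.41", "14:37:37", "AV heuristic match svchost.exe, quarantine failed"),
    ("192.168.10.41", "14:40:12", "outbound TCP 8080 to 203.0.113.5"),
    ("10.10.9.12", "14:37:37", "AV found svchost.exe, quarantined"),
    ("10.10.9.18", "14:37:37", "AV heuristic match svchost.exe, quarantine failed"),
    ("10.10.9.18", "14:41:30", "outbound TCP 8080 to 203.0.113.5"),
]

# Substrings that show the malware is active on a host. A successful
# quarantine is deliberately absent: there the scanner won.
COMPROMISE_MARKERS = ("scan disabled", "quarantine failed", "outbound TCP 8080")

def group_by_host(events):
    """Parse timestamps and group events per host."""
    by_host = {}
    for host, ts, msg in events:
        by_host.setdefault(host, []).append((datetime.strptime(ts, "%H:%M:%S").time(), msg))
    return by_host

def is_compromise(msg):
    return any(marker in msg for marker in COMPROMISE_MARKERS)

def classify_host(host_events):
    """'infected' if any compromise marker is present, otherwise 'clean'."""
    return "infected" if any(is_compromise(m) for _, m in host_events) else "clean"

def first_compromise(host_events):
    """Earliest time a compromise marker appears on this host, or None."""
    times = [t for t, m in host_events if is_compromise(m)]
    return min(times) if times else None

def triage(events):
    """Return (origin, {host: verdict}). Origin is the infected host with the
    earliest compromise marker: the coinciding 14:37:37 detections reflect the
    scan schedule, not when each host was hit, so detection time is not used."""
    by_host = group_by_host(events)
    verdicts = {h: classify_host(ev) for h, ev in by_host.items()}
    onset = {h: first_compromise(by_host[h]) for h, v in verdicts.items() if v == "infected"}
    origin = min(onset, key=onset.get) if onset else None
    return origin, verdicts
```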

BD69

10.10.9.18 looks like the originator - it's the very first host to connect to the nasty IP (57.203.54.*) range.

BD69

192.168.10.22 is the first to be successfully infected, but it doesn't mean it's the originator. If it were me, I'd start w/the first machines tapping that address range.

BD69

"originated the infection" -- kind of vague, but perhaps they do mean the first spreader.

Benrosan

Passed my test with a score of 821 yesterday. All PBQs and 95% of the questions were from this dump. Review the last 250 or so questions closely. Can't overstate how helpful this site (and you all) were. Good luck guys!

Rowdy_47

Seems like the logs can be found here: https://www.dumpspedia.com/sy0-601-comptia-securityp-exam-2021-dumps.html (Question 147)

192.168.10.22 - infected - scan disabled (infected)
192.168.10.37 - infected file quarantined (Clean)
192.168.10.41 - infected - heuristic pattern match but unable to quarantine file (Infected?)
Firewall - 192.168.10.41 initiated SMBv1 on port 445 to 10.10.9.12 (I would say 192.168.10.41 is the origin) - not sure if you can select two options on a single host
10.10.9.12 - infected file found and quarantined (clean)
10.10.9.18 - infected - heuristic pattern match but unable to quarantine file (Infected?)

Which conflicts with the answer explanation at the site above.

WinEH

Referring to the logs from the URL/link below provided by @Rowdy_47: https://www.dumpspedia.com/sy0-601-comptia-securityp-exam-2021-dumps.html

Answer should be:
192.168.10.22 – Origin & Infected
192.168.10.41 & 10.10.9.18 – Infected
192.168.10.37 & 10.10.9.12 – Clean

Correct me if I am wrong.

david124

I went over the same logs and I agree with you.

_deleteme_

Passed my exam this morning, this simulation was there. I chose what Narobi added. When I opened the PC I was able to confirm the findings by scrolling all the way to the bottom where some clearly showed "quarantined".

bzona

What is origin? And where are the logs from the servers and firewall? How did some of you answer the question without any provided information?

durel

Where are the details of the question? How do I view the logs?

maggie22

Was on the exam today. My first PBQ.

maggie22

Heads up. 80% of the questions I had were from 700-849, including the PBQs 156, 731, 733 & 734.

TimBogao

Is it on SY0-601 or SY0-701?

79dc014

This was on the exam 1/21/24

staticisthemix

04/09/24 this question was on the exam. I have a free account, so I only went up to 400 questions; barely any of those MQs showed up. I highly suggest you go over the comments and understand it to apply logic.

TamaraN

Just passed the exam. PBQ 153, 731, 733, 734 were on there.

Soleandheel

192.168.10.22 – Origin & Infected
10.10.9.18 – Infected
192.168.10.37 & 10.10.9.12 & 192.168.10.41 – Clean

Soleandheel

Actually, 192.168.10.41 looks like it's infected as well. So I would amend my answer to:
192.168.10.22 – Origin & Infected
10.10.9.18 & 192.168.10.41 – Infected
192.168.10.37 & 10.10.9.12 – Clean

DChilds

There is some missing info with this question.

david124

I found log pics here: https://www.dumpspedia.com/sy0-601-comptia-securityp-exam-2021-dumps.html (Q 147)

Andrii1137

This was on my exam 29.12.23

Rowdy_47

Based on the logs, it seems that the host that originated the infection is 192.168.10.22. This host has a suspicious process named svchost.exe running on port 443, which is unusual for a Windows service. It also has a large number of outbound connections to different IP addresses on port 443, indicating that it is part of a botnet. The firewall log shows that this host has been communicating with 10.10.9.18, which is another infected host on the engineering network. This host also has a suspicious process named svchost.exe running on port 443, and a large number of outbound connections to different IP addresses on port 443. The other hosts on the R&D network (192.168.10.37 and 192.168.10.41) are clean, as they do not have any suspicious processes or connections.

Sareena13

I am not able to locate the logs. Could anyone post them here for reference?

NB2024

https://www.examtopics.com/discussions/comptia/view/140250-exam-sy0-701-topic-1-question-77-discussion/

BD69

The hard part, initially, was finding the origin. At first I thought it was 10.10.9.18 since it connected to the nasty server first in the log; however, the first address (in the log) to connect using RPC (a vector found on MS systems) was 192.168.10.22 to 10.10.9.12, then 10.10.9.12 via RPC to 192.168.10.41. The only thing weird is that 10.10.9.18 made an RPC connection but had not been tapped by 192.168.10.22 first (meaning it had to already be infected). Hmmm. Maybe I'm wrong again.