Exam CS0-002
Question 14

SIMULATION

Malware is suspected on a server in the environment.

The analyst is provided with the output of commands from servers in the environment and needs to review all output files in order to determine which process running on one of the servers may be malware.

INSTRUCTIONS

Servers 1, 2, and 4 are clickable. Select the Server and the process that host the malware.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Correct Answer:

See explanation below.

Server 4, Svchost.exe

Discussion
R00ted

The correct answer to the question is Server 4, and the process infected is Svchost.exe. Explanation: The IPs are within the RFC 1918 class B range of 172.16.0.0 – 172.31.255.255. Both Servers 1 and 4 (internal) have the same communication with the same IPs for the same RDP (Remote Desktop Protocol, responsible for remote connection to servers or computers with the same Windows OS), which shows the system administrator remotely manages them. A connection between Server 1 and 4 is established: notepad.exe on Server 1 is connecting to port 443 on Server 4. As per the question, from a logical perspective, the server can be the web server where svchost.exe is listening on a different port rather than 443, and Server 1 (in the DMZ) is trying to access the internal network on Server 4 [which is malicious].

Treymb6

I think someone finally has the right answer with explanation here. Seems to be the only thing that makes sense. Thank you for the detailed explanation.

ApexPredator84

Got this one today!! Used Server 1 and notepad.exe. I didn't fail any PBQs... thanks for the deliberations, fellas.

simpfemboy

I understand Server 1 and 4, but I'm having trouble finding an explanation for Server 2, if you could help me out.

NerdAlert

How can you tell you didn't fail any PBQs?!

Hershey2025

It seems if you fail the exam, the exam will tell you at the end what questions you failed on.

NerdAlert

No, it just says how well you did on different topics/exam objectives, not specific questions.

iwonttellyou

Passed it the other day, this one was in it. I selected Server 4, svchost.exe. Read the question carefully: it asks specifically which server and process HOSTS the malware. Realistically you'd select both, but you can only choose one. Then why Server 4 svchost and not Server 1 notepad, its counterpart? Simple. It asks who hosts the malware; it has to be Server 4 because even if notepad was malware of some kind on Server 1, it shouldn't ever be able to talk to a server in the internal network without some compromise on that end. It has to cross the DMZ barrier. Being port 443, this looks like a reverse shell, where they've chosen port 443 to obfuscate it.

Joshey

People, the question is why would a notepad process be communicating out to another host… OVER BL**DY 443… BRAAAAAAA THAT'S SUSPICIOUS ENOUGH FOR ME MATE

AAASSAA

Server4 192.168.50.6
Server1 10.1.1.1
10.1.1.2:57433 >> 192.168.50.6:433 PID 1276 (notepad.exe)
192.168.50.6:433 << 10.1.1.2:57433 PID 348 (svchost.exe)
Answer is Server4 (svchost.exe)
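
The cross-server correlation that R00ted and AAASSAA describe above (find the socket pair shared by two servers, then check which binary owns each end), as an added Python example that is not part of the original thread. The netstat-style lines, addresses, ports and PIDs are constructed sample values modelled on the thread's summary, not the real exhibit, and the NO_NETWORK_EXPECTED list is an assumed tuning knob.

```python
import re
from collections import namedtuple

Conn = namedtuple("Conn", "server proto laddr lport raddr rport state pid proc")
# Constructed netstat -ano -b style output per server, modelled on the exhibit as the thread
# summarises it. Addresses, ports and PIDs are sample values, not the real exhibit.
CONSTRUCTED_OUTPUT = {
    "Server1": ["TCP 10.1.1.2:3389 172.16.20.9:50122 ESTABLISHED 900 svchost.exe",
                "TCP 10.1.1.2:57433 192.168.50.6:443 ESTABLISHED 1276 notepad.exe"],
    "Server4": ["TCP 192.168.50.6:3389 172.16.20.9:50123 ESTABLISHED 880 svchost.exe",
                "TCP 192.168.50.6:443 10.1.1.2:57433 ESTABLISHED 348 svchost.exe"],
}
# Binaries that have no reason to hold a socket on a server (assumption: tune per estate).
NO_NETWORK_EXPECTED = {"notepad.exe", "calc.exe", "mspaint.exe"}
LINE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s+(\S+)$")

def parse(server, lines):
    """Turn one server's netstat lines into Conn records, skipping unparseable lines."""
    out = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            proto, la, lp, ra, rp, state, pid, proc = m.groups()
            out.append(Conn(server, proto, la, int(lp), ra, int(rp), state, int(pid), proc.lower()))
    return out

def correlate(conns):
    """Pair each socket with its peer on another server: same 4-tuple, local/remote swapped."""
    by_tuple = {(c.laddr, c.lport, c.raddr, c.rport): c for c in conns}
    pairs = []
    for c in conns:
        peer = by_tuple.get((c.raddr, c.rport, c.laddr, c.lport))
        if peer is not None and c.lport > peer.lport:  # emit once, ephemeral (client) side first
            pairs.append((c, peer))
    return pairs

def findings(conns):
    """Flag sockets owned by unexpected binaries and name the server/process at the far end."""
    peer_of = {id(c): p for c, p in correlate(conns)}
    hits = []
    for c in conns:
        if c.proc in NO_NETWORK_EXPECTED:
            hits.append((c.server, c.proc, c.pid, f"-> {c.raddr}:{c.rport}"))
            if id(c) in peer_of:
                p = peer_of[id(c)]
                hits.append((p.server, p.proc, p.pid, f"hosts far end on port {p.lport}"))
    return hits

def analyze(outputs=CONSTRUCTED_OUTPUT):
    conns = [c for server, lines in outputs.items() for c in parse(server, lines)]
    return findings(conns)
```

The RDP sessions from the same admin address appear on both servers without a matching peer record and are not flagged; the notepad.exe socket is flagged on Server 1 and its far end is attributed to svchost.exe on Server 4, which is the distinction the thread argues over.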

JakeH

This was one of the PBQs on my exam - 10/12/23.

2Fish

I am still mulling over this one, but here are more discussions in case anyone wanted to read more. https://www.examtopics.com/discussions/comptia/view/20574-exam-cs0-001-topic-1-question-141-discussion/

A_Shadows_Soul

I dug into this further, mostly because it was nagging at me. Notepad is legit; it's being pulled over the network from one server to the other. I simulated it at my job to see, and it looked similar enough for me to discredit it.

alayeluwa

Server 1 and Notepad is the correct answer. Notepad should be running as a console if it was legitimate.

Nouuv

Notepad appearing as a service in Task Manager is not considered malware; it is a legitimate system process running in the background as a service for other applications or processes. This is usually found in situations where Notepad is being used as part of a larger system or software component and is not meant to be interacted with directly by the user.

Hershey2025

Server 1 notepad.exe, because notepad.exe is not a service; it would run as console.

lovegate229

Fellas. All you need to remember is that svchost.exe is an executable that Windows uses to aggregate a lot of services that need access to the same Dynamic Link Libraries (DLL) to run processes; hence svchost.exe could be masqueraded as a virus, but it is not in this instance. Now, understand that notepad, msword, pdf, jpeg, pnf or something of that nature is not an executable; hence if you see something like that running on your system as an executable, it is a clear indicator of compromise, and you should look into it further. Therefore Server 1 has been compromised.

charles_carmichael

Despite instantly rejecting the idea of notepad being responsible for network connections, I did some research about this matter since there is so much divergence between Server 1 - notepad.exe and Server 4 - svchost.exe. I could be wrong and would gladly accept any corrections, but I have to say that I'd opt for the one with the notepad occurrence because of the following explanation: Even though Notepad could use HTTPS (443) for its traffic, it wouldn't run as a service but as a console. You can test it yourself by opening some URL and URI. Anyway, it isn't common for this process to make network connections, and to run as a service it would have to be previously configured to do so. Cobalt Strike and the Metasploit Framework use notepad.exe as a default process to spawn and inject into, as can be corroborated by their documentation and code. Due to its high presence on Windows, notepad can often be used as the target for PE. FortiSIEM has an integrated rule (medium severity) that triggers when there's any connection specifically made by the notepad process.

JimmyJohnSubs

I am surprised no one has mentioned Metasploit and Meterpreter. You (as students) should use these tools and see what is possible. It is possible to get a foothold onto a system and then move the malicious process to another service. I have personally moved the malicious process to Notepad and executed actions on the local system and network.

bettyboo

I don't think it's notepad.exe https://www.file.net/process/notepad.exe.html

Starburst

This question and #321 are duplicates. This question has the proper exhibits where 321 does not. The conclusion from both discussions is that Server4 and Svchost.exe are correct.

sho123

The answer is Server 2 and csrss.exe. It is running as multiple applications on Server 2.

Nouuv

That's normal.

david124

Server 4 and svchost.exe