Exam CAS-004
Question 146

SIMULATION -

You are about to enter the virtual environment.

Once you have completed the item in the virtual environment, you will NOT be allowed to return to this item.

Click Next to continue.

Question and Instructions -

DO NOT perform the following actions within the virtual environment. Making any of these changes will cause the virtual environment to fail and prevent proper scoring.

1. Disabling ssh

2. Disabling systemd

3. Altering the network adapter 172.162.0.0

4. Changing the password in the lab admin account

TEST QUESTION -

This system was recently patched following the exploitation of a vulnerability by an attacker to enable data exfiltration.

Despite the vulnerability being patched, it is likely that a malicious TCP service is still running and the adversary has achieved persistence by creating a systemd service.

Examples of commands to use:

kill, killall

lsof

man, --help (use for assistance)

netstat (useful flags: a, n, g, u)

ps (useful flag: a)

systemctl (to control systemd)

Please note: the list of commands shown above is not exhaustive. All native commands are available.

INSTRUCTIONS -

Using the following credentials:

Username: labXXXadmin

Password: XXXyyYzz!

Investigate to identify indicators of compromise and then remediate them. You will need to make at least two changes:

1. End the compromised process that is using a malicious TCP service.

2. Remove the malicious persistence agent by disabling the service's ability to start on boot.

    Correct Answer:

    To identify and remediate the malicious TCP service on the lab system, log in with the provided credentials, open a terminal and prefix every command with sudo (the sudo password is the lab password). Without root, netstat prints "-" instead of the PID/Program name, and that column is what the whole investigation hangs on.

    1. List the listening TCP sockets with their owning PID and program name: sudo netstat -nltp (sudo ss -tlnp gives the same view on systems without net-tools). The indicator of compromise is a listener you cannot account for: an unexpected port, usually bound to 0.0.0.0, owned by a binary outside the normal system paths (/tmp, /dev/shm, a home directory).

    2. Confirm what is behind the port: sudo lsof -i :<port> shows the process, the user it runs as and the executable.

    3. Map the process to its systemd unit: sudo systemctl status <PID> prints the unit that owns that PID, and sudo systemctl list-unit-files --type=service --state=enabled lists everything set to start at boot. An attacker-written unit normally lives in /etc/systemd/system and can mimic a legitimate service name, so read its definition with sudo systemctl cat <service name> and check ExecStart= and Restart= rather than trusting the name.

    4. End the process by stopping its unit: sudo systemctl stop <service name>. Do not rely on sudo kill -9 <PID> alone: if the unit carries a Restart= setting, systemd respawns the process under a new PID as soon as it dies, whereas systemctl stop terminates the whole unit and does not restart it. kill (SIGTERM first, -9 only if the process ignores it) is the fallback for a process that no unit owns.

    5. Remove the persistence: sudo systemctl disable <service name>. This deletes the symlinks under /etc/systemd/system/*.wants/ that make the unit start on boot. It does not delete the unit file itself; if the lab permits, remove the file shown by systemctl cat and run sudo systemctl daemon-reload.

    6. Verify: re-run sudo netstat -nltp and confirm the listener is gone, then check sudo systemctl is-active <service name> (expect inactive) and sudo systemctl is-enabled <service name> (expect disabled). sudo systemctl status <service name> shows both in one place.

    Stop, then disable, then verify covers both required changes: the compromised process is no longer running, and the service can no longer start on boot.
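    The procedure above, as an added example that is not part of the exam or of this page: a small bash helper that reduces netstat output to the listeners that matter, maps a PID to the systemd unit that owns it through /proc/<pid>/cgroup, reads the unit's Restart= policy (the reason a bare kill -9 is undone), and performs the stop/disable/verify sequence. It assumes a Linux host with systemd and net-tools; the --list and --remediate modes need root, while --demo runs on constructed sample data embedded in the script (the netstat listing, the unit file and the name malicious.service are made up, not captured from the lab).

```bash
#!/usr/bin/env bash
# Added example for the lab scenario above, not material from the exam or the
# page. Helpers triage listening TCP sockets, map each PID to the systemd unit
# that owns it, read that unit's Restart= policy, and stop+disable a chosen
# unit. Assumes Linux with systemd and net-tools; --list and --remediate need
# root, --demo runs on the constructed sample data below.
set -u

# Constructed sample output (not captured from the lab): `netstat -nltp` with
# one unexplained listener, and a unit file of the kind that would own it.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd: /usr/sbin
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      590/cupsd
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      1337/nc
tcp6       0      0 :::22                   :::*                    LISTEN      612/sshd: /usr/sbin
udp        0      0 0.0.0.0:68              0.0.0.0:*                           480/dhclient'
SAMPLE_UNIT='[Unit]
Description=Resolver helper

[Service]
ExecStart=/tmp/.cache/srv -l -p 4444
Restart=always

[Install]
WantedBy=multi-user.target'

# Reduce `netstat -nltp` output (stdin) to "proto local_addr pid/program" rows.
# Unprivileged netstat prints "-" in the PID column, so run it under sudo.
parse_listeners() {
    awk '$1 ~ /^tcp6?$/ && $6 == "LISTEN" { print $1, $4, $7 }'
}

# "1337/nc" -> "1337"
pid_of() {
    printf '%s\n' "${1%%/*}"
}

# Map a PID to the systemd unit that owns it by reading its cgroup path,
# e.g. "0::/system.slice/sshd.service" -> "sshd.service". The optional second
# argument exists only so the function can be exercised on a constructed file.
unit_for_pid() {
    local cgroup_file="${2:-/proc/$1/cgroup}"
    awk -F/ '$NF ~ /\.service$/ { print $NF; exit }' "$cgroup_file" 2>/dev/null
}

# Pull Restart= out of a unit file (stdin, e.g. from `systemctl cat <unit>`).
# Empty output is systemd's default "no": a killed process stays dead. Any
# other value means the unit respawns the process after kill -9, which is why
# remediate_unit uses systemctl stop rather than kill.
restart_policy() {
    awk -F= '/^[ \t]*Restart[ \t]*=/ { gsub(/[ \t\r]/, "", $2); p = $2 } END { print p }'
}

# Offline walk-through on the sample data.
demo() {
    printf '%s\n' "$SAMPLE_NETSTAT" | parse_listeners
    printf 'unit Restart=%s\n' "$(printf '%s\n' "$SAMPLE_UNIT" | restart_policy)"
}

# Live triage: every listener, its owning unit and that unit's Restart= policy,
# then every unit enabled at boot (the persistence agent is one of them).
list_listeners() {
    netstat -nltp 2>/dev/null | parse_listeners | while read -r proto addr prog; do
        unit="$(unit_for_pid "$(pid_of "$prog")")"
        policy="$(systemctl cat "$unit" 2>/dev/null | restart_policy)"
        printf '%-5s %-22s %-22s %-28s Restart=%s\n' \
            "$proto" "$addr" "$prog" "${unit:-<no unit>}" "${policy:-no}"
    done
    systemctl list-unit-files --type=service --state=enabled --no-legend
}

# Live remediation: stop (terminates the unit's whole cgroup and is not undone
# by Restart=), then disable (removes the *.wants/ symlinks, so no start on
# boot). disable leaves the unit file itself in place; systemctl cat shows its
# path if you also want to delete it and run systemctl daemon-reload.
remediate_unit() {
    local unit="$1"
    systemctl cat "$unit"
    systemctl stop "$unit"
    systemctl disable "$unit"
    # Remediated only when both checks fail: not active and not enabled.
    ! systemctl is-active --quiet "$unit" && ! systemctl is-enabled --quiet "$unit"
}

case "${1:-}" in
    --demo)      demo ;;
    --list)      list_listeners ;;
    --remediate) remediate_unit "${2:?unit name required}" ;;
esac
```

    Usage: ./triage.sh --demo to see the parsers on the sample data; sudo ./triage.sh --list on the lab box to get each listener next to its unit and Restart= policy; sudo ./triage.sh --remediate <service name> once you have picked the unit, then sudo netstat -nltp as the final check. The Restart= column is the practical reason to stop the unit rather than kill the PID.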

Discussion
dangerelchulo

Passed the TEST. Use sudo before any command; the password is the same password provided. Everything in <> is not part of the command, it is a variable. Sudo will show you every detail you need. First command: $ sudo netstat -nltp, this will show you IP, port, PID, name of task. For added value you can also run $ sudo lsof -i :<port>. Now you need to find the service, so you use $ sudo systemctl --type=service | grep <name of task>; this will give you <something>.service (mine was <something>-resolve.service, forgot the full name). Suggest you do a $ sudo systemctl status <full name service> to compare. After all that, let's kill it all. First kill the PID: $ sudo kill -9 <pid>. Then let's complete the second part: $ sudo systemctl stop <full name service>, followed by $ sudo systemctl disable <full name service>. Now for the cream on the top, you verify that it is gone: $ sudo netstat -nltp and $ sudo systemctl status <full name service>. That is it, good luck everyone.

youngprinceton

did you pass with the answers from here?

dangerelchulo

The question and answers are correct, the choices are not. I had to build my own dataset with correct answers. I paid for the CompTIA package, so I just checked some of the questions against their own book and the answer was obvious.

youngprinceton

How can I reach out to you, and can you please be more detailed about the commands needed for the sim? I was honestly a bit confused by what you wrote because I need to know exactly what's needed.

youngprinceton

Also, when you say "name of task", what will the name of task be?

23169fd

$ sudo netstat -nltp
$ sudo lsof -i :<port>
$ sudo kill <PID>
$ sudo systemctl list-units --type=service
$ sudo systemctl disable malicious_service
$ sudo systemctl stop malicious_service
$ sudo rm /etc/systemd/system/malicious_service.service

Broesweelies

1) Use the sudo netstat -nltp command to list all listening TCP and UDP ports, along with their associated process IDs and names.
2) Use the sudo lsof -i :<port> command to get more information about the process running on a specific port.
3) Use the sudo systemctl --type=service | grep <name of task> command to find the name of the service associated with the compromised process.
4) Use the sudo systemctl status <full name service> command to verify the status of the service and confirm that it is the correct one.
5) Use the sudo kill -9 <pid> command to kill the compromised process identified earlier.
6) Use the sudo systemctl stop <full name service> command to stop the service.
7) Use the sudo systemctl disable <full name service> command to prevent the service from starting automatically on boot.
8) Use the sudo netstat -nltp command and the sudo systemctl status <full name service> command to confirm that the compromised process and service are no longer running.

joinedatthehop

I passed the exam. On this question I kept it simple by using the following 4 commands. I tested these commands on my home lab prior to taking the test:
1) sudo systemctl list-unit-files | grep -i service (this command displays the services; malicious.service is the service you will be working with)
2) sudo systemctl status malicious.service (this command provides the PID for the process you need to terminate in the next step)
3) sudo kill -9 <PID> (once you have the PID of the process you want to terminate, you can use the kill command to signal the process)
4) sudo systemctl disable malicious.service (this command will disable the service)

D1960

A possible problem with "sudo systemctl list-unit-files | grep -i service" is: you may get an awful lot of services listed, and the service name may not be malicious.service. From what I have been reading here the service name may be: servicename, service.service, or malicious.service; or - who knows? - it may be something else. It may be that the test uses a lot of different names.

Uncle_Lucifer

Here is the real deal after taking the exam. Don't waste your time with "sudo kill -9 <PID NUM>". You will kill the process, but the systemd exploit will spawn another one with a different PID. If you think I am lying, after the kill command type "sudo netstat -nltp" and press enter; you will see the respawned system process with a new PID. Pretty much all you need to kill the process is "sudo systemctl stop <servicename.service>". To disable and remove the exploit, just use the disable command: "sudo systemctl disable <servicename.service>". This will disable and auto delete/remove the folders. You don't have to manually delete the folders as specified by others here using the rm command. It is done automatically and you will see the auto-generated rm command in the window after the disable command.

Uncle_Lucifer

To verify the removal, simply reboot with "sudo reboot -n". Log in again and use "sudo netstat -nltp" to verify the process didn't spawn; use "sudo systemctl --type=service --state=active" to verify the service is disabled. You want to verify the exploit exists in both processes and services. If you want to know what the exploit is, use "sudo netstat -nltp | grep systemd". Whatever process name you see there, map it to the closest name in the services; the service name is the process name + more characters. Don't forget sudo for all commands. Don't forget to reference service names as "*.service", where * is the service name.

Uncle_Lucifer

servicename is the name of the exploit service.

BLADESWIFTKNIFE

Instead of giving everyone headaches by writing a huge paragraph, can someone just give us straight-up commands? Enough flooding this page; go like this example: 1. sudo netstat -ntlp 2. sudo lsof -i 3. etc.

MikeyMaster

$ sudo netstat -nltp
$ sudo lsof -i :<port>
$ sudo systemctl --type=service | grep systemd-resolve.service
$ sudo systemctl status systemd-resolve.service
$ sudo kill -9 <pid>
$ sudo systemctl disable systemd-resolve.service
$ sudo systemctl stop systemd-resolve.service
$ sudo netstat -nltp
Let me know if this is good.

MostofMichelle

You rock Mikey!

ToneBar

Just passed this exam. Had this question; take your time and follow the examples in these posts. I used @dangerelchulo's notes to help me out. Also, I used "pass for sure" prior to this and I bombed the test. Used this website, spot on.

pawnpusher

Took the test today. Some of the info in the provided answers to this question is wrong.
1) sudo netstat -nltp
2) sudo lsof +M (you will see the service here, it's pretty obvious)
3) sudo systemctl status <service name> (get the PID here)
4) sudo kill -9 <PID>
5) sudo systemctl stop <service name>
6) sudo systemctl disable <service name>
7) Run nmap for the hell of it to see if the malicious service is still listening, or do this at the beginning: sudo nmap -T Aggressive -A -v 127.0.0.1 -p 1-65000

Uncle_Lucifer

Just as you called out the wrong steps in others, I will call yours out as well: the #4 kill command will not be sufficient to kill the process; the exploit will respawn with a different PID. You are lucky that #5 solved the task of killing the process. Yes, the stop command is what killed the process. I verified it today.

[Removed]

look for "malicious.service"

D1960

Why use netstat? Why not just find the service name that does not look right? Reading these replies, it seems the service name may be: service, malicious.service, service.service, or servicename. So just use:
$ sudo systemctl list-unit-files | grep -i service
then
$ sudo systemctl stop <service>
$ sudo systemctl disable <service>

jekster

Passed it on the first try. Follow dangerelchulo's instructions for this. Just memorize them and then dump them onto the whiteboard they give you. The new questions that they added from page 40 on were on my test, almost all of them. There were eight-ish questions I've never seen anywhere.

FOURDUE

thank you, jekster.. i test tomorrow and have been practicing like hell to get these commands down.

e4af987

I just took the test. Waiting for results, but this simulation screwed me up. I probably should have spent more time on this question. When I practiced this on my own laptop it wasn't an issue; when it came to the simulation I totally forgot everything and had to pass up this simulation. If you hit the Next button you won't get another chance to do this simulation, so you BETTER practice and remember this one!

SirL

Hi, was it malicious.service?

IT_Master_Tech

Where is the answer?

Waltsthe

Which OS should I be practicing this on? I don't recognize the Linux version.

Delab202

Don't waste your time on long and unneeded commands.
Step 1: Sign in using the username and password.
Step 2: Click on the terminal icon.
Step 3: Type this command: sudo systemctl status malicious.service. The system will show you a bunch of info; the key one that you are looking for is the enabled status. Close the terminal app.
Step 4: Click on terminal again and type sudo systemctl disable malicious.service.
Step 5: Type sudo systemctl status malicious.service. The system will show you a bunch of info; the key one that you are looking for is the disabled status. Close the terminal app.
You are done. Don't memorize unnecessary commands.

Trap_D0_r

It's not enough to simply disable the service; you also need to stop it while it is currently running. You may want to throw in <sudo systemctl stop malicious.service> as step 4.5.

D1960

How do you know what the "malicious.service" is to begin with?

Anarckii

sudo netstat -tulpn
sudo lsof -i:<port number>
sudo systemctl list-unit-files --type=service
sudo kill -9 <PID>
sudo systemctl stop service.service
sudo systemctl disable service.service
sudo netstat -tulpn
sudo systemctl status service.service

bobby44

Every time I try the command $ sudo systemctl stop after kill -9, it says the service isn't loaded. This is in my home lab. What's going on here?

bobby44

netstat -ntlp or even sudo netstat -ntlp doesn't seem to show me any PID... Will Ubuntu show that, or does it have to be some other flavor of Linux? New to Linux... thanks.