Exam 350-201 topic 1 question 35 discussion

ChatGPT: The suspicious WebSocket connection initiated by the Google Chrome extension combined with obfuscated payloads is indicative of malware trying to hide its communication with a command and control server. This suggests malicious activity rather than legitimate behavior.

The STIX (Structured Threat Information eXpression) in the context of the exhibit indicates a scenario where a Google Chrome extension is initiating direct IP connections using the WebSocket protocol, and the payloads are obfuscated and unreadable. This behavior is suspicious and suggests that the extension could be a front for malware that is using encrypted channels to communicate with a command and control server. The use of WebSockets and the obfuscation of payloads are common tactics used by malware authors to evade detection and maintain persistent control over compromised systems. The fact that the payloads cannot be decoded or read as UTF-8 text further supports the likelihood of malicious activity, as legitimate extensions would not typically need to obfuscate their communications.

Without more information, it is difficult to determine the exact meaning of the STIX. However, the fact that direct IP connections are being initiated by a Google Chrome extension using the WebSocket protocol and that the message payloads are obfuscated and unreadable could indicate a possible data exfiltration or command and control communication. The obfuscation of payloads is a common technique used by malware to avoid detection and evade analysis. Therefore, option D, "There is malware that is communicating via encrypted channels to the command and control server," is a plausible interpretation of the situation. However, further analysis would be required to confirm this. - ChatGPT

C is correct https://www.extrahop.com/company/blog/2019/investigating-fake-chrome-extension-postman-part-1/

For WebSocket communications, UTF-8 must be used over the wire for textual data (most Internet protocols use UTF-8 nowadays). That is dictated by the WebSocket protocol specification: After a successful handshake, clients and servers transfer data back and forth in conceptual units referred to in this specification as "messages".

1Normally the connection is only over 80 or 443. 2The encoded not looks like UTF-8 3This looking like malicious request, the port is different Answer would be C

https://www.extrahop.com/company/blog/2019/investigating-fake-chrome-extension-postman-part-1/ I will the correct answer is C

Go to your extension settings, these can have regular updates. Websocket protocol can use TLS so encrypted traffic is most not an IoC. The traffic from websocket is masked to avoid problems with devices that do not understand the protocol. Answer is: B

I agree, D is correct.

I think D is the correct answer.