
Exam CS0-003 topic 1 question 56 discussion

Actual exam question from CompTIA's CS0-003
Question #: 56
Topic #: 1

A systems administrator is reviewing after-hours traffic flows from data-center servers and sees regular outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well. Which of the following is the most likely explanation?

  • A. C2 beaconing activity
  • B. Data exfiltration
  • C. Anomalous activity on unexpected ports
  • D. Network host IP address scanning
  • E. A rogue network device
Suggested Answer: A
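The reason A fits better than B is measurable in flow data: a beacon shows up as many small outbound connections at a near-constant interval, continuing through off-hours, while exfiltration shows up as large outbound byte volume regardless of timing. The script below is an added example, not part of the exam question or of any commenter's post, that runs that triage over constructed flow records (timestamps, source, destination, port, bytes out) and labels each server-to-destination pair as "beacon", "bulk-outbound" or "irregular". The IP addresses, the 24-hour window and all thresholds (jitter, byte sizes, minimum connection count, work hours 08:00 to 18:00) are assumptions for illustration and would need tuning against a real environment.

```python
"""Beacon-vs-exfiltration triage over outbound flow records.

Added example, not from the original page. All flow records are constructed
and all thresholds are assumed; tune them against your own baseline.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 3, 4, 0, 0, 0)  # constructed start of a 24h window


def constructed_flows():
    """Build a day of outbound flows: (timestamp, src, dst, dst_port, bytes_out)."""
    flows = []
    # 1) Periodic beacon: every 300 s with -3..+3 s deterministic jitter,
    #    ~1 KB per connection, around the clock (the pattern in the question).
    t, i = BASE, 0
    while t < BASE + timedelta(days=1):
        flows.append((t, "10.20.0.15", "203.0.113.10", 443, 1100 + (i % 5) * 40))
        t += timedelta(seconds=300 + (i % 7) - 3)
        i += 1
    # 2) Bursty work-hours traffic with varied sizes (e.g. a package mirror or SaaS API).
    for offset in (8.05, 8.1, 8.11, 9.5, 11.2, 11.21, 11.25, 13.0, 15.7, 15.8, 17.4):
        ts = BASE + timedelta(hours=offset)
        flows.append((ts, "10.20.0.22", "198.51.100.7", 443, int(5_000 + 90_000 * (offset % 1))))
    # 3) A few late-night flows moving ~2 GB out: the volume signature of exfiltration.
    for k in range(4):
        ts = BASE + timedelta(hours=2, minutes=k * 7)
        flows.append((ts, "10.20.0.30", "203.0.113.50", 443, 500_000_000))
    return flows


def group_flows(flows):
    """Group flows by (src, dst, dst_port) and sort each group by time."""
    groups = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        groups[(src, dst, port)].append((ts, nbytes))
    for key in groups:
        groups[key].sort()
    return groups


def periodicity(timestamps):
    """Return (median_gap_seconds, jitter) where jitter = stdev(gaps) / median(gaps).

    Low jitter means the connections arrive on a near-fixed schedule. Needs at
    least three timestamps; otherwise returns (None, None).
    """
    if len(timestamps) < 3:
        return None, None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    med = statistics.median(gaps)
    if med <= 0:
        return med, float("inf")
    return med, statistics.pstdev(gaps) / med


def off_hours_fraction(timestamps, work_start=8, work_end=18):
    """Fraction of connections outside the assumed work-hours window."""
    off = sum(1 for t in timestamps if not (work_start <= t.hour < work_end))
    return off / len(timestamps)


def classify(group, max_jitter=0.2, max_beacon_bytes=10_000,
             min_beacon_count=20, bulk_bytes=100_000_000):
    """Heuristic label for one (src, dst, port) group. Thresholds are assumptions."""
    stamps = [ts for ts, _ in group]
    sizes = [n for _, n in group]
    if sum(sizes) >= bulk_bytes:
        return "bulk-outbound"            # exfiltration candidate: volume, not cadence
    _, jitter = periodicity(stamps)
    if (len(stamps) >= min_beacon_count
            and jitter is not None and jitter <= max_jitter
            and statistics.median(sizes) <= max_beacon_bytes
            and 0 < off_hours_fraction(stamps) < 1):
        return "beacon"                   # regular, small, around the clock
    return "irregular"


def triage(flows):
    """Map every (src, dst, port) pair to its label."""
    return {key: classify(grp) for key, grp in group_flows(flows).items()}


if __name__ == "__main__":
    for key, label in sorted(triage(constructed_flows()).items()):
        print(f"{key[0]} -> {key[1]}:{key[2]}  {label}")
```

The order of the checks matters: volume is tested first, so a high-volume stream that also happens to be periodic is raised as bulk-outbound rather than hidden behind the beacon label. The jitter test uses the ratio of standard deviation to median gap so the same threshold works for a 60-second and a one-hour beacon; real implants add random sleep jitter, so widen `max_jitter` before relying on this in production.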

Comments

captaintoadyo
Highly Voted 1 year ago
Selected Answer: A
Be careful: it's easy to pick answer B (data exfiltration), but this is incorrect. The scenario doesn't explicitly mention the nature of the outgoing traffic or whether sensitive data is involved. It simply states that there are regular outgoing HTTPS connections to a public IP address, both during and after work hours.
upvoted 13 times
ares1027
Highly Voted 1 year, 6 months ago
The two possibilities are A or B. The scenario indicates 'persistence': 24-hour traffic with a public IP address. Also, the traffic flow is outbound from the network. Persistence implies a C2 has been established. The outbound traffic suggests data being exfiltrated. Although both the presence of a C2 and outbound traffic exist, I would choose C2. The C2 had to exist before data could be exfiltrated.
upvoted 5 times
Lilik
Most Recent 8 months, 3 weeks ago
A is correct. Beaconing is a means for a network node to advertise its presence and establish a link with other nodes.
upvoted 1 times
[Removed]
1 year, 5 months ago
Selected Answer: A
I agree with ares1027. Yes, it's coming from a data center, but C&C has to exist prior to data exfil. Also, HTTPS would not be the protocol for data exfil.
upvoted 3 times
danscbe
1 year, 7 months ago
Selected Answer: A
There are only two possibilities: A or B. The answer is not B, as we are not given any indication of data being moved out of the organization's environment. If one wanted to exfiltrate data, it isn't plausible to do it via HTTP or HTTPS. When we consider the frequent ping-like behavior happening around the clock, it is beaconing.
upvoted 4 times
[Removed]
1 year, 7 months ago
Selected Answer: B
Regular outgoing HTTPS connections, especially to a public IP address, from a server that should not be communicating outbound is indicative of data exfiltration activity. The fact that this occurs consistently during and after work hours strengthens this conclusion. A) C2 beaconing would likely be more intermittent than a continuous pattern. C) The traffic is over expected HTTPS ports rather than unexpected ports. D) Host scanning would be unlikely to result in persistent flows to one IP. E) A rogue device is less likely than malicious data theft activity. Based on the CompTIA CySA+ CS0-003 exam objectives, specifically domain 1.2 Analyze indicators of potentially malicious activity, the best answer is B - Data exfiltration.
upvoted 1 times
kmordalv
1 year, 6 months ago
Beaconing activity (sometimes a heartbeat) is activity sent to a C&C system as part of a botnet or malware remote control system and is typically sent as either HTTP or HTTPS traffic. Beaconing can request commands, provide status, download additional malware, or perform other actions. Since beaconing is often encrypted and blends in with other web traffic, it can be difficult to identify, but detecting beaconing behavior is a critical part of detecting malware infections. (CompTIA CySA+ Study Guide Exam CS0-003 (Sybex) Chapter 3)
upvoted 2 times
kmordalv
1 year, 8 months ago
Selected Answer: A
The most likely explanation for this traffic pattern is C2 beaconing activity. C2 beaconing activity is a type of network traffic that indicates a compromised system is sending periodic messages or signals to an attacker’s system using various protocols, such as HTTP(S), DNS, ICMP, or UDP.
upvoted 2 times
nmap_king_22
1 year, 8 months ago
Selected Answer: A
The most likely explanation for the regular outgoing HTTPS connections from a data-center server to a public IP address, both after hours and during work hours, is A, C2 beaconing activity. Explanation: "C2" stands for "Command and Control." C2 beaconing is a behavior associated with malware or compromised systems, where the infected system regularly communicates with a remote command and control server. This communication is often used by attackers to maintain control over the compromised system, receive instructions, or exfiltrate data.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other