ExamTopics Logo
Mail Us[email protected]
Menu
Comptia Discussions
exam questions

Exam CS0-003 All Questions

View all questions & answers for the CS0-003 exam
Go to Exam

Exam CS0-003 topic 1 question 257 discussion

Actual exam question from CompTIA's CS0-003
Question #: 257
Topic #: 1
[All CS0-003 Questions]

A threat hunter seeks to identify new persistence mechanisms installed in an organization’s environment. In collecting scheduled tasks from all enterprise workstations, the following host details are aggregated:



Which of the following actions should the hunter perform first based on the details above?

  • A. Acquire a copy of taskhw.exe from the impacted host.
  • B. Scan the enterprise to identify other systems with taskhdw.exe present.
  • C. Perform a public search for malware reports on the taskhw.exe.
  • D. Change the account that runs the taskhw.exe scheduled task.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by Chiniwini at July 28, 2024, 5:24 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Chiniwini
Highly Voted 11 months ago
Selected Answer: A
The fact that "UpdateService" is the only task running under a user account (PROD\sam) and located in a suspicious directory (C:\Users\sam\AppData\Roaming\Temp\taskhw.exe), the first action the hunter should perform is to acquire a copy of taskhw.exe from the impacted host. The first step should be to acquire a copy of taskhw.exe from the impacted host for analysis. This will allow the threat hunter to determine if the file is malicious and understand its behavior, which is crucial for planning further actions.
upvoted 13 times
...
Gabuu
Highly Voted 10 months, 2 weeks ago
Selected Answer: C
The first step should be to perform a public search for malware reports on taskhw.exe, as this file is suspicious for several reasons: it is located in a non-standard path, it has a high CPU usage, it is signed by an unknown entity, and it is only present on one host. A public search can help to determine if this file is a known malware or a legitimate program. If it is malware, the hunter can then take appropriate actions to remove it and prevent further damage. The other options are either premature or ineffective, as they do not provide enough information to assess the threat level of taskhw.exe. References: Cybersecurity Analyst+ - CompTIA, taskhw.exe Windows process - What is it? - file.net, Taskhostw.exe - What Is Taskhostw.exe & Is It Malware? - MalwareTips Forums
upvoted 7 times
ChopSNap
7 months, 1 week ago
I don't believe this is a good first option. Malware authors can spoof the name of legitimate Windows processes to obfuscate what they are trying to do.
upvoted 1 times
ybyttv
2 weeks, 6 days ago
it costs 5 minutes to search the internet for this file name for information. If it's a positive, that's almost 100% true positive and remember it only cost 5 minutes; Then you can take other action like to get the executable and hash it and send to totalvirus for analyze. A needs get the copy, which is probably 30 minutes, then do analyze...... which take another 10 - 120 minutes
upvoted 1 times
...
...
voiddraco
10 months, 1 week ago
i agree.
upvoted 3 times
...
...
TurboMor
Most Recent 10 months ago
Selected Answer: A
The name, path and user of the task are more than enough to determine that this is most likely a malware file. Doing a public search of the name of the file before acquiring a copy of the file will only make you lose time, the name of the file in this case is too generic to obtain relevant results.
upvoted 7 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel