Exam CS0-002 topic 1 question 97 discussion

Well, the question states "which of the following should the analyst do NEXT to further the investigation?" Answers A and and C are actions to kill 1325 or remove the malware, but the question says what to do next to further the "investigation". I'm going with answer B

A. We dont know what that is yet. B. Examine the server logs for further indicators of compromise of a web application. C. We dont know the amount of resources being used. D. None of the netstat pids match.

Here's the breakdown of why this is the most appropriate next step: 1. The uptime command shows a very high load average, indicating that the server is under significant stress. A high load average can be a sign of a rogue process consuming system resources. 2. The crontab -1 command reveals a suspicious cron job running every minute, executing the /tmp/.t/t file. This is unusual and could indicate malicious activity. 3. The ps command shows a process with the ID 1325 running /tmp/.t/t. This process appears suspicious and may be the source of the high load average.

I will go for D, below is my reasoning A. Run crontab -r; rm -rf /tmp/.t to remove and disable the malware on the system. --> This is more like mitigating the problem not INVESTIGATING it. B. Examine the server logs for further indicators of compromise of a web application. --> Could be possible answer C. Run kill -9 1325 to bring the load average down so the server is usable again. --> Again this will mitigate the problem. However, the malware will run again since thr cron job scheduled to run each minute. D. Perform a binary analysis on the /tmp/.t/t file, as it is likely to be a rogue SSHD server. --> I will go to this option, since you have malicious file next step is to decide if it's malicious or not and figure out what it does in the system

CHAT GPT Based on the output from the commands, the analyst has identified a suspicious file, /tmp/.t/t, which is running as a process with the PID 1325. The file command shows that it is a binary file. Therefore, the NEXT step the analyst should take to further the investigation is to perform a binary analysis on the file. This may involve examining the file's behavior, determining its origin, and identifying any associated threats or malware. It is important to do this analysis carefully, as malware can be designed to evade detection and removal attempts. Once the analyst has identified the nature of the threat, they can take appropriate action to contain and remediate the issue.

B. is correct as we are advancing the investigation

B seems the most likely

looks good to me

Public facing and SSH to private, check the logs

B is correct.

It clearly states public facing, and SSH to a private 172.168.*.* address is internal LAN traffic. I'm going to check logs for further IOC.

B is correct

B is correct

send me a mail ryan23680 at yahoo for new Cysa+ cs0-002 questions and we can find the correct answers together.

I would do A first. The cronjob is running every minute, and every minute that goes by, is another minute of suspected malicious activity. I would stop the malicious activity first before attempting to examine server logs. Note also the .t folder is a hidden folder, which would add to the suspicion of why a cronjob would be running something that is in a hidden folder. And note the established ssh session, which likely means a backdoor exists to the system, and the cronjob likely ensures the persistent connection for the malicious entity.