Exam CS0-002 topic 1 question 14 discussion

The correct answer to the question is Server 4 & the process infected is Svchost.exe. Explanation:- The IPs are within the RFC1918 class B range of 172.16.0.0 – 172.31.255.255 Both Servers 1 & 4 (internal) have the same communication with the same IPs for the same RDP(Remote Desktop Protocol [responsible for remote connecting to servers or computers with the same Windows OS]) which shows the system administrator remotely manages them A connection between Server 1 & 4 is established with notepad.exe on server1 is connecting to port 443 on server 4 As per the question from a logical perspective, the server can be the web server where svchost.exe is listening to a different port rather than 443 & server 1(on DMZ) is trying to access the internal network on Server4 [which is malicious]

Got this one today!! Used Server 1 and notepad.exe. I didnt fail any pbqs...thanks for the deliberations fellas

Server 4 -> C2 (via svchost.exe) Server 4 -> Server 1 (connection established from svchost.exe to notepad.exe via process injection) Server 1 -> C2 (via notepad.exe, still through the injected process) The attacker malware is pivoting from Server 4 to Server 1 through process injection. Svchost.exe from server 4 is malware as it's the source of infection.

Despite instantly rejecting the idea of notepad being responsible for network connections, I did some research about this matter since there is so much divergence between Server 1 - notepad.exe and Server 4 - svchost.exe. I could be wrong and would gladly accept any corrections, but I have to say that I'd opt for the one with the notepad occurrence because of the following explanation: Even though Notepad could use HTTPS (443) for its traffic, it wouldn't run as a service but as a console. You can test it yourself by opening some URL and URI. Anyway, it isn't common for this process to make network connections, and to run as a service it would have to be previously configured to do so. Cobalt Strike and the Metasploit Framework use notepad.exe as a default process to spawn and inject into, as can be corroborated by their documentation and code. Due to its high presence on Windows, notepad can often be used as the target for PE Forti.SIEM has an integrated rule (medium severity) that triggers when there's any connection specifically made by the notepad process.

I am surprised no one has mentioned Metasploit and Meterpreter. You (as students) should use these tools and see what is possible. It is possible to get a foothold onto a system and then move the malicious process to another service. I have personally moved the malicious process to Notepad and executed actions on the local system and network.

I don't think it's notepad.exe https://www.file.net/process/notepad.exe.html

This was one of the PBQ's on my exam - 10/12/23.

Server4 192.168.50.6 Server1 10.1.1.1 10.1.1.2:57433 >> 192.168.50.6:433 PID 1276 (notpad.exe) 192.168.50.6:433 << 10.1.1.2:57433 PID 348 (svchost.exe) Answer is Server4 (svchost.exe)

This question and #321 are duplicates. This question has the proper exhibits where 321 does not. The conclusion from both discussions is that Server4 and Svchost.exe are correct.

Passed it the other day, this one was in it. I selected Server 4, svchost.exe. Read the question carefully, it asks specifically which server & process HOSTS the malware. Realistically you'd select both, but you can only choose one. Then why serv 4 svchost and not serv 1 notepad its counter part? Simple. It asks who hosts the malware, it has to be server 4 because even if notepad was malware of some kind on server 1 it shouldn't ever be able to talk to a server in the internal network without some compromise on that end. It has to cross the DMZ barrier. Being port 443 this looks like a reverse shell, where they've chosen port 443 to obfuscate it

Server 1 and Notepad is the correct answer. Notepad should be running as a console if it was legitimate.

Server1 nodepad.exe because notepad.exe is not a service, it would run as console.

People, the question is why would notepad process be communicating out to another host…OVER BL**DY 443….BRAAAAAAA THATS SUSPICIOUS ENOUGH FOR ME MATE

Fellas. All you need to remember is that svhost.exe is an executable that Windows use to aggregate a lot services that need access to the same Dynamic Link Libraries (DLL) to run processes, hence svchost.exe could be masqueraded as a virus, it is not in this instance. Now, understand that notepad,msword, pdf,jpeg, pnf or something of that nature is not an executable hence if you see something like that running on your system as an executable, it is a clear indicator of compromise, and you should further look into it. Therefore Server1 has been compromised.

I am still mulling over this one, but here is more discussions in case anyone wanted to read more. https://www.examtopics.com/discussions/comptia/view/20574-exam-cs0-001-topic-1-question-141-discussion/

the answer is server 2 and csrss.exe . it is running as multiple application on server 2

server 4 and svchost,exe