
Exam CS0-002 topic 1 question 28 discussion

Actual exam question from CompTIA's CS0-002
Question #: 28
Topic #: 1

SIMULATION -
Approximately 100 employees at your company have received a phishing email. As a security analyst, you have been tasked with handling this situation.

INSTRUCTIONS -
Review the information provided and determine the following:
1. How many employees clicked on the link in the phishing email?
2. On how many workstations was the malware installed?
3. What is the executable file name of the malware?
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Suggested Answer: See explanation below.

Comments

V4Vendetta
Highly Voted 2 years, 4 months ago
The answer is as shown. This question was on my exam. When you hover over the email link it shows the domain name; you then check which users accessed that domain (there are 7), then you cross-reference those with the malicent.exe on the SIEM (you can't see it because it's a screenshot and you need to scroll). Also you can sort the processes alphabetically and you will see 4 users were infected!
upvoted 37 times
jleonard_ddc
Highly Voted 2 years, 4 months ago
First, I somewhat worked out that mailclient.exe was suspicious; it even has '1234' for the target port. And, as mentioned, the phishing e-mail even says "download the latest client here". Apparently others are stating this is even more obvious in the real exam. In any event, with that information alone, that EXE only shows up on the .188 machine. The only request from that machine in the logs is a GET for chzweb.tilapia.com. This tells me that is the target URL. From there, you can tell for sure that 7 workstations made requests to that URL (fell victim to the scam): 192.168.0.134, 192.168.0.254, 192.168.0.9, 192.168.0.70, 192.168.0.188, 192.168.0.24, 192.168.0.132. As for the users infected, that might be easier to verify if the 2 SIEM screenshots weren't identical. Be suspicious of people saying they passed and what their answer was, but not why it was right or whether they had a perfect score (do they know they got that question right?). I'm a CySA by trade, so kinda trusting my gut here.
upvoted 16 times
AaronS1990
2 years, 3 months ago
Good point, well made. So many say they got the question right on the day, but CompTIA exams only give you a steer on which questions you got wrong at the end. They don't actually let you see for sure which ones you got right.
upvoted 2 times
Achilles69
1 year, 8 months ago
You’re wrong. I thought the same thing at first but you made the mistake of believing a Process ID was a Port Number.
upvoted 2 times
T1bii
Most Recent 1 year, 2 months ago
The answer is correct: 7 clicked, 4 infected with mailclient.exe. Why? Because when taking the exam, you just have to count how many times you find mailclient.exe: 4 times.
upvoted 1 times
JakeH
1 year, 7 months ago
Confirmed this was one of the PBQs on my exam (10/12/23). Answered as it is shown.
upvoted 2 times
hypertweeky
1 year, 8 months ago
Unrelated to this question, but I accidentally took the CYSA 003 series instead of the 002 and I failed. Not by much (I got a 740). There was a LOT more log interpreting and NIST standard questions. The CYSA 003 also available on this site has about 40% (so far) of those questions.
upvoted 8 times
sorinttt
2 years ago
Hello, I passed yesterday with 793. The answer is 7 clicked, 4 infected and mailclient.exe. Why? Three reasons. 1. User Jlee, who clicked the phishing link at 4:08, has lsass.exe started at 3:56, and mailclient.exe started at 4:08, a few seconds after he clicked; if you have experience with SIEM you will see this. 2. When mailclient.exe starts the message is "a new process is created"; when lsass.exe starts the message is "an account was logged on". 3. Bonus: not all who clicked have lsass.exe. Good luck.
upvoted 6 times
ChrisRM
2 years, 2 months ago
MailClient.exe, 7 clicked, 4 infected.
Clicked: .134, .254, .9, .70, .188, .24, .132
4 logons: cpuziss / jlee / asmith / kmathews (IPs matched those who clicked on the mailclient.exe link)
upvoted 8 times
PhillyCheese
2 years, 3 months ago
I am leaning toward 7 clicks, 5 infected, and lsass.exe. Below is my thought process. The common URL in the logs is a GET for chzweb.tilapia.com. This tells me that is the target URL. From there, you can tell that 7 workstations made requests to that URL (clicked the link in the phishing email): 192.168.0.134, 192.168.0.254, 192.168.0.9, 192.168.0.70, 192.168.0.188, 192.168.0.24, 192.168.0.132. 5 logons: cpuziss / dfritz / jlee / asmith / kwilliams. To me, a successful logon = an infected workstation. As you can see, account name "cpuziss" successfully logs on twice with lsass.exe with the same IP of .70, and I don't think this is correct, because can you really infect a workstation twice? Same user, same IP address. Any thoughts?
upvoted 1 times
SylFlo
2 years, 3 months ago
On my test today, I went with 7, malicient.exe and 4.
upvoted 2 times
1oldman
2 years, 1 month ago
Did you pass?
upvoted 2 times
CyberNoob404
2 years, 4 months ago
Workstations: 6. Executable: isass.exe. Clicked: 7.
upvoted 1 times
tendaisanyamahwe
2 years, 6 months ago
How do you get 6 infected, 7 clicked, Isass.exe as an answer?
upvoted 1 times
SolventCourseisSCAM
2 years, 6 months ago
Someone please explain how it is 6 infected and 7 clicked?
upvoted 3 times
kdubb2307
2 years, 7 months ago
Okay, now I could be wrong, but hear me out. I believe 7 users clicked the link, and lsass.exe is the malware executable because it is a system file, not a user file, and should be labeled as such, not by username. But that doesn't mean all the users that clicked the link are infected; rather, they all have downloaded the malware executable in question. Although the user Jlee in the log looks like he might indeed be infected, for this reason: he not only has the malware executable, but it looks like it installed as well, since he also has cmd.exe and the file explorer (explorer.exe). In that case 7 clicked, 1 infected, and lsass.exe?
upvoted 1 times
Weezyfbaby
2 years, 7 months ago
Passed the exam today, and I went with 6 infected, 7 clicked, and Isass.exe.
upvoted 9 times
Tag
2 years, 7 months ago
6 infected, 7 clicked, isass.exe. Don't ask me to explain, just know that's the answer.
upvoted 6 times
MrRobotJ
2 years, 6 months ago
How do you know? For me it is about learning, not passing.
upvoted 8 times
Yerfez
2 years, 7 months ago
Is it not 4, 7 and Isass.exe?
upvoted 2 times
bootleg
2 years, 5 months ago
I passed today; I picked this. There were 4 executables when you click the top of the SIEM on the far right-hand side. I believe Isass was the exe, but I can't remember.
upvoted 1 times
TheSkyMan
2 years, 8 months ago
This sim has duplicate log screenshots, so I can't determine the real answer (the answer may be right?!). Since the phishing email has a download link to a mail client, it makes sense that the malware will be mailclient.exe. Also I'm pretty sure the mailclient.exe malware is connecting to chatforfree.ru. To confirm this, we need to correlate the timeline of events with all of the server logs. This is how I plan on working this sim (the method could change as I start the sim):
SIEM - look for users that have "mailclient.exe" in the process name to get how many workstations were infected.
File Server - look for users connecting to "chatforfree.ru" to determine how many users clicked the phishing email.
Email Server - used as a reference confirming users received the email, and that the timeline of events supports the infection times.
upvoted 3 times
Treymb6
2 years, 7 months ago
I agree with most of this, except that the IP that mailclient.exe is running on is .188. If you go back to the file server logs and look at what is close in time for that .188 IP, it looks like it should be that tilapia.com website.
upvoted 5 times
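The cross-reference several commenters describe (pull the link's domain from the proxy/file-server log to count who clicked, then count only SIEM process-creation events for the suspected executable on those hosts, ignoring logon events such as lsass.exe), as an added Python example that is not part of the exam simulation or of any comment here. The log formats, timestamps and account names are constructed; the seven IPs are the ones the commenters list.

```python
from collections import defaultdict

# Constructed sample records, not the simulation's real logs. Times and the
# lsass.exe logon lines are invented to show the logon-vs-process distinction.
PHISH_DOMAIN = "chzweb.tilapia.com"  # domain shown when hovering the email link
# proxy/file-server lines: time source_ip method url status (.70 visits twice)
PROXY_LOG = """\
16:05:11 192.168.0.134 GET http://chzweb.tilapia.com/client.exe 200
16:05:40 192.168.0.254 GET http://chzweb.tilapia.com/client.exe 200
16:06:02 192.168.0.9 GET http://chzweb.tilapia.com/client.exe 200
16:06:30 192.168.0.70 GET http://chzweb.tilapia.com/client.exe 200
16:07:15 192.168.0.70 GET http://chzweb.tilapia.com/client.exe 200
16:08:01 192.168.0.188 GET http://chzweb.tilapia.com/client.exe 200
16:08:44 192.168.0.24 GET http://chzweb.tilapia.com/client.exe 200
16:09:10 192.168.0.132 GET http://chzweb.tilapia.com/client.exe 200
"""

# SIEM lines: time|host|account|event message|process
SIEM_LOG = """\
16:05:30|192.168.0.134|cpuziss|A new process has been created|mailclient.exe
16:05:31|192.168.0.134|cpuziss|An account was successfully logged on|lsass.exe
16:06:20|192.168.0.9|dfritz|An account was successfully logged on|lsass.exe
16:06:45|192.168.0.70|asmith|A new process has been created|mailclient.exe
16:08:05|192.168.0.188|jlee|A new process has been created|mailclient.exe
16:08:50|192.168.0.24|kmathews|A new process has been created|mailclient.exe
"""

def clicked_hosts(proxy_log, domain):
    """Distinct source IPs that requested the phishing domain; repeat visits count once."""
    hosts = set()
    for line in proxy_log.splitlines():
        _, src, _, url, _ = line.split()
        if url.split("/")[2] == domain:  # host part of http://host/path
            hosts.add(src)
    return hosts

def process_creations(siem_log, hosts):
    """process name -> clicked hosts with a process-creation event; logon events (lsass.exe) are skipped."""
    seen = defaultdict(set)
    for line in siem_log.splitlines():
        _, host, _, message, proc = line.split("|")
        if host in hosts and message == "A new process has been created":
            seen[proc.lower()].add(host)
    return seen

def triage(proxy_log, siem_log, domain, malware_exe):
    clicked = clicked_hosts(proxy_log, domain)
    infected = process_creations(siem_log, clicked).get(malware_exe.lower(), set())
    return len(clicked), len(infected), sorted(infected)
```

With this constructed data `triage(PROXY_LOG, SIEM_LOG, PHISH_DOMAIN, "mailclient.exe")` gives 7 clicked and 4 infected; the lsass.exe lines never count because they are logon events, not process creations.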