
Exam CS0-002 topic 1 question 223 discussion

Actual exam question from CompTIA's CS0-002
Question #: 223
Topic #: 1

A user receives a potentially malicious attachment that contains spelling errors and a PDF document. A security analyst reviews the email and decides to download the attachment to a Linux sandbox for review. Which of the following commands would MOST likely indicate if the email is malicious?

  • A. sha256sum ~/Desktop/file.pdf
  • B. file ~/Desktop/file.pdf
  • C. strings ~/Desktop/file.pdf | grep -i “
  • D. cat < ~/Desktop/file.pdf | grep -i .exe
Suggested Answer: C

Comments

Comptia_Secret_Service
Highly Voted 2 years, 5 months ago
Selected Answer: C
I believe C should be strings ~/Desktop/file.pdf | grep "<script". I cannot believe the incompetence of these guys maintaining these dumps; blatantly wrong answers are common, but literally copy-pasting questions and still failing to uphold their quality is outright ridiculous. I cannot believe I paid for this dump.
upvoted 13 times
Orean
2 years, 2 months ago
Some of these questions are deliberately misanswered in the hopes that it'll make certification-providers like CompTIA less inclined to crack down on them. It's why we have to burrow through the discussions, which usually—if not always—establish the correct answer.
upvoted 5 times
saci_frosty
2 years, 1 month ago
I always assume it is because this is how the person who took the test answered them, and they managed to pass the test.
upvoted 2 times
bob12356
Highly Voted 2 years, 4 months ago
Selected Answer: C
C - strings ~/Desktop/file.pdf | grep "<script". Explanation: The strings command is used to extract the human-readable strings from a binary file, such as a PDF document. By piping the output of the strings command to the grep command with the -i flag, the security analyst can search for specific keywords or phrases that are commonly used in malicious PDF documents, such as "malware" or "Trojan." This will allow the analyst to quickly identify potential indicators of malicious activity in the PDF document.
upvoted 7 times
JakeH
Most Recent 1 year, 6 months ago
Selected Answer: B
Got this question on exam. Was going to choose cat but went with Strings at last minute. Tough questions
upvoted 1 times
skibby16
1 year, 7 months ago
Selected Answer: B
The "file" command is commonly used to determine the type of file based on its content and characteristics. When you run the "file" command on a file, it examines the file's magic number and other indicators to identify the file type. This can be helpful in identifying potentially malicious files. In the case of a PDF file, it should report that it's a PDF document.
upvoted 2 times
johndoe69
1 year, 8 months ago
Selected Answer: B
The command file ~/Desktop/file.pdf is used to determine the type of a file by examining its contents and metadata. It can help identify the format of the file, whether it's a PDF, an image, a text file, etc. In this context, using this command on the potentially malicious PDF attachment would provide information about the format of the file. If the file is actually a PDF as expected, it would provide more confidence that it's not just a disguised executable or malicious content. It's a preliminary step to understand the nature of the file before further analysis is performed.
upvoted 2 times
khrid4
2 years, 1 month ago
Selected Answer: B
"The most likely command to indicate if the email is malicious when reviewing a potentially malicious attachment on a Linux sandbox is B. The command file ~/Desktop/file.pdf is used to determine the type of file, which can help to determine if the file is malicious or not. The output of the command will display information about the file type, such as the file format, encoding, and other details." This is common in the field: to trick the end user, TAs usually change the file format. Meanwhile, simply grepping for <script would not be the best answer, because what if the contents of the PDF contain the plaintext word "<script" because it is a guide on how to do scripting, and this gets captured as a false positive?
upvoted 2 times
khrid4
2 years, 1 month ago
this is where the "file signatures" come into play.
upvoted 1 times
slcc99
2 years, 1 month ago
This question was put on the exam.
upvoted 3 times
2Fish
2 years, 1 month ago
Selected Answer: C
C. While A would work in the sense the hash of file.pdf was malicious and you could compare it to another Hash (say on VirusTotal), you still may not be able to find the matching malicious Hash. Check here for more discussions. https://www.examtopics.com/discussions/comptia/view/41563-exam-cs0-002-topic-1-question-67-discussion/
upvoted 1 times
knister
2 years, 2 months ago
Selected Answer: C
The answer C is incomplete, as bob says, there is a <script missing there. This should allow you to detect whether there are some scripts embedded in the pdf file.
upvoted 1 times
f3lix
2 years, 4 months ago
Selected Answer: A
I tried all 4 answers on a Kali box, by creating a malicious PDF file (with a reverse shell code) using Metasploit.
B - Returned the file type as PDF (that makes my comment above incorrect)
C - No output
D - No output
Only remaining option is to get the hash value and query from a service like VirusTotal. Answer: A
upvoted 3 times
saci_frosty
2 years, 1 month ago
Try this instead C. strings ~/Desktop/file.pdf | grep "<script"
upvoted 2 times
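The three checks argued over in this thread (the `file` magic-number check, `strings | grep` for script markers, and the sha256 hash) side by side, as an added example that is not from the page or any commenter. It reimplements each check in Python on two constructed sample files, so you can see what each one does and does not reveal; the marker list and sample PDFs are assumptions chosen for illustration.

```python
"""Triage a PDF attachment three ways, mirroring `file`, `strings | grep -i`, and `sha256sum`."""
import hashlib
import re

# Standard PDF dictionary keys that introduce active content, plus the
# "<script" token the commenters propose grepping for (assumed list).
SCRIPT_MARKERS = ("/JavaScript", "/JS", "/OpenAction", "/Launch", "<script")


def file_type(data: bytes) -> str:
    """Mimic `file`: classify by leading magic bytes, never by the .pdf extension."""
    if data.startswith(b"%PDF-"):
        return "PDF document"
    if data.startswith(b"MZ"):          # a renamed Windows executable would show up here
        return "PE executable"
    return "data"


def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Mimic `strings`: every run of at least min_len printable ASCII bytes."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def script_hits(data: bytes) -> list[str]:
    """Mimic `strings f | grep -i <marker>`: case-insensitive, so a harmless
    tutorial that merely mentions "<script" is also flagged (khrid4's false-positive point)."""
    hits = []
    for s in printable_strings(data):
        if any(m.lower() in s.lower() for m in SCRIPT_MARKERS):
            hits.append(s)
    return hits


def sha256(data: bytes) -> str:
    """Mimic `sha256sum`: only useful if someone else has already classified this exact file."""
    return hashlib.sha256(data).hexdigest()


def triage(data: bytes) -> dict:
    return {"type": file_type(data), "script_hits": script_hits(data), "sha256": sha256(data)}


# Constructed samples: a minimal clean PDF, and one whose catalog runs JavaScript on open.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
SCRIPTED_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
                b"3 0 obj << /S /JavaScript /JS (app.alert('hi')) >> endobj\n%%EOF\n")
DISGUISED_EXE = b"MZ\x90\x00" + b"\x00" * 60   # an .exe renamed to .pdf

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_PDF), ("scripted", SCRIPTED_PDF), ("exe", DISGUISED_EXE)):
        print(name, triage(sample))
```

Note that `file` catches the renamed executable but says nothing about the scripted PDF, while the `strings | grep` check catches the scripted PDF but would also flag a benign document that talks about scripts; neither replaces the other.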
marc4354345
2 years, 4 months ago
None of the given answers make a lot of sense.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other