
Exam 312-50v11 topic 1 question 287 discussion

Actual exam question from ECCouncil's 312-50v11
Question #: 287
Topic #: 1

You are a security officer of a company. You received an alert from the IDS indicating that one PC on your intranet is connected to a blacklisted IP address (a C2 server) on the Internet. The IP address was blacklisted just before the alert. You are starting an investigation to roughly assess the severity of the situation. Which of the following is appropriate to analyze?

  • A. IDS log
  • B. Event logs on domain controller
  • C. Internet Firewall/Proxy log.
  • D. Event logs on the PC
Suggested Answer: C
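The reasoning behind the suggested answer is that the firewall/proxy log is the one data source that shows, at once, whether the block is actually being enforced, how much data left the network before it was, and which other internal hosts contacted the same IP. The following script is an added illustration of that triage step and is not part of the original question or discussion. It parses a constructed, simplified log format (timestamp, source IP, destination IP, port, action, bytes out), which is an assumption for the example; real proxy and firewall logs differ in layout but carry the same fields.

```python
"""Triage an IDS alert about a blacklisted C2 IP using firewall/proxy log lines.

Added example: the log format and all addresses below are constructed for
illustration and do not come from any real system or from the original page.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "timestamp src_ip dst_ip dst_port action bytes_out".
# 203.0.113.45 plays the blacklisted C2 address; 10.0.1.x are internal PCs.
SAMPLE_LOG = """\
2024-03-01T09:58:12 10.0.1.15 203.0.113.45 443 ALLOW 18432
2024-03-01T10:01:03 10.0.1.15 198.51.100.7 443 ALLOW 512
2024-03-01T10:02:47 10.0.1.15 203.0.113.45 443 ALLOW 1048576
2024-03-01T10:03:10 10.0.1.22 203.0.113.45 8080 ALLOW 2048
2024-03-01T10:04:55 10.0.1.15 203.0.113.45 443 DENY 0
2024-03-01T10:05:30 10.0.1.40 198.51.100.7 80 ALLOW 300
"""

C2_IP = "203.0.113.45"                          # the IP named in the alert
BLACKLISTED_AT = datetime(2024, 3, 1, 10, 0, 0)  # when the block rule went in


def parse_line(line):
    """Split one constructed log line into a record with typed fields."""
    ts, src, dst, port, action, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "action": action, "bytes_out": int(nbytes)}


def scope_c2_contact(log_text, c2_ip, blacklisted_at):
    """Collect, per internal host, every connection attempt to c2_ip.

    Tracks total bytes sent, first/last contact, and how many connections
    were still ALLOWED after the blacklist time (i.e. the block is not
    effective, or the log predates the rule reaching this device).
    """
    hosts = defaultdict(lambda: {"connections": 0, "bytes_out": 0,
                                 "allowed_after_block": 0,
                                 "first_seen": None, "last_seen": None})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["dst"] != c2_ip:
            continue
        h = hosts[rec["src"]]
        h["connections"] += 1
        h["bytes_out"] += rec["bytes_out"]
        if rec["action"] == "ALLOW" and rec["ts"] >= blacklisted_at:
            h["allowed_after_block"] += 1
        h["first_seen"] = rec["ts"] if h["first_seen"] is None else min(h["first_seen"], rec["ts"])
        h["last_seen"] = rec["ts"] if h["last_seen"] is None else max(h["last_seen"], rec["ts"])
    return dict(hosts)


def triage(log_text, c2_ip, blacklisted_at):
    """Summarise severity: scope (which hosts), containment (is the block
    working), and exposure (how much data went out)."""
    hosts = scope_c2_contact(log_text, c2_ip, blacklisted_at)
    leaks_after_block = sum(h["allowed_after_block"] for h in hosts.values())
    return {
        "hosts_contacting_c2": sorted(hosts),
        "block_effective": leaks_after_block == 0,
        "total_bytes_out": sum(h["bytes_out"] for h in hosts.values()),
        "largest_sender": max(hosts, key=lambda s: hosts[s]["bytes_out"]) if hosts else None,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG, C2_IP, BLACKLISTED_AT)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports two internal hosts talking to the C2 address (the alerting PC was not the only one), an ALLOWED connection after the blacklist time (so the block is not yet effective everywhere), and roughly 1 MB sent by the alerting PC, which is what an analyst needs to decide how serious the incident is before touching the endpoint itself.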

Comments

mainhattan
Highly Voted 3 years, 7 months ago
I think D is correct. Need to check the PC to find the reason.
upvoted 11 times
spampat
Highly Voted 3 years ago
The key factor here is that the alert happened after the block. The first logical thing to do is to verify that the traffic is actually being blocked, and what specifically triggered the alert at the IDS/IPS/firewall.
upvoted 8 times
truongtx8
Most Recent 1 year, 1 month ago
Once the PC is infected, the logs may be tampered with. So event logs on the PC have (almost) no value.
upvoted 1 times
josevirtual
2 years ago
Selected Answer: C
Although D might make sense too, I think that the next step for analyzing how it impacted the company should be to analyze the history of connections to that IP, and to check whether other endpoints have connected to those IPs.
upvoted 3 times
Khalid_Loudi
3 years, 2 months ago
Internet Firewall/Proxy log. This question was on the CEHv10 dump.
upvoted 4 times
martco
3 years, 2 months ago
I'd have to agree with the stated answer. My reading of the situation is: this is a smart IDS, it was updated with the blacklisted IP and caught the C2 channel straight away, but what that means for us is that we've officially lost control of our network. So now what? The first thing I'd do is get to the firewall/proxy to correlate if and what malicious conversations this compromised machine has been having recently (next steps of the hack, exfiltration of something, whatever). Apart from all the other things, this is the first move imho.
upvoted 1 times
serenityy
3 years, 3 months ago
Correct
upvoted 3 times
Scryptic
3 years, 4 months ago
This won't help get this question correct on the exam, but as a previous forensic analyst, once I have reason to believe a PC is popped, the first thing I do is grab the IDS logs for the PC's IP address, all the registry and evt(x) files, and other files of forensic interest, and create a super timeline in date/time sequence of all events combined into a single file. Based on this reasoning, you can argue for "F.) All of the above."
upvoted 2 times
Scryptic
3 years, 4 months ago
On further review of the exact scenario, it mentions that the IP was blacklisted right before the event was discovered. Likely, the IP was blacklisted in the Firewall or Proxy, therefore, that would likely be the best answer of the four.
upvoted 4 times
Haythem026
3 years, 5 months ago
I think it is D. In my opinion, first of all we start by checking the PC, afterwards extending our investigation to other nodes for more visibility.
upvoted 3 times
ANDRESCB1988
3 years, 6 months ago
correct option C
upvoted 5 times
Community vote distribution: A (35%), C (25%), B (20%), Other