Lab 1

Uploaded by Wilson Quek

12/6/24, 1:57 AM labclient.labondemand.com/Instructions/ExamResult/b9faa3e8-58ec-4808-a6a1-aa5b0f6b401c

04: Assisted Lab: Performing Threat Hunting


CySA+ (Exam CS0-003)

22/22
Congratulations, you passed!
Duration: 42 minutes, 9 seconds

confirm if "-A INPUT -j LOG" is present in /home/lamp/filter-list.txt  Score: 1

Select the Score button to validate this task:
The iptables filter of -A INPUT -j LOG is present
Task complete

confirm the value of @lab.Variable(Kali_IPv4) is 172.16.0.100  Score: 1

Select the Score button to validate this task:
Value matched ...

What is the network activity that is captured in the kern.log file related to the SRC=172.16.0.100?  Score: 1

port scanning
brute force password guessing
buffer overflow
denial of service

Congratulations, you have answered the question correctly.

 What systems have a current secure web session with DC10? Score: 1

10.1.16.1
10.1.16.2
172.16.0.100
10.1.24.101
10.1.16.242

Congratulations, you have answered the question correctly.

What is the name of the process associated with the PID related to the secure web connections? Type in the exact process name in the field below. (Note: it is listed under Image Name.)  Score: 1

system

Congratulations, you have answered the question correctly.


What is the exact name of the process associated with the secure web connection? Type in the exact process name in the field below. (Note: it is listed under Image Name.)  Score: 1

powershell.exe

Congratulations, you have answered the question correctly.

confirm if the C:\Windows\system32\outfile.txt file exists and contains the "CommandLine"  Score: 1

Select the Score button to validate this task:
File C:\Windows\system32\outfile.txt exists and contains the 'CommandLine' line item
Task complete

What is the exact name of the process associated with the secure web connection? Type in the exact process name in the field below. (Note: it is listed beside the PID.)  Score: 1

nc

Congratulations, you have answered the question correctly.

Having identified the system from where the suspicious secure web connections are originating, you need to compare your findings to the elements of the IoC: observable. Mark the options below that are true for the discovered offending process(es). (Select all that apply)  Score: 1

The offending process will not present as a standard web client.
The attack can originate from any system with the ability to access the targeted website.
The exploit is stealing credentials.
Secure websites are being targeted in a resource exhaustion attack.
The vulnerability is introduced when installing a web client.

Congratulations, you have answered the question correctly.

What is the most concerning issue you discovered in this packet capture?

An internal DNS server resolves queries.
SSH services are available.
An anonymous connection was made to an FTP server.
A website is operating over a non-default port.

Congratulations, you have answered the question correctly.

 Which system is likely the victim of the malware infection? Score: 1

10.1.16.1
10.1.16.2
172.16.0.100
172.16.0.201
Congratulations, you have answered the question correctly.


Which IP address warrants further investigation in relation to the data exfiltration incident?  Score: 1

10.1.24.101
10.1.16.2
10.1.16.1
10.1.16.11
10.1.24.13

Congratulations, you have answered the question correctly.

Why did you select the IP address as needing further investigation?  Score: 1

The connection to and from the same port number
The attempt to connect to FTP
The large amount of traffic over a DNS port
Performing DNS queries
Website connections
The SMTPS connection

Congratulations, you have answered the question correctly.

 The command and control process is executing under what user account context? Score: 1

root
jaime
n/a
renee
system
Congratulations, you have answered the question correctly.

What process is most likely the means by which the botnet agents are connecting into this client?  Score: 1

cmd.exe
explorer.exe
nc.exe
winlogon
notepad.exe

Congratulations, you have answered the question correctly.

confirm if @lab.Variable(DNSThreat) is 'badsite.ru'  Score: 1

Select the Score button to validate this task:
Value matched ...

 What is the time interval between type 1 queries to badsite.ru? Score: 1

1 second
5 seconds
20 seconds
1 minute

Congratulations, you have answered the question correctly.

What is the repeated attempt to resolve a FQDN on a regular interval by unknown software called?  Score: 1

port scanning
DNS spoofing
shell injection
beaconing

Congratulations, you have answered the question correctly.
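The beaconing items above (repeated type 1, that is A-record, queries for one FQDN, and the interval between them) can be checked mechanically once the queries are in a log. The following Python is an added example and is not part of the lab or its grading: it parses a constructed query log (timestamp, source, numeric query type, name), groups queries by source, type and name, and flags groups whose inter-query gaps are nearly constant. The 30-second beacon, the 10% jitter tolerance, the minimum of four queries and the hosts and names in the sample are assumptions made for the example, not values taken from the lab capture.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed DNS query log, one query per line: "HH:MM:SS.fff src qtype qname".
# Not the lab's capture: the ~30 s beacon, the hosts and the names are made up.
# qtype is the numeric DNS QTYPE (1 = A, 28 = AAAA).
SAMPLE_DNS_LOG = """\
01:40:00.012 10.1.16.11 1 badsite.ru
01:40:03.500 10.1.16.2 1 www.example.com
01:40:05.100 10.1.16.2 1 www.example.com
01:40:30.105 10.1.16.11 1 badsite.ru
01:40:41.900 10.1.16.2 1 www.example.com
01:41:00.020 10.1.16.11 1 badsite.ru
01:41:02.300 10.1.16.2 1 www.example.com
01:41:30.210 10.1.16.11 1 badsite.ru
01:42:00.001 10.1.16.11 1 badsite.ru
01:42:10.700 10.1.16.2 1 www.example.com
01:42:30.150 10.1.16.11 1 badsite.ru
01:42:31.000 10.1.16.2 28 www.example.com
"""


def parse_dns_log(text):
    """Parse the constructed log into (time, src, qtype, qname) tuples.
    Names are lower-cased and a trailing dot is stripped so that
    'BadSite.ru.' and 'badsite.ru' land in the same group."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, qtype, qname = line.split()
        records.append((datetime.strptime(ts, "%H:%M:%S.%f"), src,
                        int(qtype), qname.lower().rstrip(".")))
    return records


def find_beacons(records, min_queries=4, max_jitter=0.10):
    """Group queries by (src, qtype, qname) and flag groups whose inter-query
    gaps are nearly constant: (max gap - min gap) / median gap <= max_jitter.
    Human browsing produces bursty, irregular gaps and is not flagged.
    Returns {key: {"count", "interval_s", "jitter"}} for the flagged groups."""
    times_by_key = defaultdict(list)
    for t, src, qtype, qname in records:
        times_by_key[(src, qtype, qname)].append(t)

    beacons = {}
    for key, times in times_by_key.items():
        if len(times) < min_queries:
            continue                      # too few samples to call it periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median_gap = statistics.median(gaps)
        if median_gap <= 0:
            continue                      # duplicate timestamps, not a beacon
        jitter = (max(gaps) - min(gaps)) / median_gap
        if jitter <= max_jitter:
            beacons[key] = {"count": len(times),
                            "interval_s": round(median_gap, 1),
                            "jitter": round(jitter, 3)}
    return beacons


if __name__ == "__main__":
    for (src, qtype, qname), info in find_beacons(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"{src} -> {qname} (type {qtype}): {info['count']} queries "
              f"every ~{info['interval_s']} s, jitter {info['jitter']:.1%}")
```

With the constructed sample only the 10.1.16.11 queries for badsite.ru are reported (six queries about 30 s apart); the irregular www.example.com lookups from 10.1.16.2 fall outside the jitter tolerance and the single AAAA query is below the minimum count. Real beacons often add deliberate jitter, so the tolerance is a tuning knob rather than a fixed constant.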

 In the kern.log file produced by iptables, what is the DPT value? Score: 1

Destination IP address
Source IP address
Destination port number
Source port number

Congratulations, you have answered the question correctly.

Which statement best describes the IoC for a port scanning event?  Score: 1

A large number of packets received by a system which causes a consumption of all resources
Multiple ports receiving packets from a single source IP address
Invalid ARP announcements associating a single MAC address to numerous IP addresses
An outbound connection to a remote server granting an adversary remote control of the system

Congratulations, you have answered the question correctly.
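Two of the items above concern iptables LOG output in kern.log: the DPT field is the destination port, and a port scan presents as one source address touching many distinct destination ports. The following Python is an added example, not part of the lab or its grading scripts: it parses constructed kern.log lines written in the iptables LOG-target format and flags any source that hits ten or more distinct destination ports. The field names SRC, DST, PROTO, SPT and DPT are the ones the LOG target really emits; the addresses, host name, MAC and packet details are made up, and the ten-port threshold is an assumption chosen for the example, not a value from the lab.

```python
import re
from collections import defaultdict

# Constructed kern.log lines in the iptables LOG-target format (not taken from
# the lab's kern.log): one noisy scanner (192.0.2.77), one host doing ordinary
# HTTPS, and an unrelated kernel message the parser must skip.
LOG_TEMPLATE = ("Dec  6 01:30:{sec:02d} lamp kernel: [ 812.{sec:03d}] IN=eth0 OUT= "
                "MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:08:00 SRC={src} DST={dst} "
                "LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID={pkt_id} PROTO=TCP "
                "SPT={spt} DPT={dpt} WINDOW=1024 RES=0x00 SYN URGP=0")

SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080]

SAMPLE_KERN_LOG = ["Dec  6 01:29:59 lamp kernel: [ 811.000] eth0: link becomes ready"]
SAMPLE_KERN_LOG += [LOG_TEMPLATE.format(sec=i, src="192.0.2.77", dst="10.1.16.1",
                                        pkt_id=1000 + i, spt=45000 + i, dpt=port)
                    for i, port in enumerate(SCAN_PORTS)]
SAMPLE_KERN_LOG += [LOG_TEMPLATE.format(sec=20 + i, src="10.1.16.2", dst="10.1.16.1",
                                        pkt_id=2000 + i, spt=51000 + i, dpt=443)
                    for i in range(3)]

# KEY=VALUE tokens as written by the LOG target; bare flags (SYN, ACK, DF)
# carry no '=' and are therefore not captured.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_iptables_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line as a dict of
    strings, or None for kernel messages that are not firewall log entries.
    DPT is the destination port, SPT the source port, SRC/DST the addresses."""
    if "kernel:" not in line or "SRC=" not in line or "DST=" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def find_port_scanners(lines, min_ports=10):
    """Bucket logged packets by SRC and return {src: sorted distinct DPTs} for
    every source that hit at least min_ports distinct destination ports, i.e.
    the 'multiple ports receiving packets from a single source IP' IoC."""
    ports_by_src = defaultdict(set)
    for line in lines:
        fields = parse_iptables_line(line)
        if fields and fields.get("DPT"):
            ports_by_src[fields["SRC"]].add(int(fields["DPT"]))
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, ports in find_port_scanners(SAMPLE_KERN_LOG).items():
        print(f"possible port scan from SRC={src}: {len(ports)} ports {ports}")
```

On a real host the input would be the output of `grep 'IN=' /var/log/kern.log` produced by a rule such as the lab's `-A INPUT -j LOG`; with the constructed sample only 192.0.2.77 is flagged, while 10.1.16.2 (three packets, all to port 443) is not.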

What netstat parameter prevents FQDNs and protocol acronyms from being displayed in the output?  Score: 1

-a
-n
-o
-p

Congratulations, you have answered the question correctly.

What is an IoC observable?  Score: 1

An identified fact of occurrence
A hypothesis about a threat
An entry in a firewall filter
A record in an event log

Congratulations, you have answered the question correctly.

Why is beaconing an important IoC to look for?  Score: 1

It indicates active malware attempting to contact a C&C.
It is evidence of buffer overflow exploits.
It is triggered by any malicious activity.
It may use polymorphism to hide its identity.

Congratulations, you have answered the question correctly.
