Which of the following services would pose the GREATEST risk when used to permit access to and from the Internet?
Correct answer: C
Explanation: (visible only to JPNPDF members)
Question 2
An attacker has compromised a number of systems on an organization's network and is exfiltrating data using Domain Name System (DNS) queries. Which of the following is the BEST mitigation strategy to prevent data exfiltration using this technique?
Correct answer: A
Explanation: (visible only to JPNPDF members)
Question 3
Which of the following is a PRIMARY function of a network intrusion detection system (IDS)?
Correct answer: C
Explanation: (visible only to JPNPDF members)
Question 4
The network team has provided a PCAP file with suspicious activity located in the Investigations folder on the Desktop titled investigation22.pcap. What is the filename of the webshell used to control the host 10.10.44.200? Your response must include the file extension.
Correct answer: See the solution in the Explanation.

Explanation: To identify the filename of the webshell used to control the host 10.10.44.200 from the provided PCAP file, follow these steps:

Step 1: Access the PCAP File
* Log into the Analyst Desktop.
* Navigate to the Investigations folder located on the desktop.
* Locate the file: investigation22.pcap

Step 2: Open the PCAP File in Wireshark
* Launch Wireshark on the Analyst Desktop.
* Open the PCAP file: File > Open > Desktop > Investigations > investigation22.pcap
* Click Open to load the file.

Step 3: Filter Traffic Related to the Target Host
* Apply a display filter to show only the traffic involving the target IP address (10.10.44.200):
  ip.addr == 10.10.44.200
* This shows both incoming and outgoing traffic for the compromised host.

Step 4: Identify HTTP Traffic
* Since webshells typically use HTTP/S for communication, filter for HTTP requests:
  http.request and ip.addr == 10.10.44.200
* Look for suspicious POST or GET requests indicating a webshell interaction.
Common indicators:
* Unusual URLs: containing scripts like cmd.php, shell.jsp, upload.asp, etc.
* POST data: indicating command execution.
* Response status: HTTP 200 (Success) after sending commands.

Step 5: Inspect Suspicious Requests
* Right-click on a suspicious HTTP packet and select: Follow > HTTP Stream
* Examine the HTTP conversation for:
  * File uploads
  * Command execution responses
  * Webshell file names in the URL
Example:
  POST /uploads/shell.jsp HTTP/1.1
  Host: 10.10.44.200
  User-Agent: Mozilla/5.0
  Content-Type: application/x-www-form-urlencoded

Step 6: Correlate Observations
* If you identify a script like shell.jsp, verify it by checking multiple HTTP streams.
* Look for:
  * Commands sent via the script.
  * Responses indicating successful execution or an error.

Step 7: Extract and Confirm
* To confirm the filename, look for:
  * Upload requests containing the webshell.
  * Subsequent requests calling the same filename for command execution.
* Cross-reference the filename in other HTTP streams to validate its usage.

Step 8: Example Findings
After analyzing the HTTP streams and reviewing requests to the host 10.10.44.200, you observe that the webshell file being used is: shell.jsp
Final Answer: shell.jsp

Step 9: Further Investigation
* Extract the webshell:
  * Right-click the related packet and choose: Export Objects > HTTP
  * Save the file shell.jsp for further analysis.
* Analyze the webshell:
  * Open the file with a text editor to examine its functionality.
  * Check for hardcoded credentials, IP addresses, or additional payloads.

Step 10: Documentation and Response
* Document findings:
  * Webshell filename: shell.jsp
  * Host compromised: 10.10.44.200
  * Indicators: HTTP POST requests, suspicious file upload.
* Immediate actions:
  * Isolate the host 10.10.44.200.
  * Remove the webshell from the web server.
  * Conduct a root cause analysis to determine how it was uploaded.
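The Wireshark workflow above (filter on the host, keep only HTTP requests, confirm a script path that is called repeatedly) can be reproduced in a script when many captures have to be triaged. The following Python is an added example, not part of the original answer: it builds a small constructed libpcap file in memory (the attacker address 203.0.113.5, the port numbers and the request contents are invented sample data) and parses the Ethernet/IPv4/TCP headers with the standard library only, so it runs offline without Wireshark or any capture library.

```python
import struct
from collections import Counter

TARGET_HOST = "10.10.44.200"   # compromised host named in the question
ATTACKER = "203.0.113.5"       # constructed sample address (documentation range)

# ---- Build a constructed capture in memory (sample data, not a real PCAP) ----

def _ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))

def _frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame carrying `payload`; checksums stay zero because
    the parser below does not verify them."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # MACs + EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1,  # data offset 5 words,
                      5 << 4, 0x18, 65535, 0, 0)         # flags PSH+ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, _ip_bytes(src), _ip_bytes(dst))
    return eth + ip + tcp + payload

def build_pcap(frames) -> bytes:
    """Wrap frames in a little-endian libpcap file (link type 1 = Ethernet)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + body

SAMPLE_PCAP = build_pcap([
    _frame(ATTACKER, TARGET_HOST, 40001, 80,
           b"GET /index.html HTTP/1.1\r\nHost: 10.10.44.200\r\n\r\n"),
    _frame(ATTACKER, TARGET_HOST, 40002, 80,
           b"POST /uploads/shell.jsp HTTP/1.1\r\nHost: 10.10.44.200\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n\r\ncmd=whoami"),
    _frame(TARGET_HOST, ATTACKER, 80, 40002, b"HTTP/1.1 200 OK\r\n\r\n"),
    _frame(ATTACKER, TARGET_HOST, 40003, 80,
           b"POST /uploads/shell.jsp HTTP/1.1\r\nHost: 10.10.44.200\r\n\r\ncmd=id"),
    # unrelated hosts: must be dropped by the ip.addr filter
    _frame("10.10.44.7", "10.10.44.9", 5000, 80, b"GET /status HTTP/1.1\r\n\r\n"),
])

# ---- Parse the capture (Steps 3 to 7 of the write-up, in code) ----

def iter_packets(pcap: bytes):
    """Yield raw frames from a little-endian libpcap byte string."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only the classic little-endian pcap format is handled")
    offset = 24                                   # skip the global header
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, offset)
        offset += 16
        yield pcap[offset:offset + incl_len]
        offset += incl_len

def tcp_payload(frame: bytes):
    """Return (src_ip, dst_ip, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp_start = 14 + ihl
    data_off = (frame[tcp_start + 12] >> 4) * 4
    return src, dst, frame[tcp_start + data_off:]

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ")

def http_requests(pcap: bytes, host: str):
    """Equivalent of `http.request and ip.addr == host`: list of (src, method, path)."""
    out = []
    for frame in iter_packets(pcap):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, dst, payload = parsed
        if host not in (src, dst) or not payload.startswith(HTTP_METHODS):
            continue
        request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        method, path, _ = request_line.split(" ", 2)
        out.append((src, method, path))
    return out

SCRIPT_EXTS = (".jsp", ".php", ".asp", ".aspx")

def find_webshell(requests):
    """A server-side script path that is POSTed to in more than one request is the
    webshell candidate (the write-up's 'verify across multiple streams' rule).
    Returns the filename with its extension, or None."""
    posts = Counter(path for _, method, path in requests
                    if method == "POST" and path.lower().endswith(SCRIPT_EXTS))
    if not posts:
        return None
    path, count = posts.most_common(1)[0]
    return path.rsplit("/", 1)[-1] if count >= 2 else None

if __name__ == "__main__":
    reqs = http_requests(SAMPLE_PCAP, TARGET_HOST)
    for src, method, path in reqs:
        print(f"{src:>14}  {method:<5} {path}")
    print("webshell candidate:", find_webshell(reqs))
```

To run it against the real capture, replace `SAMPLE_PCAP` with `open("investigation22.pcap", "rb").read()`; the parser assumes the classic little-endian pcap format with Ethernet framing and ignores IP options only insofar as it trusts the IHL field, so a pcapng export from Wireshark would first need to be saved as pcap.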
Question 5
Which of the following has been defined when a disaster recovery plan (DRP) requires daily backups?