nerdexam
EC-Council


312-39 Question #3: Real Exam Question with Answer & Explanation

The correct answer is A. Analyze the network logs to identify external connections.

Question

A leading e-commerce company relies on backend servers for processing customer transactions. You are working with their cybersecurity team as a SOC analyst. One morning, you notice a sharp increase in CPU utilization on one of your backend servers. Your team scans and monitors the server and finds that an unknown process is running, consuming excessive resources. You further perform detailed forensic analysis and identify the presence of an unrecognized scheduled task that triggers a PowerShell script connecting to an unknown IP address. What should you do to confirm whether this is an active attack?

Options

  • A. Analyze the network logs to identify external connections
  • B. Check file integrity and detect recent unauthorized changes
  • C. Analyze the system logs for unauthorized changes
  • D. Review user access logs for unauthorized activity

Explanation

The strongest “must-be-true” confirmation for an active attack in this scenario is evidence of command-and-control (C2) or other suspicious external communication. You already have a scheduled task launching PowerShell and attempting to connect to an unknown IP address, which is a high-signal indicator of malicious automation. The fastest way to validate ongoing activity is to analyze network telemetry (firewall/proxy logs, netflow, EDR network events) to confirm whether outbound connections are occurring, how frequently, and whether data is being transferred. Network logs can reveal destination IP/port, protocols, connection success/failure, volume, and timing correlation with the scheduled task triggers. File integrity checks and system logs are useful for understanding persistence and modifications, but they may lag behind or miss short-lived network beacons. User access logs help attribute activity but do not directly confirm an active external control channel. From a SOC triage and containment perspective, confirming external connections enables immediate actions such as blocking the destination, isolating the host, and scoping for other systems contacting the same IPs/domains. Therefore, network log analysis is the most direct next step to confirm active malicious behavior.
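As an added illustration (not part of the question or its official explanation), the following Python script shows the kind of network-log analysis the explanation describes: it parses firewall log lines for the affected host, discards internal and allowlisted destinations, and for each remaining external destination reports attempt/success counts, bytes sent, interval regularity (beaconing) and how many connections fall just after a scheduled-task trigger. All log lines, IP addresses, the internal ranges and the allowlist are constructed sample values, and the 10-second correlation window and 10% jitter threshold are assumptions chosen for the example.

```python
"""Correlate outbound firewall events with scheduled-task triggers (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed firewall log for the suspect host: ts src dst dport action bytes_out
FIREWALL_LOG = """\
2024-05-01T08:00:02Z 10.0.5.12 203.0.113.45 443 allow 1240
2024-05-01T08:00:05Z 10.0.5.12 10.0.1.20 445 allow 88000
2024-05-01T08:05:01Z 10.0.5.12 203.0.113.45 443 allow 1310
2024-05-01T08:10:03Z 10.0.5.12 203.0.113.45 443 allow 1275
2024-05-01T08:12:40Z 10.0.5.12 198.51.100.7 443 allow 5200
2024-05-01T08:15:02Z 10.0.5.12 203.0.113.45 443 allow 1290
2024-05-01T08:20:01Z 10.0.5.12 203.0.113.45 443 deny 0
"""

# Constructed trigger times of the unrecognized scheduled task (every 5 minutes)
TASK_TRIGGERS = [
    datetime(2024, 5, 1, 8, m, 0) for m in (0, 5, 10, 15, 20)
]

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]
KNOWN_GOOD = {"198.51.100.7"}  # assumed known-good destination (e.g. patch server)


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action, nbytes = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "dport": int(dport),
            "action": action, "bytes": int(nbytes),
        })
    return events


def is_external(ip):
    """True when the address is outside the internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def external_connections(events, allowlist=KNOWN_GOOD):
    """Keep only connections to external, non-allowlisted destinations."""
    return [e for e in events if is_external(e["dst"]) and e["dst"] not in allowlist]


def correlate_with_triggers(conns, triggers, window_s=10):
    """Count connections that start within window_s seconds after a task trigger."""
    win = timedelta(seconds=window_s)
    return sum(
        1 for c in conns
        if any(timedelta(0) <= c["ts"] - t <= win for t in triggers)
    )


def summarize(events, triggers, allowlist=KNOWN_GOOD, max_jitter=0.1):
    """Per-destination summary: volume, regularity and scheduled-task correlation."""
    by_dst = defaultdict(list)
    for e in external_connections(events, allowlist):
        by_dst[e["dst"]].append(e)
    report = {}
    for dst, conns in by_dst.items():
        conns.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(conns, conns[1:])]
        mean_gap = mean(gaps) if gaps else 0.0
        # Low relative jitter between connections is the classic beacon signature
        jitter = pstdev(gaps) / mean_gap if len(gaps) > 1 and mean_gap else None
        report[dst] = {
            "attempts": len(conns),
            "allowed": sum(e["action"] == "allow" for e in conns),
            "bytes_out": sum(e["bytes"] for e in conns),
            "ports": sorted({e["dport"] for e in conns}),
            "mean_interval_s": round(mean_gap, 1),
            "periodic": jitter is not None and jitter < max_jitter,
            "task_correlated": correlate_with_triggers(conns, triggers),
        }
    return report


def triage(report, min_hits=3):
    """Destinations worth blocking/isolating: periodic and tied to the task trigger."""
    return sorted(d for d, s in report.items()
                  if s["periodic"] and s["task_correlated"] >= min_hits)


if __name__ == "__main__":
    rep = summarize(parse_log(FIREWALL_LOG), TASK_TRIGGERS)
    for dst, s in rep.items():
        print(dst, s)
    print("candidate C2 destinations:", triage(rep))
```

The report gives the analyst exactly the fields the explanation lists (destination, port, success/failure, volume, timing relative to the task), and the `triage` output is the list of destinations to block and to pivot on when scoping other hosts.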
