EC-Council
312-50V10 Question #73: Real Exam Question with Answer & Explanation
The correct answer is B: Internet Firewall/Proxy log. When investigating a PC communicating with a known C2 server on the internet, the firewall/proxy log provides the most comprehensive view of all outbound traffic to that IP across the entire network.
Question
You are a security officer of a company. You had an alert from the IDS indicating that one PC on your Intranet is connected to a blacklisted IP address (C2 server) on the Internet. The IP address was blacklisted just before the alert. You are starting an investigation to roughly assess the severity of the situation. Which of the following is appropriate to analyze?
Options
- A. Event logs on the PC
- B. Internet Firewall/Proxy log
- C. IDS log
- D. Event logs on domain controller
Explanation
The firewall/proxy log is the right first source because it records every outbound connection from the intranet to the blacklisted IP, not just the one session the IDS flagged. That network-wide view shows whether other hosts are also contacting the C2 server, how often, and how much data left the network, which is what a rough severity assessment needs.
Common mistakes.
- A. Event logs on the individual PC capture local OS and application events but do not provide a comprehensive network-level view of all traffic between the internal network and the external C2 server.
- C. The IDS log already produced the initial alert and will show detected signatures, but it does not provide full traffic details or reveal whether other hosts are also connecting to the C2 server.
- D. Event logs on the domain controller focus on authentication, account management, and AD-related events and do not contain records of network connections to external IP addresses.
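The following is an added example, not part of the original question page, showing the kind of firewall/proxy-log triage the explanation describes: given a blacklisted IP and the single host the IDS alerted on, it scans the log for every internal source that contacted that IP and reports whether additional hosts are involved. The log lines and the log format (timestamp, source IP, destination IP, destination port, action, bytes sent) are constructed for this example; a real proxy or firewall export would need its own field mapping in `parse_line`.

```python
from datetime import datetime

# Constructed sample firewall/proxy log (not from any real device).
# Assumed field order: timestamp src_ip dst_ip dst_port action bytes_out
SAMPLE_LOG = """\
2024-03-01T09:58:12Z 10.0.5.23 203.0.113.77 443 ALLOW 1284
2024-03-01T09:58:40Z 10.0.5.23 198.51.100.9 443 ALLOW 5120
2024-03-01T10:01:05Z 10.0.5.23 203.0.113.77 443 ALLOW 944
2024-03-01T10:02:17Z 10.0.7.101 203.0.113.77 443 ALLOW 2211
2024-03-01T10:03:59Z 10.0.9.14 203.0.113.77 8443 DENY 0
2024-03-01T10:10:33Z 10.0.5.23 203.0.113.77 443 ALLOW 770
"""

BLACKLISTED_IP = "203.0.113.77"  # constructed placeholder for the C2 address
IDS_ALERTED_HOST = "10.0.5.23"   # the one PC the IDS alert named


def parse_line(line):
    """Split one log line into a record; raises ValueError on malformed input."""
    ts, src, dst, port, action, nbytes = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "dst": dst,
        "port": int(port),
        "action": action,
        "bytes": int(nbytes),
    }


def summarize_c2_contacts(log_text, c2_ip):
    """Per-source-host summary of every connection attempt to c2_ip.

    Unlike the IDS alert, this covers the whole network: any host that
    appears here talked (or tried to talk) to the blacklisted address.
    """
    hosts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dst"] != c2_ip:
            continue
        h = hosts.setdefault(rec["src"], {
            "connections": 0,   # all attempts, allowed or denied
            "allowed": 0,       # attempts the firewall/proxy let through
            "bytes_out": 0,     # bytes sent on allowed connections
            "first_seen": rec["ts"],
            "last_seen": rec["ts"],
            "ports": set(),
        })
        h["connections"] += 1
        h["ports"].add(rec["port"])
        h["first_seen"] = min(h["first_seen"], rec["ts"])
        h["last_seen"] = max(h["last_seen"], rec["ts"])
        if rec["action"] == "ALLOW":
            h["allowed"] += 1
            h["bytes_out"] += rec["bytes"]
    return hosts


def triage(log_text, c2_ip, alerted_host):
    """Rough severity picture: is it one host or several, and how much left?"""
    hosts = summarize_c2_contacts(log_text, c2_ip)
    return {
        "alerted_host_seen": alerted_host in hosts,
        "additional_hosts": sorted(h for h in hosts if h != alerted_host),
        "hosts_with_allowed_traffic": sorted(
            h for h, s in hosts.items() if s["allowed"] > 0),
        "total_bytes_out": sum(s["bytes_out"] for s in hosts.values()),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, BLACKLISTED_IP, IDS_ALERTED_HOST)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed sample the IDS alert named a single PC, but the proxy log shows two more internal hosts reaching for the same address (one of them blocked), which is exactly the widening of scope that only a network-level log can reveal and that the individual PC's event log or the domain controller's logs would never show.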
Concept tested. Incident response - C2 traffic analysis using firewall logs
Reference. https://www.nist.gov/publications/guide-computer-security-incident-handling