nerdexam
EC-Council

312-50V11 · Question #141

You are working as a Security Analyst in a company XYZ that owns the whole subnet range of 23.0.0.0/8 and 192.168.0.0/8. While monitoring the data, you find a high number of outbound connections. You

The correct answer is A. Botnet Attack. Multiple internal compromised hosts communicating with a single blacklisted public IP describes a botnet, where infected machines are coordinated by a command-and-control server.

Malware Threats

Question

You are working as a Security Analyst in a company XYZ that owns the whole subnet range of 23.0.0.0/8 and 192.168.0.0/8. While monitoring the data, you find a high number of outbound connections. You see that IP's owned by XYZ (Internal) and private IP's are communicating to a Single Public IP. Therefore, the Internal IP's are sending data to the Public IP. After further analysis, you find out that this Public IP is a blacklisted IP, and the internal communicating devices are compromised. What kind of attack does the above scenario depict?

Exhibit

312-50V11 question #141 exhibit

Options

  • ABotnet Attack
  • BSpear Phishing Attack
  • CAdvanced Persistent Threats
  • DRootkit Attack

How the community answered

(42 responses)
  • A
    79% (33)
  • B
    14% (6)
  • C
    2% (1)
  • D
    5% (2)

Why each option

Multiple internal compromised hosts communicating with a single blacklisted public IP describes a botnet, where infected machines are coordinated by a command-and-control server.

ABotnet AttackCorrect

A botnet consists of multiple compromised devices (bots) that communicate with a centralized command-and-control (C2) server. The scenario describes exactly this: numerous internal IPs sending data to one blacklisted public IP, which is the hallmark C2 communication pattern used to exfiltrate data or receive instructions from an attacker.

BSpear Phishing Attack

Spear phishing is a targeted social-engineering email attack used to gain initial access, not a pattern of multiple hosts communicating outbound to a single C2 IP.

CAdvanced Persistent Threats

Advanced Persistent Threats describe a prolonged, stealthy intrusion campaign by sophisticated actors; while botnets can be used in APTs, the scenario specifically identifies a C2 communication pattern that is definitional to botnets.

DRootkit Attack

A rootkit is a type of malware designed to hide its presence on a compromised host; it is not defined by multiple machines communicating to a single external IP.

Concept tested: Botnet command-and-control traffic identification

Source: https://www.cisa.gov/news-events/news/understanding-botnets

Topics

#botnet#C&C server#network monitoring#compromised hosts

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice