CAS-005 Question #391: Real Exam Question with Answer & Explanation
Question
SIMULATION

You are about to enter the virtual environment. DO NOT perform the following actions within the virtual environment. Making any of these changes will cause the virtual environment to fail and prevent proper scoring.

1. Disable ssh
2. Disable systemd
3. Alter the network adapter 172.162.0.0
4. Change the password on the lab admin account
5. Reboot the machine

Once you have completed the item in the virtual environment, you will NOT be allowed to return to this item.

TEST QUESTION

This system was recently patched following the exploitation of a vulnerability by an attacker to enable data exfiltration. Despite the vulnerability being patched, it is likely that a malicious TCP service is still running and the adversary has achieved persistence by creating a systemd service.

Examples of commands to use:
- kill, killall
- lsof
- man, --help (use for assistance)
- netstat (useful flags: a, n, g, u)
- ps (useful flag: a)
- systemctl (to control systemd)

Please note: the list of commands shown above is not exhaustive. All native commands are available.

INSTRUCTIONS

Using the following credentials:
- Username: labadmin
- Password: Passw0rd!

Investigate to identify indicators of compromise and then remediate them. You will need to make at least two changes:
1. End the compromised process that is using a malicious TCP service.
2. Remove the malicious persistence agent by disabling the service's ability to start on boot.

Answer

STEP 1: Identify and kill the malicious TCP process

1. List listening sockets together with the process that owns them (root is needed to see PIDs for sockets owned by other users; -t alone is enough for the TCP service the question describes):
   sudo netstat -tulnp
   If netstat is not installed, ss -tlnp gives the same information. Look for a listener on a port no legitimate service on this host should own (for example 4444 or 1337), or one owned by an unexpected program such as nc, ncat, socat, or a script under /tmp.
2. Verify the process before killing it:
   ps aux | grep <PID>
   sudo lsof -p <PID>
   Note its executable path and parent. A binary in /tmp, /dev/shm or a home directory, or a parent that is a systemd service you do not recognise, confirms the candidate. systemctl status <PID> prints the unit that owns the PID, which also gives you the name you need in STEP 2.
3. Terminate the process:
   sudo kill <PID>
   or sudo killall <process-name> if needed. If the listener reappears a moment later, the systemd unit restarted it (Restart=always); that is expected, and stopping the unit in STEP 2 ends it for good.

STEP 2: Disable the malicious systemd service (persistence)

1. List services and look for one that is not part of a typical system (names such as revshell.service, malicious.service, backdoor.service, or something chosen to blend in with update or logging units):
   systemctl list-units --type=service --state=running
   systemctl list-unit-files --type=service --state=enabled
2. Check the unit's definition before touching it (optional but helpful):
   systemctl status <suspicious-service>
   systemctl cat <suspicious-service>
   cat /etc/systemd/system/<suspicious-service>.service
   Administrator-created units normally live under /etc/systemd/system rather than /lib/systemd/system; an ExecStart that invokes nc, bash -i, /dev/tcp, or a file in /tmp is the persistence agent.
3. Disable the service so it can no longer start at boot:
   sudo systemctl disable <suspicious-service>
4. Stop the service if it is still running (this also kills the process it started):
   sudo systemctl stop <suspicious-service>
5. Verify both changes before leaving the environment:
   systemctl is-enabled <suspicious-service>   (expect: disabled)
   systemctl is-active <suspicious-service>    (expect: inactive)
   sudo netstat -tulnp                          (the malicious port should be gone)

Once these steps are done, you will have:
- Ended the malicious process.
- Disabled its persistence via systemd.

Avoid: disabling SSH or systemd, changing passwords, rebooting, or touching the 172.162.0.0 network adapter. Disabling one malicious unit is not the same as disabling systemd; leave the systemd service manager itself alone.
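The two hunts above (an unexpected TCP listener, and an enabled systemd unit whose ExecStart looks like a shell) can be scripted so the triage is repeatable. The script below is an added example written for this page, not part of the exam or its answer key: it parses netstat -tlnp text and walks a systemd config tree, flagging anything that matches common backdoor patterns. The EXPECTED_PORTS allowlist, the suspicious-command heuristic, the SAMPLE_NETSTAT text and the fixture tree built by make_demo_tree are all constructed assumptions for illustration; on the lab host you would pipe real netstat output in and point list_enabled_units at /etc/systemd/system.

```shell
#!/usr/bin/env bash
# Added triage helper (not exam content): find unexpected TCP listeners and
# enabled systemd units whose ExecStart looks like a backdoor. Runs offline
# against CONSTRUCTED sample data; point it at real data on the lab host.
set -u
TAB=$(printf '\t')

# Ports this host is expected to listen on (assumption: only sshd on 22).
EXPECTED_PORTS="${EXPECTED_PORTS:-22}"

# Constructed sample of `sudo netstat -tlnp` output; PIDs and names are made up.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd: /usr/sbin
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2310/nc
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd: /usr/sbin'

# Read netstat -tlnp text on stdin; print "port pid program" for every TCP
# LISTEN socket whose local port is not in EXPECTED_PORTS.
find_unexpected_listeners() {
  awk -v expected="$EXPECTED_PORTS" '
    BEGIN { n = split(expected, e, ","); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    /^tcp/ && $6 == "LISTEN" {
      n = split($4, a, ":"); port = a[n]            # last field works for 0.0.0.0:22 and :::22
      if (!(port in ok)) {
        split($7, p, "/"); print port, p[1], p[2]   # p[1] = PID, p[2] = program name
      }
    }'
}

# Heuristic (assumption, tune per environment): an ExecStart that runs from a
# scratch directory or invokes a reverse/bind-shell primitive is suspicious.
# Returns 0 (true) when the string matches.
is_suspicious_exec() {
  printf '%s\n' "$1" | grep -Eq \
    '(/tmp/|/var/tmp/|/dev/shm/|/dev/tcp/|bash -i|base64 -d|(^|[^A-Za-z0-9_])(nc|ncat|socat)([^A-Za-z0-9_]|$))'
}

# Walk a systemd config tree (default /etc/systemd/system) and print
# "unit<TAB>ExecStart" for every unit pulled in by a *.wants/ directory,
# i.e. every unit that `systemctl enable` has wired to start at boot.
list_enabled_units() {
  root="${1:-/etc/systemd/system}"
  for link in "$root"/*.wants/*.service; do
    [ -e "$link" ] || continue
    unit=$(readlink -f "$link")
    exec_line=$(grep -m1 '^ExecStart=' "$unit" | cut -d= -f2-) || true
    printf '%s\t%s\n' "$(basename "$unit")" "$exec_line"
  done
}

# Filter list_enabled_units down to units whose ExecStart trips the heuristic.
find_suspicious_units() {
  list_enabled_units "${1:-}" | while IFS="$TAB" read -r unit exec_line; do
    if is_suspicious_exec "$exec_line"; then
      printf '%s\t%s\n' "$unit" "$exec_line"
    fi
  done
}

# Build a CONSTRUCTED fixture tree shaped like /etc/systemd/system with one
# benign enabled unit and one enabled bind-shell unit; prints the tree's path.
make_demo_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/multi-user.target.wants"
  printf '[Service]\nExecStart=/usr/sbin/sshd -D\n' > "$root/ssh.service"
  printf '[Service]\nExecStart=/bin/bash -c "nc -lvp 4444 -e /bin/bash"\nRestart=always\n' \
    > "$root/sysupdate.service"
  ln -s "$root/ssh.service" "$root/multi-user.target.wants/ssh.service"
  ln -s "$root/sysupdate.service" "$root/multi-user.target.wants/sysupdate.service"
  printf '%s\n' "$root"
}

# Demo run over the constructed samples.
echo "Unexpected listeners (port pid program):"
printf '%s\n' "$SAMPLE_NETSTAT" | find_unexpected_listeners
demo_root=$(make_demo_tree)
echo "Suspicious enabled units (unit, ExecStart):"
find_suspicious_units "$demo_root"
rm -rf "$demo_root"
```

On the lab host the equivalent calls are `sudo netstat -tlnp | find_unexpected_listeners` and `find_suspicious_units /etc/systemd/system`. The script only reports; the remediation stays manual (systemctl disable, then systemctl stop, then confirm with systemctl is-enabled and a fresh netstat), and the Restart=always in the fixture is exactly why the unit, not just the PID, has to go.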
Options
- Task: Investigate to identify indicators of compromise and then remediate them. You will need to make at least two changes: 1. End the compromised process that is using a malicious TCP service. 2. Remove the malicious persistence agent by disabling the service's ability to start on boot.
- Prerequisites: Credentials: Username: labadmin, Password: Passw0rd!