nerdexam
(ISC)2

CISSP · Question #457

Which of the following will help identify the source internet protocol (IP) address of malware being exected on a computer?

The correct answer is A. List of open network connections. Identifying the source IP address of malware requires examining active network connections, which reveal remote addresses communicating with the infected host. Tools like 'netstat' display these open connections including foreign IP addresses.

Submitted by amina.ke· Mar 5, 2026Security Operations

Question

Which of the following will help identify the source internet protocol (IP) address of malware being exected on a computer?

Options

  • AList of open network connections
  • BDisplay Transmission Control Protocol/Internet Protocol (TCP/IP) network configuration
  • CList of running processes
  • DDisplay the Address Resolution Protocol (APP) table.

How the community answered

(32 responses)
  • A
    72% (23)
  • B
    6% (2)
  • C
    16% (5)
  • D
    6% (2)

Why each option

Identifying the source IP address of malware requires examining active network connections, which reveal remote addresses communicating with the infected host. Tools like 'netstat' display these open connections including foreign IP addresses.

AList of open network connectionsCorrect

A list of open network connections (viewed via tools like 'netstat -an') shows all active and listening TCP/UDP connections, including the remote (foreign) IP addresses and ports that a process is communicating with. Since malware typically beacons out to a command-and-control server, the remote IP address in an established connection tied to a suspicious process directly identifies the malware's source or destination IP address.

BDisplay Transmission Control Protocol/Internet Protocol (TCP/IP) network configuration

Displaying TCP/IP network configuration (e.g., 'ipconfig' or 'ifconfig') shows the local machine's own IP address, subnet mask, and gateway settings, not remote addresses of external systems communicating with the host.

CList of running processes

A list of running processes identifies what programs are executing on the system but does not reveal the network addresses those processes are communicating with; you would need to correlate process IDs with network connections for that detail.

DDisplay the Address Resolution Protocol (APP) table.

The ARP table maps local IP addresses to MAC addresses on the same network segment and does not reveal remote internet IP addresses used by malware communicating over the internet.

Concept tested: Using netstat to identify malicious network connections

Source: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/netstat

Topics

#malware analysis#network connections#incident response#forensics tools

Community Discussion

No community discussion yet for this question.

Full CISSP Practice