CISSP · Question #457
Which of the following will help identify the source internet protocol (IP) address of malware being exected on a computer?
The correct answer is A. List of open network connections. Identifying the source IP address of malware requires examining active network connections, which reveal remote addresses communicating with the infected host. Tools like 'netstat' display these open connections including foreign IP addresses.
Question
Which of the following will help identify the source internet protocol (IP) address of malware being exected on a computer?
Options
- AList of open network connections
- BDisplay Transmission Control Protocol/Internet Protocol (TCP/IP) network configuration
- CList of running processes
- DDisplay the Address Resolution Protocol (APP) table.
How the community answered
(32 responses)- A72% (23)
- B6% (2)
- C16% (5)
- D6% (2)
Why each option
Identifying the source IP address of malware requires examining active network connections, which reveal remote addresses communicating with the infected host. Tools like 'netstat' display these open connections including foreign IP addresses.
A list of open network connections (viewed via tools like 'netstat -an') shows all active and listening TCP/UDP connections, including the remote (foreign) IP addresses and ports that a process is communicating with. Since malware typically beacons out to a command-and-control server, the remote IP address in an established connection tied to a suspicious process directly identifies the malware's source or destination IP address.
Displaying TCP/IP network configuration (e.g., 'ipconfig' or 'ifconfig') shows the local machine's own IP address, subnet mask, and gateway settings, not remote addresses of external systems communicating with the host.
A list of running processes identifies what programs are executing on the system but does not reveal the network addresses those processes are communicating with; you would need to correlate process IDs with network connections for that detail.
The ARP table maps local IP addresses to MAC addresses on the same network segment and does not reveal remote internet IP addresses used by malware communicating over the internet.
Concept tested: Using netstat to identify malicious network connections
Source: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/netstat
Topics
Community Discussion
No community discussion yet for this question.