
CS0-003 Question #546: Real Exam Question with Answer & Explanation

The correct answer is D: Malware beaconing.

Submitted by fatima_kr · Mar 6, 2026 · Security operations

Question

A security analyst runs tcpdump on the 10.203.10.22 machine and observes thousands of packets, as shown below. Which of the following activities explains the tcpdump output?

Options

  • A. Incoming nmap -sA scan
  • B. hping3 --udp scan over the network
  • C. C2 communications leaving the network
  • D. Malware beaconing

Explanation

Malware beaconing explains the tcpdump output as it typically involves a compromised host periodically sending small packets to a command and control (C2) server, often mimicking legitimate traffic patterns to evade detection.

Common mistakes.

  • A. An incoming nmap -sA (ACK scan) would show many incoming packets to the 10.203.10.22 machine, typically for port scanning, not thousands of sustained outbound packets.
  • B. An hping3 --udp scan would typically show a flood of UDP packets, likely to various ports or destinations, characteristic of a scanning tool, which is distinct from persistent C2 communication.
  • C. While C2 communications involve traffic leaving the network, malware beaconing is a more specific and common form of C2 communication characterized by periodic, low-volume activity, making it a more precise fit for the described output.
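The explanation and the common-mistakes list rest on one distinction: a beacon is many small packets to the same destination and port at a nearly constant interval, while a scan is a burst to many ports or hosts and normal browsing is bursty and irregular. The following script is an added example, not part of the original question page, that makes this distinction measurable: it parses tcpdump-style text lines, groups packets per (source, destination, destination port) flow, and computes the coefficient of variation of inter-arrival times together with the median payload length. The sample lines are constructed inline (one beacon flow, one browsing flow, one port sweep), the addresses are documentation ranges, and the thresholds (CV <= 0.1, median length <= 200 bytes, at least 6 packets) are assumptions chosen for illustration, not values from the page or from any product.

```python
import re
import statistics
from collections import defaultdict

# Matches the text form tcpdump prints with -n and -tt-style timestamps, e.g.
# "12:01:00.300000 IP 10.203.10.22.51234 > 203.0.113.10.443: Flags [P.], length 60"
LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d{6}) IP "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): .*length (\d+)$"
)


def parse_line(line):
    """Parse one tcpdump line into a dict; return None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s, us, src, sport, dst, dport, length = m.groups()
    t = int(h) * 3600 + int(mi) * 60 + int(s) + int(us) / 1e6
    return {"t": t, "src": src, "dst": dst, "dport": int(dport), "len": int(length)}


def flow_stats(packets, min_packets=6):
    """Per (src, dst, dport) flow: packet count, mean gap, gap CV and median length."""
    flows = defaultdict(list)
    for p in packets:
        flows[(p["src"], p["dst"], p["dport"])].append(p)
    stats = {}
    for key, pkts in flows.items():
        if len(pkts) < min_packets:      # a single probe per port never reaches this bar
            continue
        pkts.sort(key=lambda p: p["t"])
        gaps = [b["t"] - a["t"] for a, b in zip(pkts, pkts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        stats[key] = {
            "count": len(pkts),
            "mean_gap": mean,
            "cv": cv,                     # low CV = regular timing, the beacon signature
            "median_len": statistics.median([p["len"] for p in pkts]),
        }
    return stats


def flag_beacons(stats, max_cv=0.1, max_len=200):
    """Flows with near-constant timing and small payloads (thresholds are assumptions)."""
    return [k for k, s in stats.items() if s["cv"] <= max_cv and s["median_len"] <= max_len]


def fmt_line(t, src, sport, dst, dport, length):
    """Render a constructed packet in the same text form LINE_RE parses."""
    h, m, s = int(t // 3600) % 24, int(t % 3600 // 60), t % 60
    return f"{h:02d}:{m:02d}:{s:09.6f} IP {src}.{sport} > {dst}.{dport}: Flags [P.], length {length}"


# Constructed sample data: jitter around a 60 s beacon, irregular browsing gaps, and lengths.
BEACON_JITTER = [0.0, 0.3, -0.2, 0.1, -0.4, 0.2, 0.0, -0.1, 0.3, -0.3, 0.1, 0.2]
BROWSING_GAPS = [0.10, 0.05, 3.20, 0.02, 12.7, 0.30, 0.01, 45.0, 0.08, 1.10, 0.20]
BROWSING_LENS = [517, 1460, 0, 1460, 1460, 93, 1460, 0, 1460, 1460, 640, 1460]


def build_sample_lines():
    """Constructed capture: one beacon flow, one browsing flow, one 20-port sweep."""
    lines, t0 = [], 12 * 3600
    for i, j in enumerate(BEACON_JITTER):        # small packet to the same dst:port each minute
        lines.append(fmt_line(t0 + 60 * i + j, "10.203.10.22", 51234, "203.0.113.10", 443, 60))
    t = t0 + 5.0
    for i, ln in enumerate(BROWSING_LENS):       # same dst:port, but bursty timing and big packets
        lines.append(fmt_line(t, "10.203.10.22", 50211, "198.51.100.7", 443, ln))
        if i < len(BROWSING_GAPS):
            t += BROWSING_GAPS[i]
    for i in range(20):                          # one probe per port: many flows, each too short
        lines.append(fmt_line(t0 + 7 + i * 0.001, "10.203.10.22", 40000 + i, "192.0.2.5", 20 + i, 0))
    return lines


def analyze(lines):
    packets = [p for p in map(parse_line, lines) if p is not None]
    stats = flow_stats(packets)
    return stats, flag_beacons(stats)


if __name__ == "__main__":
    stats, beacons = analyze(build_sample_lines())
    for key, s in stats.items():
        print(f"{key}: n={s['count']} mean_gap={s['mean_gap']:.2f}s cv={s['cv']:.3f} "
              f"median_len={s['median_len']}")
    print("beacon candidates:", beacons)
```

On the constructed capture only the flow to 203.0.113.10:443 is flagged: its gaps sit within a few hundred milliseconds of 60 s (CV well under 0.01) and every packet is 60 bytes. The browsing flow shares the destination port but its CV is above 1 and its median length is 1460, and the port sweep never accumulates enough packets per flow to be scored. On a real capture, feed `tcpdump -n` output into `parse_line`; the interesting follow-up is usually the destination of any flagged flow rather than the packets themselves.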

Concept tested. Network Traffic Analysis (Malware Beaconing)

Reference. https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/detect-and-investigate-advanced-attacks#common-malicious-network-activity

Topics

#Network traffic analysis · #tcpdump · #Malware beaconing · #C2 communication
