nerdexam
GIAC

GCIH · Question #794

A Windows workstation was clean a few days ago but now appears to be infected. Based on results from tasklist, which was run last week, which connection or connections shown in netstat - naob, run tod

The correct answer is C. The connections with lsass.exe. Identifying malicious network activity by cross-referencing known-clean process baselines from tasklist with active connections shown in netstat.

Malware Analysis & Advanced Persistent Threats

Question

A Windows workstation was clean a few days ago but now appears to be infected. Based on results from tasklist, which was run last week, which connection or connections shown in netstat - naob, run today, most likely indicates the host is now infected?

Exhibit

GCIH question #794 exhibit

Options

  • AThe connection with winevtd.exe
  • BThe connection with wmpnetwk.exe
  • CThe connections with lsass.exe
  • DThe connections with svchost.exe

How the community answered

(24 responses)
  • A
    8% (2)
  • B
    21% (5)
  • C
    67% (16)
  • D
    4% (1)

Why each option

Identifying malicious network activity by cross-referencing known-clean process baselines from tasklist with active connections shown in netstat.

AThe connection with winevtd.exe

winevtd.exe is not a recognized standard Windows system process, but if it appeared in last week's clean tasklist baseline it was already present before the suspected infection occurred.

BThe connection with wmpnetwk.exe

wmpnetwk.exe is the legitimate Windows Media Player Network Sharing Service and routinely makes network connections for media streaming, so its presence in netstat is not a reliable infection indicator.

CThe connections with lsass.exeCorrect

lsass.exe (Local Security Authority Subsystem Service) is a core Windows authentication process that does not normally initiate or maintain external network connections. Seeing lsass.exe listed in netstat output strongly indicates either a malicious process impersonating lsass.exe or adversarial code injected into the legitimate process - both are well-documented malware techniques that exploit this trusted process name to evade detection.

DThe connections with svchost.exe

svchost.exe hosts dozens of Windows services and continuously makes numerous legitimate network connections as part of normal OS operation, making its netstat appearance expected rather than suspicious.

Concept tested: Malware detection via process and network baseline comparison

Source: https://attack.mitre.org/techniques/T1055/

Topics

#malware detection#process analysis#lsass injection#tasklist forensics

Community Discussion

No community discussion yet for this question.

Full GCIH Practice