BlackFriday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

CompTIA Exam CAS-004 Topic 5 Question 30 Discussion

Actual exam question for CompTIA's CAS-004 exam
Question #: 30
Topic #: 5
[All CAS-004 Questions]

A security operations center analyst is investigating anomalous activity between a database server and an unknown external IP address and gathered the following data:

* dbadmin last logged in at 7:30 a.m. and logged out at 8:05 a.m.

* A persistent TCP/6667 connection to the external address was established at 7:55 a.m. The connection is still active.

* Other than bytes transferred to keep the connection alive, only a few kilobytes of data transfer every hour since the start of the connection.

* A sample outbound request payload from PCAP showed the ASCII content: "JOIN #community".

Which of the following is the MOST likely root cause?

Show Suggested Answer Hide Answer
Suggested Answer: D

The dbadmin user is consulting the community for help via Internet Relay Chat. The clues in the given information point to the dbadmin user having established an Internet Relay Chat (IRC) connection to an external address at 7:55 a.m. This connection is still active, and only a few kilobytes of data have been transferred since the start of the connection. The sample outbound request payload of 'JOIN #community' also suggests that the user is trying to join an IRC chatroom. This suggests that the dbadmin user is using the IRC connection to consult the community for help with a problem. Therefore, the root cause of the anomalous activity is likely the dbadmin user consulting the community for help via IRC. Reference: CompTIA Advanced Security Practitioner (CASP+) Study Guide, Chapter 10, Investigating Intrusions and Suspicious Activity.


Contribute your Thoughts:

Currently there are no comments in this discussion, be the first to comment!


Save Cancel