CS0-002 topic 1 question 14

The correct answer to the question is Server 4 & the process infected is Svchost.exe.

Explanation:-

The IPs are within the RFC1918 class B range of 172.16.0.0 – 172.31.255.255
Both Servers 1 & 4 (internal) have the same communication with the same IPs for the same RDP(Remote Desktop Protocol [responsible for remote connecting to servers or computers with the same Windows OS])
which shows the system administrator remotely manages them
A connection between Server 1 & 4 is established with notepad.exe on server1 is connecting to port 443 on server 4
As per the question from a logical perspective, the server can be the web server where svchost.exe is listening to a different port rather than 443 & server 1(on DMZ) is trying to access the internal network on Server4 [which is malicious]

Got this one today!! Used Server 1 and notepad.exe. I didnt fail any pbqs...thanks for the deliberations fellas

how can you tell you didnt fail any pbqs?!

no, it just says how well you did on different topics / exam objectives, not specific questions

I don't think it's notepad.exe    https://www.file.net/process/notepad.exe.html

Server4 192.168.50.6
Server1 10.1.1.1

10.1.1.2:57433 >> 192.168.50.6:433 PID 1276 (notpad.exe)
192.168.50.6:433 << 10.1.1.2:57433 PID 348  (svchost.exe)

Answer is Server4 (svchost.exe)

Passed it the other day, this one was in it.
I selected Server 4, svchost.exe.
Read the question carefully, it asks specifically which server & process HOSTS the malware. Realistically you'd select both, but you can only choose one. Then why serv 4 svchost and not serv 1 notepad its counter part? Simple. It asks who hosts the malware, it has to be server 4 because even if notepad was malware of some kind on server 1 it shouldn't ever be able to talk to a server in the internal network without some compromise on that end. It has to cross the DMZ barrier. Being port 443 this looks like a reverse shell, where they've chosen port 443 to obfuscate it

notepad appearing as a service in task manager is not considered malware, it is a legitimate system process running in background as a service for other applications or processes. This is usually found in situations where Notepad is being used as part of a larger system or software component, and is not meant to be interacted with directly by the user.

People, the question is why would notepad process be communicating out to another host…OVER BL**DY  443….BRAAAAAAA THATS SUSPICIOUS ENOUGH FOR ME MATE

I am still mulling over this one, but here is more discussions in case anyone wanted to read more. https://www.islever.com/discussions/comptia/view/20574-exam-cs0-001-topic-1-question-141-discussion/

that's normal

I dug into this further, mostly because it was nagging at me. Notepad is legit, its being pulled over the network from 1 server to the other. I simulated it at my job to see and it looked similar enough for me to discredit it