200-201 • Practice Test 29
Free 200-201 practice test — 15 questions with explanations. Set 29. No signup required.
You are analyzing network traffic from a compromised host. The host is running Windows and is connected to a corporate network. The IDS generated an alert for a known malware signature matching traffic from the host to an external IP on port 443. However, you see that the traffic is encrypted and the destination IP belongs to a cloud storage provider. The host also shows periodic DNS queries to a domain that closely resembles the cloud provider's domain but differs by a single character (typosquatting). The employee using that host reports no unusual activity. Which step should you take first to confirm the compromise?