200-201 Host-Based Analysis • Complete Question Bank
Refer to the exhibit.

```
C:\Users\Admin> tasklist /svc

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1236 BrokerInfrastructure, DcomLaunch, PlugPlay
svchost.exe                   1420 RpcSs, LanmanWorkstation, Dhcp, NlaSvc
svchost.exe                   1508 WpnService, WpnUserService
notepad.exe                   2344 N/A
cmd.exe                       2568 N/A
powershell.exe                2792 N/A

C:\Users\Admin> netstat -anob | findstr 192.168.1.50
  TCP    192.168.1.100:49152    192.168.1.50:443       ESTABLISHED     2792
  TCP    192.168.1.100:49153    192.168.1.50:80        ESTABLISHED     1420
```
Refer to the exhibit.

```
Mar 1 10:15:22 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.2(49152) -> 10.0.0.1(23), 1 packet
Mar 1 10:15:23 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.2(49153) -> 10.0.0.1(23), 1 packet
Mar 1 10:15:24 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.2(49154) -> 10.0.0.1(23), 1 packet
```
Refer to the exhibit.

```
C:\> tasklist /svc /fi "PID eq 1234"

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1234 CryptSvc, Dnscache, LanmanWorkstation, W32Time
```
Match each concept to its description.
Logs success/failure audit events
Logs operating system events
Logs events from applications
Logs installation events
Logs events forwarded from other computers
Match each concept to its description.
System is unusable
Immediate action required
Critical conditions
Error conditions
Warning conditions
Refer to the exhibit.

```
C:\Users\admin>tasklist /SVC

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1240 DcomLaunch, LSM
svchost.exe                   1500 BrokerInfrastructure, gpsvc, ProfSvc
svchost.exe                   1780 Schedule
svchost.exe                   1972 Themes
svchost.exe                   2100 WlanSvc
notmalware.exe                2300 No services are associated with this image.
```
Refer to the exhibit.

```
Aug 10 14:32:17 host1 sshd[2345]: Failed password for root from 192.168.1.100 port 34567 ssh2
Aug 10 14:32:20 host1 sshd[2345]: Failed password for root from 192.168.1.100 port 34568 ssh2
Aug 10 14:32:23 host1 sshd[2345]: Failed password for root from 192.168.1.100 port 34569 ssh2
Aug 10 14:32:26 host1 sshd[2346]: Accepted password for admin from 192.168.1.100 port 34570 ssh2
```
Refer to the exhibit.
```
{
"File": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
"Process": "C:\\Windows\\System32\\msiexec.exe",
"RegistryKey": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate",
"RegistryValue": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"
}
```

Refer to the exhibit. From a Windows host, the analyst runs:

```
C:\> netstat -ano | findstr 4444
  TCP    192.168.1.100:49201    203.0.113.5:4444       ESTABLISHED     1234
  UDP    0.0.0.0:4444           *:*                                    5678
```

The analyst also runs:

```
C:\> tasklist | findstr 1234
cmd.exe                       1234 Console                    1      2,048 K

C:\> tasklist | findstr 5678
svchost.exe                   5678 Services                   0      1,024 K
```
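The two netstat/tasklist exhibits above both come down to the same analyst step: join each socket to its owning process by PID and then ask whether that process should have the socket at all. The following script is an added example and is not part of the question bank; the sample text is constructed from the exhibit values (the `svchost.exe 5678` line is given `/svc` style output to show the "no services" case), and the flag names and heuristics are illustrative assumptions, not a vendor rule set.

```python
"""Correlate Windows netstat output with tasklist /svc output by PID.

Added example for the netstat/tasklist exhibits; not part of the question
bank. Sample text is constructed from the exhibit values, and the flagging
rules are illustrative analyst heuristics (assumptions), not a standard.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: tasklist /svc style output built from the exhibit values.
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1420 RpcSs, LanmanWorkstation, Dhcp, NlaSvc
svchost.exe                   5678 No services are associated with this image.
cmd.exe                       1234 N/A
powershell.exe                2792 N/A
"""

# Constructed sample: netstat -ano rows built from the exhibit values.
# TCP rows carry a state column; UDP rows do not, so the state is optional.
NETSTAT_ANO = """\
  TCP    192.168.1.100:49201    203.0.113.5:4444       ESTABLISHED     1234
  TCP    192.168.1.100:49153    192.168.1.50:80        ESTABLISHED     1420
  UDP    0.0.0.0:4444           *:*                                    5678
  TCP    192.168.1.100:49152    192.168.1.50:443       ESTABLISHED     2792
"""


@dataclass
class Proc:
    image: str
    pid: int
    services: list = field(default_factory=list)


@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str  # "" for UDP rows, which have no state column
    pid: int


# Header and separator lines never match: their second column is not numeric.
_TASK_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.*?)\s*$")
# Optional state group only matches upper-case words, so a UDP row's PID is not mistaken for a state.
_NET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_tasklist_svc(text):
    """Map PID -> Proc; 'N/A' and 'No services ...' both become an empty service list."""
    procs = {}
    for line in text.splitlines():
        m = _TASK_RE.match(line)
        if not m:
            continue
        image, pid, svc = m.group(1), int(m.group(2)), m.group(3)
        if svc == "N/A" or svc.startswith("No services"):
            services = []
        else:
            services = [s.strip() for s in svc.split(",")]
        procs[pid] = Proc(image, pid, services)
    return procs


def parse_netstat(text):
    """Return one Conn per TCP/UDP row; unrelated lines (headers, -b module names) are ignored."""
    conns = []
    for line in text.splitlines():
        m = _NET_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state or "", int(pid)))
    return conns


# Assumption: interactive shells rarely own established sockets on a workstation.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def flags_for(conn, proc):
    """Illustrative triage heuristics (assumptions): what an analyst checks first."""
    if proc is None:
        return ["pid-not-in-process-list"]
    flags = []
    image = proc.image.lower()
    if image in SHELLS and conn.state == "ESTABLISHED":
        flags.append("shell-with-established-connection")
    if image == "svchost.exe" and not proc.services:
        flags.append("svchost-hosting-no-services")
    return flags


def correlate(netstat_text, tasklist_text):
    """Join each connection to its owning process and attach flags."""
    procs = parse_tasklist_svc(tasklist_text)
    return [{"conn": c, "proc": procs.get(c.pid), "flags": flags_for(c, procs.get(c.pid))}
            for c in parse_netstat(netstat_text)]


def flagged_pids(netstat_text, tasklist_text):
    """PIDs that carry at least one flag: the short list to look at first."""
    return {row["conn"].pid for row in correlate(netstat_text, tasklist_text) if row["flags"]}


if __name__ == "__main__":
    for row in correlate(NETSTAT_ANO, TASKLIST_SVC):
        c, p = row["conn"], row["proc"]
        owner = f"{p.image} [{', '.join(p.services) or 'no services'}]" if p else "<unknown pid>"
        print(f"{c.proto:<4} {c.local:<22} -> {c.remote:<20} {c.state:<12} pid={c.pid:<5} {owner} {row['flags']}")
```

On the constructed input, the `cmd.exe` socket to port 4444 and the `powershell.exe` socket to port 443 are flagged as shells with established connections, the UDP listener on 4444 is flagged because its `svchost.exe` hosts no service, and the `svchost.exe` that hosts `LanmanWorkstation` and is talking to port 80 gets no flag. The flags are a starting point for triage, not a verdict: the next step is the `tasklist /svc /fi "PID eq N"` and `netstat -anob` module lookups the exhibits show.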
Refer to the exhibit.

```
Event 4688 (Process Creation):
  New Process ID:        0x1234
  New Process Name:      C:\Users\Public\svchost.exe
  Creator Process ID:    0x9ABC
  Creator Process Name:  C:\Windows\System32\wmiprvse.exe
  Process Command Line:  svchost.exe -k ntsvcs

Event 4688 (Process Creation):
  New Process ID:        0x5678
  New Process Name:      C:\Windows\System32\svchost.exe
  Creator Process ID:    0x1234
  Creator Process Name:  C:\Users\Public\svchost.exe
  Process Command Line:  C:\Windows\System32\calc.exe
```
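The 4688 exhibit above rewards reading the fields against each other: the image path versus the binary's expected directory, the command line versus the image, and the creator chain across records. The script below is an added example, not part of the question bank; the record text is constructed from the exhibit values, and the list of system binaries, the WMI provider-host check and the flag names are illustrative assumptions rather than a published signature set.

```python
"""Flag suspicious process creations in Windows Security Event 4688 records.

Added example for the 4688 exhibit; not part of the question bank. The record
text is constructed from the exhibit values; the rules are illustrative
analyst heuristics (assumptions), not a vendor signature set.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: the two exhibit records, one per blank-line-separated block.
EVENTS_4688 = r"""
Event 4688 (Process Creation):
  New Process ID:        0x1234
  New Process Name:      C:\Users\Public\svchost.exe
  Creator Process ID:    0x9ABC
  Creator Process Name:  C:\Windows\System32\wmiprvse.exe
  Process Command Line:  svchost.exe -k ntsvcs

Event 4688 (Process Creation):
  New Process ID:        0x5678
  New Process Name:      C:\Windows\System32\svchost.exe
  Creator Process ID:    0x1234
  Creator Process Name:  C:\Users\Public\svchost.exe
  Process Command Line:  C:\Windows\System32\calc.exe
"""

# Assumption: a short list of binaries that legitimately live only in the system directories.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe",
                   "wininit.exe", "winlogon.exe", "smss.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
WMI_HOST = "wmiprvse.exe"  # WMI provider host; a common parent in remote execution

_FIELDS = {
    "pid": r"New Process ID:\s*(\S+)",
    "image": r"New Process Name:\s*(.+)",
    "ppid": r"Creator Process ID:\s*(\S+)",
    "parent": r"Creator Process Name:\s*(.+)",
    "cmdline": r"Process Command Line:\s*(.*)",
}


def parse_4688(text):
    """Return one dict per 'Event 4688' block; missing fields become ''."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        if "4688" not in block:
            continue
        rec = {}
        for key, pattern in _FIELDS.items():
            m = re.search(pattern, block)
            rec[key] = m.group(1).strip() if m else ""
        records.append(rec)
    return records


def basename(path):
    return PureWindowsPath(path).name.lower()


def dirname(path):
    return str(PureWindowsPath(path).parent).lower()


def cmdline_image(cmdline):
    """First token of a command line, with surrounding quotes removed; '' if empty."""
    cmdline = cmdline.strip()
    if not cmdline:
        return ""
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0]


def flags_for(rec):
    """Per-record heuristics (assumptions): path, command-line and parent checks."""
    flags = []
    image = basename(rec["image"])
    if image in SYSTEM_BINARIES and dirname(rec["image"]) not in SYSTEM_DIRS:
        flags.append("system-binary-name-outside-system-dir")
    cmd_image = basename(cmdline_image(rec["cmdline"]))
    if cmd_image and cmd_image != image:
        flags.append("command-line-image-mismatch")
    if basename(rec["parent"]) == WMI_HOST:
        flags.append("spawned-by-wmi-provider-host")
    return flags


def analyze(text):
    """Map PID -> {image, parent, flags}; a child of an already-flagged process inherits a flag."""
    results = {}
    for rec in parse_4688(text):
        pid, ppid = int(rec["pid"], 16), int(rec["ppid"], 16)
        flags = flags_for(rec)
        if results.get(ppid, {}).get("flags"):
            flags.append("parent-flagged")
        results[pid] = {"image": rec["image"], "parent": rec["parent"], "flags": flags}
    return results


if __name__ == "__main__":
    for pid, info in analyze(EVENTS_4688).items():
        print(f"{pid:#06x} {info['image']} (parent: {info['parent']}) {info['flags']}")
```

Run on the constructed records, the first process is flagged twice (a `svchost.exe` outside the system directories, spawned by the WMI provider host) and the second is flagged for a command line whose executable (`calc.exe`) does not match the image name, plus the inherited parent flag. The parent-child propagation is deliberately order-dependent: 4688 records arrive chronologically, so a creator PID normally appears before its children, but a PID can be reused after a process exits, which is why a real pipeline keys on process start time as well.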