A security analyst is investigating a host that is suspected of being used as a pivot point in a network intrusion. The analyst needs to identify which process initiated an outbound connection to a known malicious IP address. Which host-based analysis approach should the analyst use to correlate the network connection to the specific process?
Trap 1: Examine the Windows Firewall log to see the source and destination…
Firewall logs show network traffic but do not identify the process that initiated it.
Trap 2: Review Windows Security Event Log for Event ID 4688 (Process…
Event ID 4688 shows process creation events but does not directly link them to network connections.
Trap 3: Use PowerShell cmdlet 'Get-NetTCPConnection' to list current TCP…
Get-NetTCPConnection provides connection details but lacks the owning process information without additional options.
- A
Run 'netstat -b' on the Windows host to display active connections with the associated process executable.
The -b flag shows the binary involved in creating each connection, directly correlating the connection to the process.
- B
Examine the Windows Firewall log to see the source and destination IP addresses and ports for outbound traffic.
Why wrong: Firewall logs show network traffic but do not identify the process that initiated it.
- C
Review Windows Security Event Log for Event ID 4688 (Process Creation) for the timeline of process starts.
Why wrong: Event ID 4688 shows process creation events but does not directly link them to network connections.
- D
Use PowerShell cmdlet 'Get-NetTCPConnection' to list current TCP connections and their states.
Why wrong: Get-NetTCPConnection provides connection details but lacks the owning process information without additional options.