The answer is TCP 192.168.1.10:49153 to 203.0.113.50:443 in TIME_WAIT with PID 1204, as this combination of a high ephemeral source port, an external HTTPS destination, and a short-lived connection state is a classic signature of C2 beaconing. Attackers frequently use HTTPS on port 443 to blend with normal web traffic, while the TIME_WAIT state indicates brief, periodic connections rather than sustained data transfer—exactly the pattern of a beacon checking in with its controller. On the CHFI exam, this question tests your ability to identify C2 beaconing from netstat output, a critical skill for a first responder; a common trap is dismissing TIME_WAIT as benign, but in forensic context, it often signals the end of a short command-and-control exchange. Remember the mnemonic: “High port, HTTPS, TIME_WAIT—think beacon, not data freight.”
CHFI Incident Response and First Responder Skills Practice Question
This CHFI practice question tests your understanding of incident response and first responder skills. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. Once you have made your selection, read the full explanation and wrong-answer breakdown below to reinforce the concept and to see why each distractor is designed to mislead on exam day.
Exhibit
Exhibit:
C:\> netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 192.168.1.10:49152 10.0.0.5:80 ESTABLISHED 3342
TCP 192.168.1.10:49153 203.0.113.50:443 TIME_WAIT 1204
TCP 192.168.1.10:49154 192.168.1.1:53 TIME_WAIT 2016
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 1056
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 668
UDP 0.0.0.0:123 *:* 888
UDP 0.0.0.0:1900 *:* 4320
Refer to the exhibit. A first responder runs netstat -ano on a Windows system. Which connection is MOST likely indicative of a potential C2 communication?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "first"
Why it matters: Order matters here. You are being tested on which action comes before the others — not which action is generally useful.
Clue: "most likely"
Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
TCP 192.168.1.10:49153 to 203.0.113.50:443 TIME_WAIT PID 1204
Option C is correct because the connection from a high ephemeral port (49153) to an external IP (203.0.113.50) over HTTPS (port 443) with a short-lived TIME_WAIT state is a classic indicator of potential C2 beaconing. C2 communications often use HTTPS to blend with legitimate traffic, and the TIME_WAIT state suggests brief, periodic connections typical of beaconing, rather than sustained data transfer. The external IP is also in a documentation/test range (203.0.113.0/24), which is commonly used for examples but in a real scenario would be suspicious as an unknown external destination.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✗
TCP 0.0.0.0:3389 LISTENING PID 668
Why it's wrong here
RDP listening is normal for remote administration.
✗
TCP 192.168.1.10:49154 to 192.168.1.1:53 TIME_WAIT PID 2016
Why it's wrong here
This is a short DNS exchange with the internal gateway/resolver (192.168.1.1, port 53); a TIME_WAIT left behind by a brief lookup is expected behaviour, not a beacon.
✓
TCP 192.168.1.10:49153 to 203.0.113.50:443 TIME_WAIT PID 1204
Why this is correct
The foreign IP is external and the PID is not a standard Windows process; TIME_WAIT may indicate recent C2 communication.
Clue confirmation
The clue words "first", "most likely" in the question point toward this answer.
Related concept
Read the scenario before looking for a memorised answer.
✗
TCP 192.168.1.10:49152 to 10.0.0.5:80 ESTABLISHED PID 3342
Why it's wrong here
This is a typical HTTP connection to an internal server.
Common exam traps
Common exam trap: answer the scenario, not the keyword
EC-Council often tests the misconception that any ESTABLISHED connection is suspicious, but here the trap is that TIME_WAIT to an external HTTPS port is more indicative of C2 beaconing than an ESTABLISHED connection to an internal HTTP server.
Detailed technical explanation
How to think about this question
C2 beacons often use HTTPS (port 443) to evade detection by mimicking normal web traffic, and the TIME_WAIT state (RFC 793) shows that the local side actively closed the connection after a short exchange, which is typical of beacon check-in intervals. The netstat -ano command shows the owning PID, which can be cross-referenced with Task Manager to identify the process; during incident response, a suspicious PID whose executable path is unknown or unusual would further support the C2 hypothesis. Real-world C2 frameworks like Cobalt Strike frequently use HTTPS with jittered sleep intervals, so a beaconing host accumulates many short-lived TIME_WAIT connections to the same external IP.
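The triage described above can be automated so that a first responder does not have to eyeball every row. The script below is an added example written for this page; it is not Courseiva's code and not part of the question. It parses netstat -ano text, flags connections whose destination lies outside the internal address space, and scores each flagged row on the traits discussed here (web port, ephemeral source port, short-lived state, repeated check-ins to one endpoint). The sample input is the exhibit from the question plus two constructed rows at the end, and the PID-to-image table is constructed to stand in for tasklist output on a live host.

```python
"""Triage netstat -ano output for the C2-beacon pattern: external destination,
web port such as 443, high ephemeral local port, short-lived state, and
repeated short connections to the same endpoint.

Added example for this page (not Courseiva's code). Sample rows below are the
question's exhibit plus two constructed rows; the PID-to-image map is constructed
and would come from `tasklist /FI "PID eq <pid>"` on a real host.
"""
import ipaddress
import re
from collections import Counter

# Address space treated as "inside the network": RFC 1918 plus loopback and
# link-local. ipaddress's is_private is deliberately NOT used, because Python
# also classifies the documentation ranges (203.0.113.0/24 and friends) as
# private, which would hide exactly the destination this exercise is about.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]
WEB_PORTS = {80, 443, 8080, 8443}      # ports that blend with normal browsing
EPHEMERAL_MIN = 49152                   # Windows dynamic port range starts here
SHORT_LIVED = {"TIME_WAIT", "CLOSE_WAIT", "FIN_WAIT_2"}

# proto, local, foreign, optional state (UDP rows have none), pid
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        lip, lport = local.rsplit(":", 1)
        fip, fport = foreign.rsplit(":", 1)
        rows.append({"proto": proto, "local_ip": lip, "local_port": int(lport),
                     "foreign_ip": fip, "foreign_port": fport,   # '*' for UDP
                     "state": state or "", "pid": int(pid)})
    return rows


def is_external(ip_text):
    """True for a routable remote address outside INTERNAL_NETS."""
    ip_text = ip_text.strip("[]")           # netstat brackets IPv6 addresses
    if ip_text in ("*", "0.0.0.0", "::"):
        return False
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def beacon_indicators(row):
    """Reasons a row matches the beacon pattern; empty list means no match.
    An external destination is required before the other traits count."""
    if row["proto"] != "TCP" or row["state"] == "LISTENING":
        return []
    if not is_external(row["foreign_ip"]):
        return []
    reasons = ["external destination"]
    fport = row["foreign_port"]
    if fport.isdigit() and int(fport) in WEB_PORTS:
        reasons.append("web port %s (blends with browsing)" % fport)
    if row["local_port"] >= EPHEMERAL_MIN:
        reasons.append("ephemeral source port")
    if row["state"] in SHORT_LIVED:
        reasons.append("short-lived state %s" % row["state"])
    return reasons


def triage(text, pid_images):
    """Score every connection; returns findings, strongest match first."""
    rows = parse_netstat(text)
    # Repeated short-lived connections to one external endpoint are the beacon
    # fingerprint, so count them across the whole listing.
    hits = Counter((r["foreign_ip"], r["foreign_port"]) for r in rows
                   if r["state"] in SHORT_LIVED and is_external(r["foreign_ip"]))
    findings = []
    for r in rows:
        reasons = beacon_indicators(r)
        if not reasons:
            continue
        n = hits[(r["foreign_ip"], r["foreign_port"])]
        if n > 1:
            reasons.append("%d short-lived connections to this endpoint" % n)
        findings.append({"local": "%s:%d" % (r["local_ip"], r["local_port"]),
                         "foreign": "%s:%s" % (r["foreign_ip"], r["foreign_port"]),
                         "state": r["state"], "pid": r["pid"],
                         "image": pid_images.get(r["pid"], "UNKNOWN - check tasklist"),
                         "score": len(reasons), "reasons": reasons})
    findings.sort(key=lambda f: -f["score"])
    return findings


# The exhibit from the question, plus two constructed rows at the end: a second
# check-in from the same PID and an SMB session to an internal file server.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49152     10.0.0.5:80            ESTABLISHED     3342
  TCP    192.168.1.10:49153     203.0.113.50:443       TIME_WAIT       1204
  TCP    192.168.1.10:49154     192.168.1.1:53         TIME_WAIT       2016
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1056
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       668
  UDP    0.0.0.0:123            *:*                                    888
  UDP    0.0.0.0:1900           *:*                                    4320
  TCP    192.168.1.10:49160     203.0.113.50:443       TIME_WAIT       1204
  TCP    192.168.1.10:49161     10.0.0.7:445           ESTABLISHED     4
"""
# Constructed PID-to-image table standing in for tasklist output (hypothetical).
PID_IMAGES = {4: "System", 668: "svchost.exe", 1056: "svchost.exe",
              2016: "svchost.exe", 3342: "chrome.exe", 1204: "unknown.exe"}

if __name__ == "__main__":
    for f in triage(SAMPLE, PID_IMAGES):
        print("%s -> %s %s PID %d (%s) score=%d: %s" % (
            f["local"], f["foreign"], f["state"], f["pid"], f["image"],
            f["score"], "; ".join(f["reasons"])))
```

Only the two connections from PID 1204 to 203.0.113.50:443 survive the filter; the internal HTTP, DNS and SMB rows and the listening sockets score nothing, which mirrors the option analysis on this page. The explicit INTERNAL_NETS list matters: treating the TEST-NET address as "private" because a library says so would silence the one row that needs a human to look at it.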
Key Concepts to Remember
Read the scenario before looking for a memorised answer.
Find the constraint that changes the correct option.
Eliminate answers that are true in general but not in this case.
Exam Day Tips
→ Watch for words such as best, first, most likely and least administrative effort.
→ Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this CHFI question in full detail.
Incident Response and First Responder Skills — This question tests Incident Response and First Responder Skills — Read the scenario before looking for a memorised answer.
What is the correct answer to this question?
The correct answer is: TCP 192.168.1.10:49153 to 203.0.113.50:443 TIME_WAIT PID 1204 (Option C). The full reasoning is given in the "Correct answer & explanation" section above.
What should I do if I get this CHFI question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Are there clue words in this question I should notice?
Yes — watch for: "first", "most likely". Order matters here. You are being tested on which action comes before the others — not which action is generally useful.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. Refer to the exhibit. During incident response, a first responder runs 'netstat -ano' on a compromised Windows system. Which connection is most likely to be the command-and-control (C2) channel and should be prioritized for isolation?
easy
✓ A. 192.168.1.100:1045 to 203.0.113.5:4444 (ESTABLISHED)
B. 192.168.1.100:1047 to 10.0.0.1:22 (ESTABLISHED)
C. 192.168.1.100:1046 to 192.168.1.1:443 (ESTABLISHED)
D. 192.168.1.100:1048 to 198.51.100.7:80 (TIME_WAIT)
Why A: Option A shows an established connection from the internal host (192.168.1.100) to an external IP (203.0.113.5) on TCP port 4444, which is commonly associated with Metasploit reverse shells and other C2 frameworks. The ESTABLISHED state indicates an active, ongoing session, making it the highest priority for isolation during incident response.
This CHFI practice question is part of Courseiva's free EC-Council certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the CHFI exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.