Question 750 of 1,000
Incident Response and First Responder Skills · Hard · Multiple Choice · Objective-mapped

Quick Answer

The answer is TCP 192.168.1.10:49153 to 203.0.113.50:443 in TIME_WAIT with PID 1204. It is the only row whose peer sits outside private (RFC 1918) address space, it uses 443 (HTTPS), the port attackers favour because it blends into ordinary web traffic, and its high ephemeral source port shows a local process initiated it. TIME_WAIT means the local side has already closed the connection, so the exchange was short and is over; a single snapshot cannot prove that it repeats, but a brief, completed exchange with an unfamiliar external host is exactly what a beacon check-in looks like, which makes this the row to investigate (map PID 1204 to its executable, then run netstat again to see whether the pattern recurs). On the CHFI exam this question tests your ability to pick a C2 candidate out of netstat output, a core first-responder skill; the common trap is dismissing TIME_WAIT as benign because nothing is "active". Remember the mnemonic: "High port, HTTPS, TIME_WAIT: think beacon, not data freight."

CHFI Incident Response and First Responder Skills Practice Question

This CHFI practice question tests your understanding of incident response and first responder skills. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer, then read the full explanation and wrong-answer breakdown to reinforce the concept and see why each distractor is designed to mislead on exam day.

Exhibit

C:\> netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49152     10.0.0.5:80            ESTABLISHED     3342
  TCP    192.168.1.10:49153     203.0.113.50:443       TIME_WAIT       1204
  TCP    192.168.1.10:49154     192.168.1.1:53         TIME_WAIT       2016
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1056
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       668
  UDP    0.0.0.0:123            *:*                                    888
  UDP    0.0.0.0:1900           *:*                                    4320

Refer to the exhibit. A first responder runs netstat -ano on a Windows system. Which connection is MOST likely indicative of a potential C2 communication?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "first"

    Why it matters: Here "first" is part of the role "first responder", not a sequencing cue. It tells you the analyst is working from live, volatile output on the box (a single netstat snapshot), not from a full forensic image, so the question asks which row deserves the next look, not for a proven finding.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

Question 1 · Hard · Multiple choice

Answer choices

  • A. TCP 0.0.0.0:3389 LISTENING PID 668
  • B. TCP 192.168.1.10:49154 to 192.168.1.1:53 TIME_WAIT PID 2016
  • C. TCP 192.168.1.10:49153 to 203.0.113.50:443 TIME_WAIT PID 1204
  • D. TCP 192.168.1.10:49152 to 10.0.0.5:80 ESTABLISHED PID 3342

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

TCP 192.168.1.10:49153 to 203.0.113.50:443 TIME_WAIT PID 1204

Option C is correct because it is the only connection to a host outside private address space, it uses 443 (HTTPS), which C2 traffic favours precisely because it looks like ordinary browsing, and its high ephemeral source port (49153) shows a local process opened it. TIME_WAIT means the local side has already closed the connection after a short exchange; that is consistent with a beacon check-in, although one snapshot cannot show the periodic pattern itself, so the next steps are to map PID 1204 to its executable and to sample netstat again. The exhibit uses 203.0.113.50 from the RFC 5737 documentation range (203.0.113.0/24) as a stand-in for an unknown Internet host; on a real network that address would never appear, and the equivalent finding is any external address the organisation cannot account for.
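The reasoning above, written out as a small triage script. This is an added example, not code from the page or from any vendor tool: it parses the exhibit's netstat output (embedded below) and scores each row on the same features the explanation uses. The weights, the WEB_PORTS set and the definition of "internal" address space are assumptions chosen for illustration; the script ranks candidates for a closer look, it does not prove C2.

```python
"""Triage a `netstat -ano` snapshot for the connection most worth a closer look.

Added example, not from the page: scores each row on the same features the
explanation uses (external peer, web port, ephemeral source port, short-lived
state). Weights are illustrative; the output is a priority list, not a verdict.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Addresses that count as "inside": RFC 1918, loopback, link-local.
# ipaddress.ip_address(x).is_private is deliberately NOT used: Python also treats
# the RFC 5737 documentation range 203.0.113.0/24 as non-global, which would hide
# the very address this exhibit uses to stand in for an Internet host.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]
WEB_PORTS = {80, 443, 8080, 8443}                      # assumed "blends in" ports
CLOSING_STATES = {"TIME_WAIT", "CLOSE_WAIT", "FIN_WAIT_1", "FIN_WAIT_2", "LAST_ACK"}
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$")

# Exhibit from the page (203.0.113.50 is an RFC 5737 documentation address).
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49152     10.0.0.5:80            ESTABLISHED     3342
  TCP    192.168.1.10:49153     203.0.113.50:443       TIME_WAIT       1204
  TCP    192.168.1.10:49154     192.168.1.1:53         TIME_WAIT       2016
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1056
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       668
  UDP    0.0.0.0:123            *:*                                    888
  UDP    0.0.0.0:1900           *:*                                    4320
"""


@dataclass
class Conn:
    proto: str
    local: str
    foreign: str
    state: str
    pid: int
    score: int = 0
    reasons: list = field(default_factory=list)


def split_endpoint(endpoint):
    """'host:port' -> (host, port); also handles '[::1]:135' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def is_internal(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:        # '*' or a hostname: nothing to reason about
        return True
    return any(ip in net for net in INTERNAL_NETS)


def parse_netstat(text):
    """Rows of `netstat -ano`; UDP rows have no State column, so it is optional."""
    conns = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            conns.append(Conn(proto, local, foreign, state or "", int(pid)))
    return conns


def score(conn):
    host, port = split_endpoint(conn.foreign)
    if conn.state == "LISTENING" or host in ("*", "0.0.0.0", "::"):
        conn.reasons.append("listener, no peer to assess")
        return conn
    port = int(port)
    if int(split_endpoint(conn.local)[1]) >= 49152:
        conn.reasons.append("ephemeral source port: the local process initiated this")
    if not is_internal(host):
        conn.score += 3
        conn.reasons.append(f"peer {host} is outside internal address space")
        if port in WEB_PORTS:
            conn.score += 1
            conn.reasons.append(f"port {port} blends with normal web traffic")
        else:
            conn.score += 2
            conn.reasons.append(f"port {port} is not a usual web/service port")
    if conn.state in CLOSING_STATES:
        conn.score += 1
        conn.reasons.append(f"{conn.state}: short exchange already over; sample again to see if it repeats")
    return conn


def triage(text):
    """All rows, highest score first (sort is stable, so ties keep netstat order)."""
    return sorted((score(c) for c in parse_netstat(text)), key=lambda c: c.score, reverse=True)


def top_candidate(text):
    best = triage(text)[0]
    return best.local, best.foreign, best.pid


if __name__ == "__main__":
    for c in triage(NETSTAT_OUTPUT):
        print(f"{c.score:2d}  {c.proto} {c.local:<22}{c.foreign:<22}{c.state:<12}PID {c.pid:<5} {'; '.join(c.reasons)}")
```

Run against the exhibit, the HTTPS row to 203.0.113.50 ranks first (external peer, web port, closing state), the DNS row to the gateway scores only for its TIME_WAIT state, and the internal HTTP session scores nothing. The ranking is a starting point: the PID still has to be resolved to an executable on the host, which netstat alone cannot do.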

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • TCP 0.0.0.0:3389 LISTENING PID 668

    Why it's wrong here

    RDP listening is normal for remote administration.

  • TCP 192.168.1.10:49154 to 192.168.1.1:53 TIME_WAIT PID 2016

    Why it's wrong here

    This is a DNS query, normal network activity.

  • TCP 192.168.1.10:49153 to 203.0.113.50:443 TIME_WAIT PID 1204

    Why this is correct

    The foreign address is outside the local network and the service port is HTTPS; TIME_WAIT shows a short exchange that has already ended, which fits a beacon check-in. PID 1204 cannot be judged from netstat alone, which prints only the number: confirm with tasklist /FI "PID eq 1204" or Get-Process -Id 1204 | Select-Object Path, and treat an unfamiliar executable path as corroboration.

    Clue confirmation

    The clue "most likely" tells you to rank the candidates rather than prove one; "first" refers to the responder's role, not to an order of steps.

    Related concept

    Read the scenario before looking for a memorised answer.

  • TCP 192.168.1.10:49152 to 10.0.0.5:80 ESTABLISHED PID 3342

    Why it's wrong here

    This is a typical HTTP connection to an internal server.

Common exam traps

Common exam trap: answer the scenario, not the keyword

EC-Council often tests the misconception that any ESTABLISHED connection is suspicious, but here the trap is that TIME_WAIT to an external HTTPS port is more indicative of C2 beaconing than an ESTABLISHED connection to an internal HTTP server.

Detailed technical explanation

How to think about this question

C2 beacons often use HTTPS (port 443) to evade detection by mimicking normal web traffic. TIME_WAIT (RFC 793, now RFC 9293) is the state a socket enters on the side that closed first; on the workstation it means the local process opened a connection, finished a short exchange and closed it, and the entry lingers for a while after the connection has ended, which is why one snapshot can still catch a beacon that checked in seconds earlier. The netstat -ano command prints the owning PID; map it to a process with tasklist /FI "PID eq 1204" or Get-Process -Id 1204 | Select-Object Path (Get-NetTCPConnection reports OwningProcess alongside each connection), and an unknown or oddly placed executable strengthens the C2 hypothesis. Frameworks such as Cobalt Strike use HTTPS with a configurable sleep and jitter, so each check-in is a fresh short connection on a new ephemeral port; repeated samples show a series of TIME_WAIT entries to the same external address at roughly regular intervals.
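The periodicity the paragraph describes cannot be read from one snapshot, so here is the check an analyst would run over several. This is an added example, not code from the page or from any C2 framework: each observation is (seconds since the first sample, local endpoint, foreign endpoint), as recorded by running netstat -ano in a loop. The observations are constructed for the exercise (check-ins to 203.0.113.50:443 about a minute apart with jitter, plus bursty browsing to a second host), and the thresholds (at least five check-ins, coefficient of variation at most 0.25) are assumptions, not a published rule.

```python
"""Beacon-interval check over repeated `netstat -ano` samples.

Added example, not from the page: one snapshot only shows that a short
connection happened; periodicity needs several samples. The data below is
constructed and the thresholds are illustrative.
"""
import statistics
from collections import defaultdict

# Constructed: check-ins to 203.0.113.50:443, each on a fresh ephemeral port,
# spaced about a minute apart with jitter, plus irregular browsing to another host.
OBSERVATIONS = [
    (0,   "192.168.1.10:49153", "203.0.113.50:443"),
    (5,   "192.168.1.10:49153", "203.0.113.50:443"),   # same socket, still in TIME_WAIT
    (55,  "192.168.1.10:49161", "203.0.113.50:443"),
    (112, "192.168.1.10:49170", "203.0.113.50:443"),
    (166, "192.168.1.10:49181", "203.0.113.50:443"),
    (228, "192.168.1.10:49190", "203.0.113.50:443"),
    (281, "192.168.1.10:49202", "203.0.113.50:443"),
    (0,   "192.168.1.10:49155", "198.51.100.20:443"),
    (3,   "192.168.1.10:49156", "198.51.100.20:443"),
    (4,   "192.168.1.10:49157", "198.51.100.20:443"),
    (90,  "192.168.1.10:49175", "198.51.100.20:443"),
    (95,  "192.168.1.10:49176", "198.51.100.20:443"),
    (400, "192.168.1.10:49260", "198.51.100.20:443"),
]


def first_seen(observations):
    """One timestamp per socket: a socket lingers in TIME_WAIT across several
    samples, so repeats of the same local:foreign pair are the same connection.
    Returns {foreign endpoint: sorted first-seen times}."""
    earliest = {}
    for t, local, foreign in observations:
        key = (local, foreign)
        earliest[key] = min(t, earliest.get(key, t))
    by_peer = defaultdict(list)
    for (_, foreign), t in earliest.items():
        by_peer[foreign].append(t)
    return {peer: sorted(ts) for peer, ts in by_peer.items()}


def interval_stats(times):
    """Gaps between successive connections to one peer, with mean and
    coefficient of variation (stdev / mean). Needs at least three connections."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return {"n": len(times), "mean": mean, "cv": cv, "gaps": gaps}


def beacon_like(times, min_checkins=5, max_cv=0.25):
    """Regular spacing (low CV) over enough check-ins. A jittered sleep keeps the
    CV small; human-driven traffic is far more bursty."""
    stats = interval_stats(times)
    return bool(stats) and stats["n"] >= min_checkins and stats["cv"] <= max_cv


def classify(observations):
    return {peer: beacon_like(ts) for peer, ts in first_seen(observations).items()}


if __name__ == "__main__":
    for peer, ts in first_seen(OBSERVATIONS).items():
        s = interval_stats(ts)
        print(f"{peer:20} n={s['n']} mean={s['mean']:.1f}s cv={s['cv']:.2f} beacon_like={beacon_like(ts)}")
```

Two caveats for using this on a live host: the sampling interval must be shorter than the time a closed socket stays in TIME_WAIT, or check-ins fall between samples and the interval maths is wrong; and netstat in a loop is a stopgap for a first responder, since Sysmon Event ID 3 (network connection) or proxy and firewall logs give a complete record with the process path attached.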

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: the discriminator here is direction and destination (an outbound connection to an unfamiliar external address on 443), not whether netstat happened to catch the socket in ESTABLISHED or TIME_WAIT.

Real-world example

How this comes up in practice

A help-desk technician is asked to look at a workstation that is "slow". netstat -ano shows the usual listeners and one entry in TIME_WAIT to an Internet address on 443 that nobody recognises. On its own that proves nothing, since the workstation also closed a browser connection a moment ago. The technician maps the PID with tasklist, finds an executable running from the user's profile directory rather than a browser, and runs netstat again a minute later: a new ephemeral port, the same destination, TIME_WAIT again. That repetition, together with the unknown process, is what turns one line of netstat output into an incident, with the machine isolated and the PID's binary preserved for analysis.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

FAQ

Questions learners often ask

What does this CHFI question test?

Incident Response and First Responder Skills: reading live netstat output to pick out a likely command-and-control connection. Read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: TCP 192.168.1.10:49153 to 203.0.113.50:443 TIME_WAIT PID 1204. It is the only connection to a host outside private address space, it uses HTTPS (443), which C2 traffic favours because it blends in with normal web traffic, and TIME_WAIT shows a short exchange that has already ended, consistent with a beacon check-in. 203.0.113.50 is an RFC 5737 documentation address standing in for an unknown Internet host.

What should I do if I get this CHFI question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes: "most likely" asks you to rank the candidates and pick the most probable one, not to prove it. "First" here is part of "first responder" (the role working from live output on the box), not a cue about the order of actions.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Same concept, more angles

1 more way this is tested on CHFI

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. Refer to the exhibit. During incident response, a first responder runs 'netstat -ano' on a compromised Windows system. Which connection is most likely to be the command-and-control (C2) channel and should be prioritized for isolation?

easy
  • A. 192.168.1.100:1045 to 203.0.113.5:4444 (ESTABLISHED)
  • B. 192.168.1.100:1047 to 10.0.0.1:22 (ESTABLISHED)
  • C. 192.168.1.100:1046 to 192.168.1.1:443 (ESTABLISHED)
  • D. 192.168.1.100:1048 to 198.51.100.7:80 (TIME_WAIT)

Why A: Option A shows an established connection from the internal host (192.168.1.100) to an external IP (203.0.113.5) on TCP port 4444, which is commonly associated with Metasploit reverse shells and other C2 frameworks. The ESTABLISHED state indicates an active, ongoing session, making it the highest priority for isolation during incident response.

Last reviewed: Jun 30, 2026

This CHFI practice question is part of Courseiva's free EC-Council certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the CHFI exam.