Which detection identifies compromised hosts by tracking outbound connections and anomalies to locate a command and control server?


Multiple Choice

Which detection identifies compromised hosts by tracking outbound connections and anomalies to locate a command and control server?

Explanation:

Detecting compromised hosts by tracking outbound connections and anomalies to locate a command and control server hinges on spotting the communication channel malware uses to receive instructions. In many infections, the compromised host reaches out to a remote C2 server, sometimes at regular beaconing intervals, sometimes over unusual ports, with encrypted or obfuscated traffic, or to destinations that do not match normal user activity. By monitoring endpoint and network behavior for these signs (consistent, periodic outbound connections to suspicious domains or IPs, odd timing, unusual data volumes, or uncommon protocols), security teams can flag machines that are under the control of a C2 server and take action before broader damage occurs.

The other options relate to different stages or indicators of compromise. A web shell indicates a persistent access method on a web server; detecting one does not detect active C2 communications from compromised hosts. IoCs are general artifacts of compromise (such as known-bad hashes or IP addresses) and do not by themselves reveal ongoing C2 traffic on a host. Data staging detection looks for data being gathered and prepared for exfiltration, not for the command and control channel itself. Focusing on outbound C2 traffic directly targets the mechanism malware uses to receive commands, which makes it the best fit for detecting compromise via C2 activity.
