CompTIA CASP+ (CAS-004) — Question 235

A security engineer has been informed by the firewall team that a specific Windows workstation is part of a command-and-control network. The only information the security engineer is receiving is that the traffic is occurring on a non-standard port (TCP 40322). Which of the following commands should the security engineer use FIRST to find the malicious process?

Answer options

Correct answer: B

Explanation

The correct command is netstat, which displays active network connections and listening ports, allowing the engineer to identify the process associated with the specified non-standard port. The other options do not help here: tcpdump captures network packets, tasklist shows running processes but not their network connections, traceroute maps the route to a network host, and ipconfig displays network configuration. None of these directly identifies the malicious process bound to the port.
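The triage step the explanation describes, as an added worked example (not part of the exam page): on the suspect Windows workstation, list the TCP connections using port 40322 and map each one to its owning process. It assumes Windows PowerShell 5.1 or later with the built-in NetTCPIP module, and the function name Find-PortOwner is my own.

```powershell
# Added example: find the process behind a suspicious non-standard port on Windows.
# Step 1 is netstat (the exam answer); the PID it reports is then resolved to a process.
function Find-PortOwner {
    param([int]$Port = 40322)

    # "netstat -ano" prints one line per connection with the owning PID in the last column.
    # Match the port on either side, since C2 traffic may carry it as the remote port.
    $lines = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' -and $_ -match ":$Port\s" }

    foreach ($line in $lines) {
        # Fields: Proto, LocalAddress, ForeignAddress, State, PID
        $fields   = ($line -split '\s+') | Where-Object { $_ }
        $ownerPid = [int]$fields[-1]          # not $pid, which is a read-only automatic variable
        $proc     = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Local   = $fields[1]
            Remote  = $fields[2]
            State   = $fields[3]
            PID     = $ownerPid
            Process = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Path    = if ($proc) { $proc.Path } else { $null }   # image path helps judge legitimacy
        }
    }
}

# Same question answered with the cmdlet instead of parsing netstat text output.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq 40322 -or $_.RemotePort -eq 40322 } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess

Find-PortOwner -Port 40322 | Format-Table -AutoSize
```

Run it elevated so Get-Process can read the image path of processes owned by other users; an empty result with the firewall still seeing traffic suggests the connection is short-lived or the process has already exited, so re-run in a loop or capture with the cmdlet while the firewall alert is active.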