CompTIA CASP+ (CAS-004) — Question 544
A systems administrator was given the following IOC to detect the presence of a malicious piece of software communicating with its command-and-control server:
POST /malicious.php -
User-Agent: Malicious Tool V 1.0
Host: www.malicious.com -
The IOC documentation suggests the URL is the only part that could change. Which of the following regular expressions would allow the systems administrator to determine if any of the company hosts are compromised, while reducing false positives?
Answer options
- A. User-Agent: Malicious Tool.*
- B. www\.malicious\.com\/malicious.php
- C. Post /malicious\.php
- D. Host: [a-z]*\.malicious\.com
- E. malicious.*
Correct answer: A
Explanation
The correct answer, A, captures the User-Agent string associated with the malicious tool, allowing for detection of the software irrespective of the URL. Options B and C focus too narrowly on the specific URL, which is subject to change, while D is not specific enough to the malicious User-Agent, and E is overly broad, potentially leading to numerous false positives.