CompTIA CySA+ (CS0-001) — Question 5
A security analyst is performing a forensic analysis on a machine that was the subject of some historic SIEM alerts. The analyst noticed some network connections utilizing SSL on non-common ports, copies of svchost.exe and cmd.exe in %TEMP% folder, and RDP files that had connected to external IPs. Which of the following threats has the security analyst uncovered?
Answer options
- A. DDoS
- B. APT
- C. Ransomware
- D. Software vulnerability
Correct answer: B
Explanation
Each of the three findings points to a long-running, covert intrusion rather than a single event. SSL/TLS sessions on non-standard ports are a common way for command-and-control traffic to evade port-based inspection; copies of svchost.exe and cmd.exe in %TEMP% suggest attacker tooling staged outside the system directories under names chosen to blend in with legitimate processes; and .rdp files pointing at external IP addresses indicate interactive remote access between the compromised host and attacker-controlled systems. Taken together, they describe stealthy, persistent, hands-on access, which is the defining trait of an Advanced Persistent Threat (APT). A DDoS would show up as traffic volume against a target, not as staged tooling and remote-access artifacts; ransomware would leave encrypted files and ransom notes rather than quiet, long-lived sessions; and a software vulnerability is a weakness that might have provided initial access, not a description of the post-compromise activity observed here.
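The three indicator classes in the question can each be checked mechanically during triage. The script below is an added example, not part of the CompTIA material: it runs three small checks over constructed sample evidence (a file listing, a Zeek-style connection log and the contents of a few .rdp files, all assumed, not taken from a real host) and flags system-binary names outside System32/SysWOW64, TLS on ports where TLS is not normally expected, and .rdp targets outside the internal address ranges. The port list, the binary list and the "two or more indicator classes means APT-consistent" rule are the example's own assumptions, not a standard.

```python
"""Triage checks for the indicators in the question, over constructed sample data.
Added example; lists, sample evidence and the scoring rule are assumptions."""
import ipaddress
import re
from pathlib import PureWindowsPath

# Directories where Windows system binaries legitimately live (lower-case).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Binaries attackers commonly copy or masquerade as (assumed watch list).
SYSTEM_BINARIES = {"svchost.exe", "cmd.exe", "lsass.exe", "rundll32.exe"}
# Ports on which TLS is ordinarily expected (assumed); anything else is "non-common".
COMMON_TLS_PORTS = {443, 465, 636, 853, 993, 995, 8443}
# Ranges treated as internal; everything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample evidence (not from a real machine).
FILE_LISTING = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\cmd.exe",
    r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
    r"C:\Users\jdoe\AppData\Local\Temp\cmd.exe",
    r"C:\Users\jdoe\AppData\Local\Temp\report.docx",
]
# Zeek-style connection records: src dst dst_port service (constructed).
CONN_LOG = """\
10.0.4.21 203.0.113.5 443 ssl
10.0.4.21 10.0.0.7 445 smb
10.0.4.21 198.51.100.23 8081 ssl
10.0.4.21 203.0.113.5 4433 ssl
10.0.4.21 10.0.0.9 3389 rdp
"""
# .rdp file contents keyed by path (constructed).
RDP_FILES = {
    r"C:\Users\jdoe\Documents\fileserver.rdp":
        "full address:s:10.0.0.15\nusername:s:jdoe\n",
    r"C:\Users\jdoe\AppData\Local\Temp\x.rdp":
        "screen mode id:i:2\nfull address:s:203.0.113.5:3389\n",
    r"C:\Users\jdoe\Documents\lab.rdp":
        "full address:s:lab-host.corp.example\n",
}

# "full address:s:HOST[:PORT]" line of an .rdp file (IPv6 bracket syntax not handled).
RDP_ADDR_RE = re.compile(
    r"^full address:s:(?P<host>[^:\r\n]+)(?::(?P<port>\d+))?\s*$",
    re.IGNORECASE | re.MULTILINE)


def is_external(ip):
    """True when an IP literal is outside INTERNAL_NETS; ValueError for hostnames."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def misplaced_system_binaries(paths):
    """Paths whose file name is a system binary but whose directory is not System32/SysWOW64."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() in SYSTEM_BINARIES and str(wp.parent).lower() not in SYSTEM_DIRS:
            hits.append(p)
    return hits


def tls_on_uncommon_ports(conn_log):
    """(dst, port) pairs where the service is TLS but the port is not a usual TLS port."""
    hits = []
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        _src, dst, port, service = line.split()
        if service == "ssl" and int(port) not in COMMON_TLS_PORTS:
            hits.append((dst, int(port)))
    return hits


def rdp_targets_outside_network(rdp_files):
    """(path, host, port) for .rdp files whose target is an external IP literal."""
    hits = []
    for path, content in rdp_files.items():
        m = RDP_ADDR_RE.search(content)
        if not m:
            continue
        host = m.group("host")
        try:
            external = is_external(host)
        except ValueError:
            continue  # hostname target: resolve before classifying
        if external:
            hits.append((path, host, int(m.group("port") or 3389)))
    return hits


def triage(paths, conn_log, rdp_files):
    """Run all three checks; two or more indicator classes is scored APT-consistent (assumed rule)."""
    findings = {
        "misplaced_binaries": misplaced_system_binaries(paths),
        "tls_uncommon_ports": tls_on_uncommon_ports(conn_log),
        "external_rdp_targets": rdp_targets_outside_network(rdp_files),
    }
    present = sum(1 for v in findings.values() if v)
    findings["assessment"] = "APT-consistent" if present >= 2 else "inconclusive"
    return findings


if __name__ == "__main__":
    for key, value in triage(FILE_LISTING, CONN_LOG, RDP_FILES).items():
        print(key, value)
```

On the sample data, all three checks fire: both %TEMP% copies are reported, the two TLS sessions to 8081 and 4433 are flagged while the one on 443 is not, and only the .rdp file aimed at an external address is returned (the hostname-based file is skipped rather than guessed at). In a real investigation the same checks would run over a full filesystem listing, the host's connection history and every .rdp file found, and the hits would be pivoted on for timelines and persistence mechanisms.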