CompTIA Security+ (SY0-501) — Question 8

A security analyst is diagnosing an incident in which a system was compromised from an external IP address. The socket identified on the firewall was traced to 207.46.130.0:6666. Which of the following should the security analyst do to determine if the compromised system still has an active connection?

Answer options

A. tracert
B. netstat
C. ping
D. nslookup

Correct answer: B

Explanation

The correct answer is B, netstat, which lists the host's active connections and listening ports together with their local and remote addresses; running it on the compromised system shows whether a connection to 207.46.130.0:6666 is still established. The other options do not provide this information: A (tracert) traces the network route to an IP address, C (ping) only tests reachability of a host, and D (nslookup) resolves domain names to IP addresses. None of them reveals which connections the local system currently has open.