Which indicators would suggest Command-and-Control (C2) activity in network traffic?


Multiple Choice

Which indicators would suggest Command-and-Control (C2) activity in network traffic?

Explanation:

The correct choice is beaconing patterns combined with DNS query anomalies. Beaconing is a compromised host checking in with a remote controller at regular, periodic intervals, whether or not a user is active; that automated check-in is how an implant polls for tasking and how the attacker keeps control of the host. DNS query anomalies reinforce the indication because many C2 frameworks use DNS as a covert channel: unusually frequent queries, long or high-entropy subdomains, or lookups for suspicious or algorithmically generated domains can carry instructions or exfiltrate data without any obvious HTTP traffic. Together, these patterns point to an automated control channel rather than normal user activity. One caveat for analysts: mature implants add jitter to their sleep interval, so the signal to look for is low variance in the gaps between connections, not perfectly identical gaps.

The other options are weaker indicators. Regular user authentication attempts occur in legitimate scenarios (interactive logons, token refreshes) and do not by themselves indicate a control channel. High-volume inbound web traffic from trusted domains is typical of legitimate services such as content delivery or partner access, and C2 traffic is in any case normally initiated outbound from the victim. Isolated internal traffic with no external connections implies no external control channel at all, which argues against C2 activity.
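As an added example (not part of the original question or its explanation), the Python below turns the two indicators into detection logic over constructed Zeek-style connection and DNS records. The beacon check measures how regular the gaps between connections are (coefficient of variation of inter-arrival times); the DNS check looks for many queries to one zone whose leftmost labels are long and high-entropy. All log records, IP addresses, hostnames and thresholds are constructed for the example, and `zone_of` is a deliberately crude stand-in for a public-suffix-list lookup.

```python
"""Beaconing and DNS-anomaly detection over constructed connection and DNS logs.

Added example for this page, not code from the original question or from any
product. All log records, thresholds and hostnames below are constructed.
"""
import hashlib
import math
import statistics
from collections import defaultdict

# --- Constructed connection records: (timestamp_s, src_ip, dst_ip, dst_port) ---
CONN_LOG = []
# 10.0.0.5 checks in roughly every 60 s (+/- 1 s of jitter): an automated beacon.
for i in range(12):
    CONN_LOG.append((1000 + 60 * i + (i % 3) - 1, "10.0.0.5", "203.0.113.9", 443))
# 10.0.0.7 browses a site in irregular bursts: human-driven traffic.
for t in (1003, 1010, 1091, 1400, 1405, 1900, 2650, 2655, 2659, 3200, 3800, 3807):
    CONN_LOG.append((t, "10.0.0.7", "198.51.100.20", 443))

# --- Constructed DNS queries: (src_ip, qname) ---
DNS_LOG = [("10.0.0.7", q) for q in
           ("www.example.com", "cdn.example.net", "mail.example.org", "www.example.com")]
# Long pseudo-random labels under one zone, as a DNS tunnel would emit (constructed).
for i in range(12):
    label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40]
    DNS_LOG.append(("10.0.0.5", f"{label}.t.example"))


def beacon_candidates(conn_log, min_conns=8, max_cv=0.2):
    """Return flows (src, dst, port) whose inter-connection gaps are suspiciously regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections: human traffic is bursty (CV near or above 1), while a
    fixed-interval beacon with a little jitter has a CV close to 0.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port in conn_log:
        by_flow[(src, dst, port)].append(ts)
    hits = {}
    for flow, stamps in by_flow.items():
        if len(stamps) < min_conns:
            continue  # too few observations to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits[flow] = {"count": len(stamps), "mean_interval": mean, "cv": cv}
    return hits


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high, words low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def zone_of(qname, labels=2):
    """Crude registered-domain guess: the last two labels. A real detector would
    consult the public suffix list (simplifying assumption for this example)."""
    return ".".join(qname.rstrip(".").split(".")[-labels:])


def dns_anomalies(dns_log, min_queries=10, min_label_len=20, min_entropy=2.5):
    """Return (src, zone) pairs that look like a DNS covert channel: many queries
    to one zone whose leftmost labels are long and high-entropy."""
    per_zone = defaultdict(list)
    for src, qname in dns_log:
        per_zone[(src, zone_of(qname))].append(qname.split(".")[0])
    hits = {}
    for key, labels in per_zone.items():
        if len(labels) < min_queries:
            continue
        mean_len = statistics.mean(len(l) for l in labels)
        mean_ent = statistics.mean(shannon_entropy(l) for l in labels)
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            hits[key] = {"queries": len(labels), "mean_label_len": mean_len,
                         "mean_entropy": round(mean_ent, 2)}
    return hits


if __name__ == "__main__":
    for flow, stats in beacon_candidates(CONN_LOG).items():
        print("beacon candidate:", flow, stats)
    for key, stats in dns_anomalies(DNS_LOG).items():
        print("DNS covert-channel candidate:", key, stats)
```

Run as a script, it flags only the 60-second flow from 10.0.0.5 and only that host's queries under `t.example`; the bursty browsing host and its ordinary lookups pass. In production the thresholds need tuning per environment (backup agents and update checkers also beacon), so these hits are triage leads to correlate with process and endpoint telemetry, not verdicts.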
