Analyzing CompTIA Security+ Infection Origin

Apr 23, 2025

CompTIA Security+ Performance-Based Question Analysis

Introduction

  • The lecture walks through a specific CompTIA Security+ performance-based question.
  • Initial assumption: easy to solve; working through it properly turned out to require considerably more analysis.
  • Aim: determine which host on the network originated a potential infection and which hosts are clean.

Network Structure

  • Networks:
    • Research and Development Network
    • Engineering Network
  • Hosts with IPs (e.g., 192.168.11.22)
  • Firewall with separate logs

Question Task

  • Examine logs from each host and firewall.
  • Determine the origin of infection and identify clean or infected hosts.

Log Analysis Process

  1. Machine 222:

    • Scheduled scans noted.
    • Warning that the scan and update were disabled by SVC host 0 at 2:31 AM on the 18th.
    • Marked as infected: protection being switched off is itself the suspicious activity.
  2. Machine 37:

    • Logs show scan initialization and definition updates.
    • Malware (SVC host) quarantined on the 18th at 2:37 PM.
    • Marked as clean because the quarantine succeeded.
  3. Machine 41:

    • Failed to reach the update server (suspicious on its own).
    • Unable to quarantine SVC host despite a heuristic match.
    • Marked as infected.
  4. Machine 12:

    • Same log pattern as Machine 37.
    • Successfully quarantined the malware on the 18th.
    • Marked as clean.
  5. Machine 18:

    • Unable to reach the update server.
    • Failed to quarantine SVC host.
    • Marked as infected.
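The five host write-ups above all apply the same three rules: protection disabled or a failed quarantine means infected, a successful quarantine with nothing worse means clean, and an unreachable update server alone is only suspicious. The following is an added example (not code from the lecture) that encodes those rules as detection logic and runs it over constructed endpoint-protection log lines; the log format, hostnames and exact message wording are assumptions modelled on the patterns described, not the real question's logs.

```python
import re
from collections import defaultdict

# Constructed endpoint-protection log lines (not from the lecture), one event per
# line. Assumed format: "<date> <time> <host> <message>".
SAMPLE_HOST_LOGS = """\
2025-04-18 02:15:00 host-222 Scheduled scan started
2025-04-18 02:31:00 host-222 WARNING: scan and update disabled by svchost
2025-04-18 02:20:00 host-37 Scan initialized; definitions updated
2025-04-18 14:37:00 host-37 Malware svchost quarantined
2025-04-18 02:22:00 host-41 Failed to reach update server
2025-04-18 02:40:00 host-41 Heuristic match on svchost; unable to quarantine
2025-04-18 02:25:00 host-12 Scan initialized; definitions updated
2025-04-18 14:39:00 host-12 Malware svchost quarantined
2025-04-18 02:27:00 host-18 Unable to reach update server
2025-04-18 02:41:00 host-18 Failed to quarantine svchost
"""

# Indicator patterns. Message wording is assumed; adjust the regexes to the AV
# product's real strings when using this against real logs.
INDICATORS = {
    "protection_disabled": re.compile(r"\b(scan|update)\b.*\bdisabled\b", re.I),
    "quarantine_failed": re.compile(
        r"(unable to quarantine|failed to quarantine|quarantine failed)", re.I),
    "update_unreachable": re.compile(
        r"(unable|failed) to reach (the )?update server", re.I),
    "quarantine_ok": re.compile(r"\bquarantined\b", re.I),
}
# Either of these alone is enough to call the host infected.
INFECTED_INDICATORS = {"protection_disabled", "quarantine_failed"}


def parse_host_logs(text):
    """Group log messages by host, preserving file order."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        _date, _time, host, message = line.split(maxsplit=3)
        events[host].append(message)
    return dict(events)


def indicators_for(messages):
    """Return the set of indicator names matched by any message."""
    found = set()
    for message in messages:
        for name, pattern in INDICATORS.items():
            if pattern.search(message):
                found.add(name)
    return found


def classify_host(messages):
    """Apply the lecture's rules in order of severity.

    A successful quarantine never overrides a disabled-protection or
    failed-quarantine event on the same host, so a host that was cleaned once
    but later lost protection is still reported as infected.
    """
    found = indicators_for(messages)
    if found & INFECTED_INDICATORS:
        verdict = "infected"
    elif "quarantine_ok" in found:
        verdict = "clean"
    elif "update_unreachable" in found:
        verdict = "suspicious"   # worth a look, but not proof on its own
    else:
        verdict = "no_evidence"
    return verdict, sorted(found)


def classify_all(text):
    """Map every host in the log to (verdict, sorted indicator list)."""
    return {host: classify_host(msgs) for host, msgs in parse_host_logs(text).items()}


if __name__ == "__main__":
    for host, (verdict, found) in classify_all(SAMPLE_HOST_LOGS).items():
        print(f"{host:9} {verdict:12} {', '.join(found)}")
```

The ordering in `classify_host` is the point: the verdict is driven by the worst indicator seen, so a single "quarantined" line is not enough to declare a host clean if the same host also logged that its protection was disabled or a quarantine failed.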

Firewall Log Analysis

  • IP Address Types:
    • Internal: 10.10.10.x, 192.168.11.x
    • External: 57.203.54.x (suspicious)
  • Large data transfers from certain machines to the external IP.
  • Key Observations:
    • Machine 18 was the first host to communicate with the suspicious external IP.
    • A large volume of data (9 GB) was transferred from Machine 18 to that external IP.
    • Multiple internal service patterns (RPC, SMB) and further external communications were also noted.
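The firewall analysis above asks three things of the log: which internal host talked to the suspicious external range first, how much data each host pushed to it, and which hosts were reaching other internal hosts over RPC/SMB. This added example (not code from the lecture) does that over a constructed firewall log; the log format, the host and external addresses, the byte counts and the choice of 57.203.54.0/24 as the suspicious range are all assumptions for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Address ranges taken from the lecture's description; the /24 masks and the
# exact suspicious network are assumptions.
INTERNAL_NETS = [ipaddress.ip_network("10.10.10.0/24"),
                 ipaddress.ip_network("192.168.11.0/24")]
SUSPICIOUS_NET = ipaddress.ip_network("57.203.54.0/24")
# RPC endpoint mapper, NetBIOS session and SMB: internal-to-internal hits on
# these ports are the lateral-movement patterns the lecture mentions.
LATERAL_PORTS = {135, 139, 445}

# Constructed firewall log (not the question's real log), deliberately out of
# time order to show why sorting matters before picking "first contact".
# Assumed format: "<date> <time> <action> <src> <dst> <proto> <dport> <bytes>"
SAMPLE_FIREWALL_LOG = """\
2025-04-18 02:50:00 ALLOW 10.10.10.222 57.203.54.9 TCP 443 9250
2025-04-18 02:29:10 ALLOW 192.168.11.18 57.203.54.9 TCP 443 4831
2025-04-18 02:33:45 ALLOW 192.168.11.18 10.10.10.222 TCP 445 2048
2025-04-18 02:35:02 ALLOW 192.168.11.18 10.10.10.41 TCP 135 1024
2025-04-18 03:10:00 ALLOW 192.168.11.18 57.203.54.9 TCP 443 9663676416
2025-04-18 03:20:00 ALLOW 10.10.10.41 57.203.54.9 TCP 443 120000
2025-04-18 03:25:00 DENY 10.10.10.37 57.203.54.9 TCP 443 0
"""


def parse_firewall_log(text):
    """Parse the assumed format into dicts and sort by timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, action, src, dst, proto, dport, nbytes = line.split()
        records.append({
            "ts": datetime.fromisoformat(f"{date} {time}"),
            "action": action, "src": src, "dst": dst,
            "proto": proto, "dport": int(dport), "bytes": int(nbytes),
        })
    return sorted(records, key=lambda r: r["ts"])


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def is_suspicious(ip):
    return ipaddress.ip_address(ip) in SUSPICIOUS_NET


def first_contact(records):
    """First allowed internal -> suspicious connection; records must be sorted."""
    for r in records:
        if r["action"] == "ALLOW" and is_internal(r["src"]) and is_suspicious(r["dst"]):
            return r["src"], r["ts"]
    return None


def bytes_to_suspicious(records):
    """Total bytes each internal host sent to the suspicious range (ALLOW only;
    a DENY moved no data, so it must not count as exfiltration)."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "ALLOW" and is_internal(r["src"]) and is_suspicious(r["dst"]):
            totals[r["src"]] += r["bytes"]
    return dict(totals)


def lateral_connections(records):
    """Internal -> internal connections on RPC/SMB ports, per source host."""
    lateral = defaultdict(set)
    for r in records:
        if (r["action"] == "ALLOW" and is_internal(r["src"])
                and is_internal(r["dst"]) and r["dport"] in LATERAL_PORTS):
            lateral[r["src"]].add((r["dst"], r["dport"]))
    return {src: sorted(dsts) for src, dsts in lateral.items()}


def summarize(records):
    fc = first_contact(records)
    return {
        "first_contact": fc[0] if fc else None,
        "first_contact_at": fc[1].isoformat() if fc else None,
        "bytes_to_suspicious": bytes_to_suspicious(records),
        "lateral": lateral_connections(records),
    }


if __name__ == "__main__":
    summary = summarize(parse_firewall_log(SAMPLE_FIREWALL_LOG))
    print("first contact:", summary["first_contact"], "at", summary["first_contact_at"])
    for host, total in sorted(summary["bytes_to_suspicious"].items(), key=lambda kv: -kv[1]):
        print(f"{host:15} {total / 2**30:6.2f} GiB to {SUSPICIOUS_NET}")
    print("lateral RPC/SMB:", summary["lateral"])
```

Two details matter for the origin call: the records are sorted before "first contact" is picked, because firewall exports are not guaranteed to be chronological, and denied connections are excluded from the byte totals so a blocked attempt is not mistaken for exfiltration. The host that is both first to reach the suspicious range and the largest sender, and that also fans out over RPC/SMB internally, is the one the lecture's reasoning points at.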

Conclusion on Infection Origin

  • Strong case for Machine 18 being the originator because it shows both:
    • The initial communication with the external IP.
    • The largest data transfer.
  • Other machines (e.g., 37, 41, 12) show signs of infection but were either cleaned or were not the origin.

Overall Assessment

  • Infected Hosts: 222, 41, 18
  • Clean Hosts (post-quarantine): 37, 12
  • Possible Origin: Machine 18

Conclusion

  • The analysis is based only on the available logs.
  • Without further data, the origin of infection remains speculative.
  • Viewers are encouraged to weigh the findings and draw their own conclusions.
  • Suggestions to engage further via comments or reviews of related questions.
  • Encouragement to like and subscribe for more content.
  • Invitation to explore additional questions on the channel.