HOTSPOT An organization has noticed large amounts of data are being sent out of its network. An analyst is identifying the cause of the data exfiltration. INSTRUCTIONS Select the command that generated the output in tabs 1 and 2. Review the output text in all tabs and identify the file responsible for the malicious behavior. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Analyst+_CS0-003/page_239_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Analyst+_CS0-003/page_240_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Analyst+_CS0-003/page_241_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Analyst+_CS0-003/page_242_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Analyst+_CS0-003/page_243_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Analyst+_CS0-003/page_244_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Analyst+_CS0-003/page_245_img_1.jpg

Makes sense, the file triggering it is cmd.exe.

Question 19 - CompTIA (CYSA+) Analyst+ CS0-003 Real Exam Questions [Jan 2026 Update]

Q: 19

HOTSPOT An organization has noticed large amounts of data are being sent out of its network. An analyst is identifying the cause of the data exfiltration. INSTRUCTIONS Select the command that generated the output in tabs 1 and 2. Review the output text in all tabs and identify the file responsible for the malicious behavior. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Your Answer

Correct Answer:

PART 1: SELECT THE COMMAND THAT GENERATED THE OUTPUT IN TAB 1

CORRECT ANSWER: GET-CHILDITEM | GET-FILEHASH -ALGORITHM MD5
EXPLANATION: THE OUTPUT IN TAB 1 DISPLAYS A LIST OF FILES AND THEIR CORRESPONDING MD5 HASH VALUES. IN WINDOWS POWERSHELL, THE GET-CHILDITEM CMDLET GETS THE ITEMS IN A SPECIFIED LOCATION (IN THIS CASE, THE CURRENT DIRECTORY), AND THE PIPE | SENDS THAT OUTPUT TO THE GET-FILEHASH CMDLET. THE -ALGORITHM MD5 PARAMETER SPECIFIES THAT THE MD5 HASHING ALGORITHM SHOULD BE USED. THE RESULTING OUTPUT FORMAT PERFECTLY MATCHES WHAT IS SHOWN IN TAB 1.

PART 2: SELECT THE COMMAND THAT GENERATED THE OUTPUT IN TAB 2

CORRECT ANSWER: NETSTAT -BO
EXPLANATION: THE OUTPUT IN TAB 2 SHOWS ACTIVE TCP CONNECTIONS, INCLUDING LOCAL AND FOREIGN ADDRESSES, STATE, AND THE PROCESS ID (PID). CRITICALLY, IT ALSO LISTS THE EXECUTABLE FILE NAME (E.G., [SFTP.EXE]) BELOW EACH RELEVANT CONNECTION. THE NETSTAT COMMAND IS USED TO DISPLAY NETWORK CONNECTIONS. THE -B SWITCH DISPLAYS THE EXECUTABLE INVOLVED IN CREATING EACH CONNECTION, AND THE -O SWITCH DISPLAYS THE OWNING PROCESS ID. THE COMBINATION NETSTAT -BO PRODUCES THE EXACT FORMAT SEEN IN TAB 2.

PART 3: IDENTIFY THE FILE RESPONSIBLE FOR THE MALICIOUS BEHAVIOR

CORRECT ANSWER: CMD.EXE

Explanation

The output in Tab 1 displays a list of files and their corresponding MD5 hash values. In Windows PowerShell, the Get-ChildItem cmdlet gets the items in a specified location (in this case, the current directory), and the pipe | sends that output to the Get-Filehash cmdlet. The -Algorithm MD5 parameter specifies that the MD5 hashing algorithm should be used. The resulting output format perfectly matches what is shown in Tab 1.

The output in Tab 2 shows active TCP connections, including local and foreign addresses, state, and the process ID (PID). Critically, it also lists the executable file name (e.g., [sftp.exe]) below each relevant connection. The netstat command is used to display network connections. The -b switch displays the executable involved in creating each connection, and the -o switch displays the owning process ID. The combination netstat -bo produces the exact format seen in Tab 2.

To identify the malicious file, we must correlate information from all tabs.

File Integrity Check: First, compare the current file hashes from Tab 1 with the known-good baseline hashes from Tab 4. The MD5 hash for cmd.exe in Tab 1 (372ab...) does not match the baseline hash in Tab 4 (a2cde...). This indicates the cmd.exe file has been modified or replaced.

Network Activity Analysis: Next, examine the network connections in Tab 2. The modified cmd.exe file is shown to have an established outbound connection to 192.168.10.37:http. The Windows Command Prompt (cmd.exe) should not be making persistent outbound network connections, making this behavior highly suspicious and indicative of data exfiltration or command-and-control (C2) communication.

The combination of a failed integrity check (mismatched hash) and suspicious network activity makes cmd.exe the file responsible for the malicious behavior.

References

Microsoft. (2023). Get-FileHash. Microsoft Docs. Retrieved from docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/get-filehash. (This official documentation describes the cmdlet used to generate the output in Tab 1.)

Microsoft. (2021). Netstat. Microsoft Docs. Retrieved from docs.microsoft.com/en-us/windows-server/administration/windows-commands/netstat. (This document details the netstat command and its parameters, such as -b and -o, which produce the output seen in Tab 2.)

Hogben, G., & Plohmann, D. (2016). Threat Landscape and Good Practice Guide for Smart Home and Converged Media. European Union Agency for Network and Information Security (ENISA). p. 28. (This report discusses how attackers replace legitimate system files, like cmd.exe, with malicious versions to establish persistence and create backdoors, aligning with the observed hash mismatch.)

Tanenbaum, A. S., & Wetherall, D. J. (2011). Computer Networks (5th ed.). Pearson Education. p. 657. (This textbook explains the TCP/IP protocol suite and connection states, providing the foundational knowledge to interpret netstat output and identify unusual established connections like an HTTP connection from cmd.exe.)

PART 1: SELECT THE COMMAND THAT GENERATED THE OUTPUT IN TAB 1

PART 2: SELECT THE COMMAND THAT GENERATED THE OUTPUT IN TAB 2

PART 3: IDENTIFY THE FILE RESPONSIBLE FOR THE MALICIOUS BEHAVIOR

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE