TimSaysICan Training - CySA+ PBQ

CySA+ PBQ: Cybersecurity Investigation

Correlate command output, process IDs, and suspicious network behavior.


Scenario

An analyst is reviewing Windows command output from a workstation. One tab shows active TCP connections with process IDs. Another tab shows process names, PIDs, session data, and memory usage. A suspicious external web connection must be tied back to the responsible process.

Your task: Review the evidence and select the best analyst response for each field.
Evidence | Details
Tab 1 fields | Protocol, local address, foreign address, state, PID, executable
Suspicious PID | 1916 connected to 47.31.32.101:80
Tab 2 fields | Image Name, PID, Session Name, Session#, Memory Usage
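
One way to do the correlation the scenario describes, as an added example that is not part of the original exercise: it parses netstat-style and tasklist-style output and joins the two on PID. The sample output is constructed, and the image name shown for PID 1916 is a placeholder, not the exercise's answer.

```python
import re

# Constructed sample output; the image name for PID 1916 is a placeholder.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.50:49712     47.31.32.101:80        ESTABLISHED     1916
"""

TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
svchost.exe                    884 Services                   0     12,344 K
placeholder-app.exe           1916 Console                    1     45,120 K
"""

# Image names may contain spaces, so anchor the match on the trailing columns.
TASK_RE = re.compile(r"^(.+?)\s+(\d+)\s+(\S+)\s+(\d+)\s+([\d,]+) K$")

def parse_netstat(text):
    """Yield one dict per TCP row; headers and any other lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[4].isdigit():
            yield {"local": parts[1], "foreign": parts[2],
                   "state": parts[3], "pid": int(parts[4])}

def parse_tasklist(text):
    """Map PID -> {image, session, mem_kb}."""
    procs = {}
    for line in text.splitlines():
        m = TASK_RE.match(line.rstrip())
        if m:
            image, pid, session, _session_no, mem = m.groups()
            procs[int(pid)] = {"image": image, "session": session,
                               "mem_kb": int(mem.replace(",", ""))}
    return procs

def correlate(netstat_text, tasklist_text, foreign_addr):
    """Return (connection, process) pairs for one foreign address:port."""
    procs = parse_tasklist(tasklist_text)
    # procs.get() yields None when the PID no longer appears in the process list.
    return [(c, procs.get(c["pid"]))
            for c in parse_netstat(netstat_text) if c["foreign"] == foreign_addr]

if __name__ == "__main__":
    for conn, proc in correlate(NETSTAT, TASKLIST, "47.31.32.101:80"):
        print(conn, proc)
```

A `None` in the process slot means the PID was not in the process list when it was captured, which is why both outputs should be collected as close together in time as possible.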

Analyst Decisions

Instructor Answer