Scenario
An analyst is reviewing Windows command output from a workstation. One tab shows active TCP connections with process IDs. Another tab shows process names, PIDs, session data, and memory usage. A suspicious external web connection must be tied back to the responsible process.
Your task: Review the evidence and select the best analyst response for each field.
| Evidence | Details |
|---|---|
| Tab 1 fields | Protocol, local address, foreign address, state, PID, executable |
| Suspicious PID | 1916 connected to 47.31.32.101:80 |
| Tab 2 fields | Image Name, PID, Session Name, Session#, Memory Usage |
Analyst Decisions
Instructor Answer
- netstat -bo shows active TCP connections with owning process IDs and executable names.
- tasklist shows Image Name, PID, session, and memory usage columns.
- PID 1916 maps to cmd.exe, and that same PID owns an external HTTP connection.
- A command shell making unexpected outbound connections is suspicious and should be investigated with containment and evidence preservation.
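One way to automate the PID join the Instructor Answer describes, as an added example that is not part of the original exercise: the netstat -bo and tasklist text below is constructed in the shape those commands print (reusing the scenario's PID and address), and the EXPECTED_WEB_CLIENTS allow-list is an assumption to tune per environment.

```python
import re
from ipaddress import ip_address
# Constructed sample text (not captured from a real host), in the shape netstat -bo
# and tasklist print on Windows; the exercise's PID and foreign address are reused.
NETSTAT_BO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.15:49712        47.31.32.101:80        ESTABLISHED     1916
 [cmd.exe]
  TCP    10.0.0.15:49801        142.250.72.78:443      ESTABLISHED     4420
 [msedge.exe]
  TCP    10.0.0.15:49811        10.0.0.20:445          ESTABLISHED     4
"""
TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0        152 K
cmd.exe                       1916 Console                    1      4,212 K
msedge.exe                    4420 Console                    1    210,556 K
"""
CONN_RE = re.compile(r"^\s*(TCP)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
TASK_RE = re.compile(r"^(.+?)\s+(\d+)\s+(\S+)\s+(\d+)\s+([\d,]+ K)$")
EXPECTED_WEB_CLIENTS = {"msedge.exe", "chrome.exe", "firefox.exe"}  # assumption; tune per host

def parse_netstat(text):
    """Rows of netstat -bo; the bracketed [exe] line that follows a row is attached to it."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append({"local": m[2], "foreign": m[3], "state": m[4], "pid": int(m[5]), "exe": None})
        elif conns and line.strip().startswith("[") and line.strip().endswith("]"):
            conns[-1]["exe"] = line.strip()[1:-1]
    return conns

def parse_tasklist(text):
    # Map PID -> Image Name; the header and ==== rows do not match TASK_RE and are skipped
    return {int(m[2]): m[1].strip() for m in map(TASK_RE.match, text.splitlines()) if m}

def correlate(netstat_text, tasklist_text):
    """Join connections to process names by PID; flag external web traffic from unexpected images."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for c in parse_netstat(netstat_text):
        host, _, port = c["foreign"].rpartition(":")
        try:
            external = ip_address(host.strip("[]")).is_global
        except ValueError:  # "*" in a listening-socket row: nothing to resolve
            continue
        name = procs.get(c["pid"]) or c["exe"] or "<unknown>"
        if external and port in ("80", "443") and name.lower() not in EXPECTED_WEB_CLIENTS:
            findings.append((c["pid"], name, c["foreign"]))
    return findings
```

On the sample above only PID 1916 (cmd.exe to 47.31.32.101:80) is returned; the browser on 443 and the SMB session to a private address are not.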