Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Isaca CCOA Exam - Topic 1 Question 9 Discussion

Actual exam question for Isaca's CCOA exam
Question #: 9
Topic #: 1
[All CCOA Questions]

SIMULATION

The network team has provided a PCAP file with suspicious activity located in the Investigations folder on the Desktop titled, investigation22.pcap.

What date was the webshell accessed? Enter the format as YYYY-MM-DD.

Show Suggested Answer Hide Answer
Suggested Answer: A

To determine the date the webshell was accessed from the investigation22.pcap file, follow these detailed steps:

Step 1: Access the PCAP File

Log into the Analyst Desktop.

Navigate to the Investigations folder on the desktop.

Locate the file:

investigation22.pcap

Step 2: Open the PCAP File in Wireshark

Launch Wireshark.

Open the PCAP file:

mathematica

File > Open > Desktop > Investigations > investigation22.pcap

Click Open to load the file.

Step 3: Filter for Webshell Traffic

Since webshells typically use HTTP/S to communicate, apply a filter:

http.request or http.response

Alternatively, if you know the IP of the compromised host (e.g., 10.10.44.200), use:

nginx

http and ip.addr == 10.10.44.200

Press Enter to apply the filter.

Step 4: Identify Webshell Activity

Look for HTTP requests that include:

Common Webshell Filenames: shell.jsp, cmd.php, backdoor.aspx, etc.

Suspicious HTTP Methods: Mainly POST or GET.

Right-click a suspicious packet and choose:

arduino

Follow > HTTP Stream

Inspect the HTTP headers and content to confirm the presence of a webshell.

Step 5: Extract the Access Date

Look at the HTTP request/response header.

Find the Date field or Timestamp of the packet:

Wireshark displays timestamps on the left by default.

Confirm the HTTP stream includes commands or uploads to the webshell.

Example HTTP Stream:

POST /uploads/shell.jsp HTTP/1.1

Host: 10.10.44.200

User-Agent: Mozilla/5.0

Date: Mon, 2024-03-18 14:35:22 GMT

Step 6: Verify the Correct Date

Double-check other HTTP requests or responses related to the webshell.

Make sure the date field is consistent across multiple requests to the same file.

Answe r:

2024-03-18

Step 7: Document the Finding

Date of Access: 2024-03-18

Filename: shell.jsp (as identified earlier)

Compromised Host: 10.10.44.200

Method of Access: HTTP POST

Step 8: Next Steps

Isolate the Affected Host:

Remove the compromised server from the network.

Remove the Webshell:

rm /path/to/webshell/shell.jsp

Analyze Web Server Logs:

Correlate timestamps with access logs to identify the initial compromise.

Implement WAF Rules:

Block suspicious patterns related to file uploads and webshell execution.


by Judy at Jul 13, 2025, 04:40 PM

Limited Time Offer

25%

Off

Get Premium CCOA Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Latrice
5 months ago
Just a reminder, always verify the timestamps in PCAP files!
upvoted 0 times
...
Kayleigh
5 months ago
I double-checked, it’s definitely 2023-10-15.
upvoted 0 times
...
Lettie
5 months ago
Wait, are we sure about that date? Seems off to me.
upvoted 0 times
...
Sanjuana
6 months ago
The webshell was accessed on 2023-10-15.
upvoted 0 times
...
Rory
6 months ago
Totally agree, that date matches the logs!
upvoted 0 times
...
Yolande
6 months ago
I recall that we need to look for specific patterns in the traffic, but I hope I remember the right filters to apply.
upvoted 0 times
...
Margret
6 months ago
I feel like the date might be in the packet details, but I’m a bit confused about how to extract it correctly.
upvoted 0 times
...
Bernardine
7 months ago
I think we had a similar question in our last mock exam where we had to find timestamps in a PCAP. I should check the HTTP requests.
upvoted 0 times
...
Corrinne
7 months ago
I remember we practiced analyzing PCAP files, but I’m not sure how to pinpoint the exact date of the webshell access.
upvoted 0 times
...
Tamra
7 months ago
This is a tricky one, but I think I've got a strategy. I'll start by filtering the PCAP for any HTTP traffic, then look for any suspicious requests or responses that might indicate the webshell access. Fingers crossed!
upvoted 0 times
...
Annamae
7 months ago
Alright, time to put on my detective hat. The key is going to be finding the timestamp of the webshell access. I'll comb through the PCAP file and see if I can pinpoint that date.
upvoted 0 times
...
Na
7 months ago
Wait, what's a webshell again? I'm a little fuzzy on the details here. I'll need to review my notes on incident response and network forensics before I dive into this.
upvoted 0 times
...
Francoise
8 months ago
Okay, let's do this! I'm feeling confident about my packet analysis skills. I'll start by looking for any suspicious HTTP traffic that might indicate the webshell access.
upvoted 0 times
...
Willis
8 months ago
Hmm, this looks like it's going to require some packet analysis. I'll need to open the PCAP file and see if I can find any signs of the webshell access.
upvoted 0 times
...
Leota
10 months ago
Ah, the joys of cybersecurity - combing through network traffic to uncover the truth. Where's my magnifying glass?
upvoted 0 times
...
Justine
10 months ago
Wait, we have a PCAP file? This is my time to shine! Let's see what juicy details we can uncover.
upvoted 0 times
Amina
9 months ago
Let's open the PCAP file and see what we can find.
upvoted 0 times
...
...
Adolph
10 months ago
I agree with Venita, based on the network traffic patterns, it seems more likely that the webshell was accessed on 2021-07-16.
upvoted 0 times
...
Delsie
10 months ago
2023-04-20? That's my best guess, but I'm just shooting in the dark here.
upvoted 0 times
Brett
9 months ago
Let's take a look at the investigation22.pcap file to find out the exact date.
upvoted 0 times
...
Jaime
10 months ago
I'm not sure, maybe we should check the PCAP file to confirm.
upvoted 0 times
...
Beata
10 months ago
I think it was accessed on 2023-04-20.
upvoted 0 times
...
...
Zoila
10 months ago
I'm not sure about the date, but I think we should analyze the PCAP file further to confirm.
upvoted 0 times
...
Krystal
10 months ago
Hmm, looks like we need to dig into that PCAP file to find the date the webshell was accessed. Time to put on my detective hat!
upvoted 0 times
Bambi
10 months ago
I think we should start by filtering for the webshell activity to find the date.
upvoted 0 times
...
Corinne
10 months ago
Let's open the PCAP file and analyze the network traffic.
upvoted 0 times
...
...
Venita
10 months ago
I disagree, I believe it was accessed on 2021-07-16.
upvoted 0 times
...
Dortha
10 months ago
I think the webshell was accessed on 2021-07-15.
upvoted 0 times
...

Save Cancel