Text preview & study summary

Server+ PBQ Lab: HTTPS alerts following suspicious service-account logon

A free sample of 1 question from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.

Want to test your knowledge? Launch the Interactive Exam Simulator

Question 1

In this Server+ incident-response simulator, the learner investigates APP-SRV-02 after off-hours outbound HTTPS alerts appear following a suspicious service-account logon.

The lab requires the user to compare normal and abnormal server behavior, recognize that local host tools may be unreliable on a compromised system, preserve evidence before making destructive changes, and choose a containment plan that stops the threat without unnecessarily breaking application dependencies.

This is a hands-on troubleshooting and security-response PBQ built around process ownership, persistence, packet capture, service-account misuse, and evidence-safe remediation.

Explanation

The correct answer is to treat APP-SRV-02 as compromised and follow an evidence-preserving response sequence: collect volatile process evidence, use network-side packet capture, export the scheduled task and script hash, identify the hidden PowerShell activity running under QH\svc-appsync, block only the suspicious external TLS destination, disable persistence after preserving the artifact, stop the malicious process, rotate and update the service credential, remove excessive local administrator rights, and validate that application traffic returns to baseline. This is the only answer that resolves both the active symptom and the underlying cause without destroying important forensic evidence or causing unnecessary service disruption.

The key clue is the discrepancy between local host evidence and network-side evidence. Local tools such as tasklist and netstat do not show the suspicious PID or external connection, which means the learner should not blindly trust the compromised operating system to report on itself. The switch mirror and packet capture prove that APP-SRV-02 is communicating with an unapproved external destination, while the scheduled task, hidden PowerShell execution, and service-account permissions explain how the activity persisted and why the account abuse mattered.

The backup-agent option is wrong because BACKUP-01 traffic is expected and the backup warning is only noise. The update-allowlist option is wrong because the suspicious external IP is not the approved internal update endpoint, and allowlisting it would preserve the malicious path instead of removing it. The “trust local output” option is wrong because the lab intentionally shows that local process and connection views are incomplete; the correct investigation requires comparing host artifacts against network-side telemetry.

The immediate isolate/delete/reboot option is wrong because it may stop the symptom while destroying evidence. Killing the process, deleting the scheduled task, or rebooting too early weakens the forensic trail and can hide how the incident occurred. The broad block and service-account disablement option is also wrong because it breaks legitimate application dependencies instead of applying targeted containment. A clean Server+ response should preserve evidence, contain the specific suspicious traffic, remediate persistence and credential abuse, and then validate that the server is both safe and functional.