During a forensic review of a compromised CentOS web server, the incident-response team extracts several artifacts that could be shared as threat-intelligence. Which item is the most appropriate high-fidelity host-based indicator of compromise that other organizations can safely use to detect the same malware on their own Linux systems?
The server's public IPv4 address during the attack
The SHA-256 hash of the malicious ELF binary found in /usr/local/bin
The timestamp of the first failed SSH login in /var/log/secure
The process ID the malware used while it was running
File-hash values (MD5, SHA-1, SHA-256, etc.) are considered high-confidence host-based IoCs because a cryptographic hash uniquely identifies a specific file across every host. Sharing the SHA-256 hash of the back-door executable lets security tools on other machines search for an exact match, even if the malware is renamed or placed in a different directory. A process ID, an external IP address, or a single timestamp are environment-specific, volatile, and therefore unreliable as portable IoCs.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why is a SHA-256 hash better than a process ID for detecting malware?
Open an interactive chat with Bash
What are some other uses of file hashes like SHA-256 in cybersecurity?
Open an interactive chat with Bash
How does a cryptographic hash like SHA-256 ensure uniqueness and security?
Open an interactive chat with Bash
CompTIA Linux+ XK0-006 (V8)
Security
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
IT & Cybersecurity Package Join Premium for Full Access