An analyst notices there is an internal device sending https - CompTIA CySA+ CSO-003

Question

An analyst notices there is an internal device sending HTTPS traffic with additional characters in the header to a known-malicious IP in another country. Which of the following describes what the analyst has noticed?

Answers

  • A. Beaconing (correct)
  • Cross-site scripting
  • Buffer overflow
  • PHP traversal
Explanation

The correct answer is: A. Beaconing

This is the correct answer because beaconing refers to a situation where a device, often compromised, regularly sends network traffic to a remote server, typically to a known-malicious IP address. The additional characters in the header could be part of the communication used by malware to establish and maintain contact with a command-and-control (C&C) server. The regular, unusual traffic from an internal device to a foreign malicious IP is characteristic of beaconing, where the device "checks in" or sends signals to the attacker-controlled server.
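The regular check-in pattern described above is what an analyst would look for in proxy or firewall logs. The following is an added example (not from the question page or any vendor tool) that groups connections by source/destination pair and flags pairs whose inter-connection gaps are nearly constant; the log lines, hosts and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines: timestamp src dst dst_port bytes
LOG_LINES = """
2024-05-01T10:00:00 10.0.0.5 203.0.113.9 443 512
2024-05-01T10:05:01 10.0.0.5 203.0.113.9 443 514
2024-05-01T10:10:00 10.0.0.5 203.0.113.9 443 512
2024-05-01T10:14:59 10.0.0.5 203.0.113.9 443 513
2024-05-01T10:20:00 10.0.0.5 203.0.113.9 443 512
2024-05-01T10:25:01 10.0.0.5 203.0.113.9 443 512
2024-05-01T10:00:13 10.0.0.7 198.51.100.20 443 4821
2024-05-01T10:02:40 10.0.0.7 198.51.100.20 443 90231
2024-05-01T10:31:05 10.0.0.7 198.51.100.20 443 1200
2024-05-01T11:47:52 10.0.0.7 198.51.100.20 443 77310
2024-05-01T12:03:09 10.0.0.7 198.51.100.20 443 3310
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")

def parse(lines):
    """Collect connection timestamps per (src, dst) pair; skip malformed lines."""
    flows = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, _port, _nbytes = m.groups()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def beacon_candidates(flows, min_conns=5, max_jitter=0.1):
    """Flag pairs whose gaps between connections are almost identical.
    jitter = stddev(gaps) / mean(gaps): timer-driven beacons score low,
    human-driven browsing scores high. Thresholds are tunable assumptions."""
    hits = {}
    for pair, times in flows.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= max_jitter:
            hits[pair] = {"count": len(times), "period_s": round(avg, 1),
                          "jitter": round(jitter, 3)}
    return hits

if __name__ == "__main__":
    for pair, info in beacon_candidates(parse(LOG_LINES)).items():
        print(f"possible beacon {pair[0]} -> {pair[1]}: {info}")
```

On the constructed data only 10.0.0.5 is flagged (six connections, roughly 300 s apart); 10.0.0.7 has the same number-ish of connections but irregular gaps, so it is not. In practice the flagged destination would then be checked against threat intelligence, as in the question's known-malicious IP.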

Why the Other Options Are Incorrect:

Cross-site scripting

  • This is incorrect because cross-site scripting (XSS) is a web application vulnerability in which an attacker injects malicious script, typically JavaScript supplied through a user input field, into a page that other users view, so that it executes in their browsers. The scenario described involves internal device traffic, not web application vulnerabilities.

Buffer overflow

  • This is incorrect because a buffer overflow occurs when more data is written to a buffer than it can hold, causing adjacent memory to be overwritten. While this could be a method used by an attacker to exploit a system, it does not specifically describe the scenario where an internal device sends HTTPS traffic with additional characters in the header to a malicious IP. Buffer overflows are generally related to software vulnerabilities, not unusual network traffic patterns.

PHP traversal

  • This is incorrect because PHP traversal (also known as directory traversal) is an attack that exploits vulnerabilities in web servers or applications running PHP to access files and directories outside of the intended directory. The issue described in the question involves network traffic, not file or directory access in a web application.
