Analyze indicators of malicious activity
This is the broadest PBQ objective on the exam. “Given a scenario” means you’ll be presented with evidence — logs, packet captures, system behavior, error messages — and asked to identify what attack is occurring and what indicators reveal it.
Malware Attacks
Ransomware
Encrypts victim’s files and demands payment for the decryption key.
- Indicators: Encrypted files with new extensions (.locked, .crypto), ransom note files dropped in every directory, an unknown process consuming CPU/disk as it rewrites files in bulk, deletion of shadow copies or backups just before encryption, and C2 beaconing before encryption begins
- Variants: Crypto-ransomware (encrypts files), locker ransomware (locks the system), double extortion (encrypts + threatens data leak)
Trojans
Malware disguised as legitimate software. Requires user action to install.
- Indicators: Unknown processes with network connections, software performing actions beyond its stated purpose, unexpected outbound connections
- RAT (Remote Access Trojan): Provides the attacker with remote control — webcam, keylogging, file access, shell access
Worms
Self-replicating malware that spreads across networks without user interaction.
- Indicators: Rapid network traffic spikes, identical processes appearing across multiple systems, bandwidth saturation, mass connection attempts on specific ports
Spyware
Collects information without the user’s knowledge.
- Indicators: Unexpected data exfiltration, microphone/camera activation, browser redirects, new toolbars or extensions, degraded system performance
- State-level: Zero-click spyware (Pegasus-style) leaves minimal visible indicators — detection requires mobile forensic tools, anomalous network behavior analysis, or compromised process analysis
Keyloggers
Records keystrokes to capture credentials, messages, and sensitive data.
- Software: Process monitoring reveals unknown input hooks. Often bundled with other malware.
- Hardware: Physical device between keyboard and computer. Requires physical inspection.
Logic Bombs
Malicious code that triggers on a specific condition (date, event, account deletion).
- Indicators: Dormant code discovered during code review, scheduled tasks with destructive payloads, insider threat pattern (often planted by disgruntled employees)
Rootkits
Malware that hides deep in the system to maintain persistent, undetected access.
- Kernel-level: Modifies the OS kernel or its data structures, so any tool that asks the kernel what is running (standard antivirus, Task Manager, ps) can be lied to.
- Bootkit: Infects the boot process (boot sector, bootloader or firmware). Loads before the OS, and therefore before any host-based security tool.
- Indicators: Discrepancies between tools — one tool shows a process/file that another doesn't (cross-view detection). Cross-referencing raw disk reads against OS file listings.
- Detection: Boot from trusted media and scan, integrity checking, behavior-based detection
Bloatware
Pre-installed software on devices that may collect data or introduce vulnerabilities.
- Not always malicious but increases attack surface and may include tracking functionality
Network Attacks
DDoS (Distributed Denial of Service)
Overwhelming a target with traffic from multiple sources.
- Volumetric: Flood bandwidth (UDP flood, DNS amplification, NTP amplification)
- Protocol: Exploit protocol weaknesses (SYN flood — filling the connection state table)
- Application: Target specific services (HTTP GET/POST floods, Slowloris)
- Indicators: Sudden traffic spike from many sources, service unavailability, source IPs from botnets, asymmetric traffic patterns
DNS Attacks
- DNS poisoning/spoofing: Injecting false DNS records to redirect traffic
- DNS tunneling: Encoding data in DNS queries (usually in subdomain labels) to exfiltrate data or establish C2 through DNS traffic, which many firewalls allow outbound without inspection
- Indicators: Unusually long or high-entropy DNS queries, many unique subdomains under one unknown domain, high query volume to that domain, DNS responses that don't match legitimate records
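The DNS tunneling indicators above can be scored mechanically. The following Python is added here as an illustration and is not part of the original guide: it flags tunneling candidates from a small constructed set of query logs by checking subdomain label length, label entropy and the number of unique names seen under one registered domain. The thresholds and the "last two labels are the registered domain" rule are assumptions chosen for the example; production code would use the Public Suffix List and baselines tuned to the environment.

```python
import math
from collections import defaultdict

# Constructed sample of (client_ip, queried_name) pairs. Not real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "cdn.jsdelivr.net"),
    # One host issuing many unique, long hex-looking labels under one domain
    ("10.0.0.7", "a3f9c2e81b7d4e0f9a6c1b2d3e4f5a6b.tunnel.example.net"),
    ("10.0.0.7", "7e1d0c9b8a7f6e5d4c3b2a1908f7e6d5.tunnel.example.net"),
    ("10.0.0.7", "0f1e2d3c4b5a69788796a5b4c3d2e1f0.tunnel.example.net"),
    ("10.0.0.7", "c0ffee1234deadbeef5678abcdef0123.tunnel.example.net"),
    ("10.0.0.7", "9a8b7c6d5e4f30211223344556677889.tunnel.example.net"),
]


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score high, words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    # Assumption for the example: the registrable domain is the last two labels.
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_query(name, max_label=30, min_entropy=3.5):
    """Return the reasons a single query name looks like encoded data (empty if none)."""
    labels = name.rstrip(".").split(".")
    sub = labels[:-2]  # everything left of the registered domain
    longest = max((len(l) for l in sub), default=0)
    ent = max((shannon_entropy(l) for l in sub), default=0.0)
    reasons = []
    if longest > max_label:
        reasons.append(f"label length {longest} > {max_label}")
    if ent > min_entropy:
        reasons.append(f"entropy {ent:.2f} > {min_entropy}")
    return reasons


def find_tunneling(queries, min_unique_subdomains=4):
    """Aggregate per registered domain; flag domains with flagged names and many unique subdomains."""
    per_domain = defaultdict(lambda: {"clients": set(), "names": set(), "flags": 0})
    for client, name in queries:
        rec = per_domain[registered_domain(name)]
        rec["clients"].add(client)
        rec["names"].add(name)
        if score_query(name):
            rec["flags"] += 1
    suspects = {}
    for domain, rec in per_domain.items():
        if rec["flags"] >= 1 and len(rec["names"]) >= min_unique_subdomains:
            suspects[domain] = {
                "unique_names": len(rec["names"]),
                "flagged": rec["flags"],
                "clients": sorted(rec["clients"]),
            }
    return suspects


if __name__ == "__main__":
    for domain, info in find_tunneling(SAMPLE_QUERIES).items():
        print(domain, info)
```

A single long label is not proof: CDNs and some anti-spam services legitimately use long hashed hostnames, which is why the aggregation step requires volume of unique names under one domain before raising the domain rather than the individual query.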
On-Path (Man-in-the-Middle)
Attacker positions themselves between two communicating parties.
- ARP poisoning: Associating the attacker's MAC address with the gateway's IP (and usually the victim's IP as well) on the local network, so both directions of traffic transit the attacker
- SSL/TLS stripping: Downgrading HTTPS to HTTP so the attacker can read and modify the traffic in the clear
- Indicators: Duplicate MAC addresses in ARP tables (one MAC claiming several IPs), ARP table anomalies, certificate warnings, unexpected network latency
Credential Replay
Capturing and reusing valid authentication tokens or hashes.
- Pass-the-hash: Authenticating with captured NTLM hashes without cracking the password
- Session hijacking: Stealing session cookies to impersonate authenticated users
- Indicators: Same credentials used from different IPs/locations, authentication without preceding login sequence
Wireless Attacks
- Evil twin: Rogue AP broadcasting a legitimate SSID
- Deauth: Forcing clients off the network to capture reconnection handshakes
- Indicators: Multiple APs with the same SSID, unexpected deauthentication frames, client connection instability
Application Attacks
Injection
Covered in 2.3 — SQL injection, command injection, LDAP injection, XML injection.
- Indicators: Unusual characters in logs (single quotes, semicolons, angle brackets), application errors referencing database syntax, unauthorized data access
Buffer Overflow
Program writes data beyond allocated memory boundaries.
- Indicators: Application crashes with memory-corruption errors (segfault, access violation, "stack smashing detected"), the same service crashing repeatedly as the attacker tunes the payload, and, for a successful exploit, the vulnerable service spawning a child process it never normally starts (a shell, cmd.exe) or continuing to run while performing actions outside its normal behaviour. A crash usually marks a failed attempt; a clean exploit often produces no crash at all.
Replay Attacks
Capturing valid data transmission and retransmitting it.
- Indicators: Duplicate transactions, authentication events with identical timestamps/tokens, unexpected repeated actions
Directory Traversal
Accessing files outside the intended directory using path manipulation (../../etc/passwd).
- Indicators: Log entries containing ../ or its encoded forms (%2e%2e%2f, ..%5c), unauthorized access to system files, file access outside the web root
Privilege Escalation
- Indicators: User performing actions beyond their role, sudo/admin events from standard accounts, unexpected group membership changes
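The application-layer indicators in this section are mostly strings that show up in web server logs. The following Python is an added example and not part of the original guide: it parses a handful of constructed access-log lines in Combined Log Format, URL-decodes the request path (twice, to defeat double-encoding) and tags each request with the attack class its contents suggest. The regexes are illustrative heuristics, not a WAF ruleset, and the thresholds of what counts as a hit are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (Combined Log Format). Not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/May/2024:10:00:01 +0000] "GET /products?id=42 HTTP/1.1" 200 512
192.0.2.11 - - [01/May/2024:10:00:02 +0000] "GET /products?id=42%27%20OR%201%3D1-- HTTP/1.1" 500 231
192.0.2.12 - - [01/May/2024:10:00:03 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 817
192.0.2.13 - - [01/May/2024:10:00:04 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1342
192.0.2.14 - - [01/May/2024:10:00:05 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 99
192.0.2.15 - - [01/May/2024:10:00:06 +0000] "POST /login HTTP/1.1" 302 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Heuristic signatures applied to the decoded path+query (assumed patterns for the example).
SIGNATURES = [
    ("SQL injection", re.compile(
        r"('|\")\s*(or|and)\s+\S+\s*=\s*\S+|union\s+select|--\s*$|;\s*drop\s", re.I)),
    ("XSS", re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)),
    ("Directory traversal", re.compile(
        r"(\.\./|\.\.\\){2,}|/etc/passwd|windows\\system32", re.I)),
    ("SSRF", re.compile(
        r"=(https?://)?(169\.254\.169\.254|127\.0\.0\.1|localhost|10\.\d+\.\d+\.\d+)", re.I)),
]


def classify_line(line):
    """Parse one log line and return its decoded path plus the signature names that matched."""
    m = LINE_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(unquote_plus(m["path"]))  # second pass catches %25xx double-encoding
    hits = [name for name, rx in SIGNATURES if rx.search(decoded)]
    return {"ip": m["ip"], "path": decoded, "status": int(m["status"]), "hits": hits}


def scan_log(text):
    """Return only the parsed lines that matched at least one signature."""
    parsed = (classify_line(l) for l in text.splitlines() if l.strip())
    return [r for r in parsed if r and r["hits"]]


if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(r["ip"], r["status"], r["hits"], r["path"])
```

Decoding before matching matters: the raw log line for the SQL injection attempt contains no literal quote or equals sign, only `%27` and `%3D`, so a signature run on the undecoded string would miss it. The 500 status beside the decoded payload is the "application errors referencing database syntax" indicator from the Injection bullet.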
Cryptographic Attacks
Downgrade Attack
Forcing a system to use a weaker cryptographic protocol or cipher.
- Attacker intercepts negotiation and manipulates options (e.g., forcing TLS 1.0 instead of 1.3)
- Indicators: Connection using deprecated protocols when stronger options are available
Collision Attack
Finding two different inputs that produce the same hash.
- Relevant to MD5 and SHA-1 (both have practical, demonstrated collision attacks and must not be used for signatures or certificates)
- Used to forge digital signatures or certificates
Birthday Attack
Exploiting the mathematics of hash collisions: for an n-bit hash, some collision among many candidates is expected after roughly 2^(n/2) attempts, far fewer than the 2^n needed to match one specific value by brute force.
Password Attacks
Brute Force
Trying every possible combination until the correct password is found.
- Indicators: High volume of failed authentication attempts from a single source, account lockouts
Password Spraying
Trying a small number of common passwords against many accounts.
- Avoids lockout thresholds by limiting attempts per account
- Indicators: Failed logins across many accounts within a short time frame, using common passwords
Dictionary Attack
Using a list of common passwords and words.
- Faster than brute force but limited to dictionary contents
Credential Stuffing
Using breached credentials from other sites against new targets.
- Exploits password reuse — why unique passwords matter
- Indicators: Successful logins from unusual locations using known-breached credentials
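The four password attacks above leave different shapes in an authentication log, and the shape is what the exam asks you to recognise. The following Python is an added example, not part of the original guide: it aggregates constructed login events per source address and classifies each source as brute force (many failures on one account), password spraying (few attempts each across many accounts, no successes), credential stuffing (one attempt per account across many accounts with a notable success rate) or benign. The thresholds are assumptions for the example and would be tuned to real lockout policy and traffic.

```python
from collections import defaultdict


def _build_sample():
    """Constructed authentication events as (src_ip, username, outcome). Not real logs."""
    events = []
    # 25 failures against one account from one source
    events += [("10.0.0.50", "admin", "fail")] * 25
    # one failure each against 30 different accounts from one source
    events += [("10.0.0.60", f"user{i:02d}", "fail") for i in range(30)]
    # one attempt per account across 20 accounts, a quarter succeed (reused breached pairs)
    events += [("10.0.0.70", f"user{i:02d}", "success" if i % 4 == 0 else "fail")
               for i in range(20)]
    # an ordinary user who mistypes once
    events += [("10.0.0.80", "alice", "fail"), ("10.0.0.80", "alice", "success")]
    return events


SAMPLE_EVENTS = _build_sample()


def classify_sources(events, brute_min=10, spray_min_accounts=10,
                     spray_max_per_account=3, stuffing_min_successes=3):
    """Return {src_ip: verdict} using per-source failure distribution and success count."""
    per_src = defaultdict(lambda: {"fail": defaultdict(int), "success": set(), "accounts": set()})
    for src, user, outcome in events:
        rec = per_src[src]
        rec["accounts"].add(user)
        if outcome == "success":
            rec["success"].add(user)
        else:
            rec["fail"][user] += 1

    verdicts = {}
    for src, rec in per_src.items():
        max_fail = max(rec["fail"].values(), default=0)  # deepest attack on any single account
        successes = len(rec["success"])
        if max_fail >= brute_min:
            verdicts[src] = "brute force"
        elif len(rec["accounts"]) >= spray_min_accounts and max_fail <= spray_max_per_account:
            # wide and shallow: the difference is whether the guesses are working
            verdicts[src] = "credential stuffing" if successes >= stuffing_min_successes \
                else "password spraying"
        else:
            verdicts[src] = "benign"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_EVENTS).items():
        print(src, verdict)
```

Keying on the source address is the simplest view and is enough for the exam scenarios, but real credential-stuffing and spraying tools rotate through proxy pools, so a production detection also aggregates per target account and per time window, where one attempt per account from hundreds of addresses is the tell.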
Indicator Recognition
These behavioral anomalies signal something is wrong even before you identify the specific attack:
| Indicator | What it suggests |
|---|---|
| Account lockout | Brute force or password spraying |
| Concurrent session usage | Credential compromise, session hijacking |
| Impossible travel | Login from NYC, then London 10 minutes later = compromised credentials |
| Missing logs | Attacker covering tracks, log tampering |
| Resource consumption | Cryptomining, DDoS participation, data exfiltration |
| Out-of-cycle logging | Processes running at unusual times |
| Blocked content | Malware attempting connections being stopped by controls |
| Resource inaccessibility | Ransomware, DoS, or destructive attack |
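Impossible travel is the one row in this table that needs arithmetic rather than pattern matching: the distance between two login locations divided by the time between them gives a speed no traveller can reach. The following Python is an added example and not from the original guide. It takes constructed login events with geolocated coordinates, computes the great-circle distance with the haversine formula, and raises an alert when the implied speed exceeds a threshold; the 1000 km/h limit (a little above airliner cruising speed) and the coordinates are assumptions for the example.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed login events: (username, ISO-8601 timestamp, latitude, longitude, label). Not real data.
SAMPLE_LOGINS = [
    ("bob", "2024-05-01T09:00:00Z", 40.7128, -74.0060, "New York"),
    ("bob", "2024-05-01T09:10:00Z", 51.5074, -0.1278, "London"),
    ("carol", "2024-05-01T08:00:00Z", 37.7749, -122.4194, "San Francisco"),
    ("carol", "2024-05-01T20:00:00Z", 40.7128, -74.0060, "New York"),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres on a sphere of radius 6371 km."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def find_impossible_travel(logins, max_speed_kmh=1000.0):
    """Compare each user's consecutive logins and return those that imply superhuman speed."""
    by_user = defaultdict(list)
    for user, ts, lat, lon, label in logins:
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))  # "Z" suffix for older Pythons
        by_user[user].append((when, lat, lon, label))

    alerts = []
    for user, rows in by_user.items():
        rows.sort()  # chronological; the tuple sorts on the datetime first
        for (t1, la1, lo1, n1), (t2, la2, lo2, n2) in zip(rows, rows[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            dist = haversine_km(la1, lo1, la2, lo2)
            if hours <= 0:
                speed = float("inf") if dist > 0 else 0.0  # simultaneous logins from two places
            else:
                speed = dist / hours
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": n1, "to": n2,
                               "km": round(dist), "hours": round(hours, 2), "kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    for a in find_impossible_travel(SAMPLE_LOGINS):
        print(a)
```

Carol's San Francisco to New York hop in twelve hours is about 340 km/h and passes; Bob's New York to London in ten minutes is over 30,000 km/h and does not. The usual false positives are VPN egress points and mobile carrier NAT, so real deployments whitelist known corporate VPN ranges before scoring.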
Attack Identification Decision Tree
When the exam presents indicators and asks “what attack is occurring?”, use this decision logic:
Network-Layer Indicators
| You See… | The Attack Is… |
|---|---|
| Traffic spike from thousands of sources, service unavailable | DDoS (volumetric) |
| SYN packets without completing handshake, connection table full | SYN flood (DDoS protocol) |
| Slow HTTP connections held open, low bandwidth but server overwhelmed | Slowloris (DDoS application) |
| Unusually long DNS queries with encoded data in subdomain labels | DNS tunneling (exfiltration/C2) |
| DNS responses pointing to wrong IPs | DNS poisoning/spoofing |
| Duplicate MAC addresses on the network, ARP table anomalies | ARP poisoning (on-path attack) |
| Regular outbound connections at fixed intervals to same external IP | C2 beaconing |
| Certificate warnings on previously-trusted sites | SSL stripping / on-path |
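The C2 beaconing row is about timing regularity, which is easy to see in a flow log once you compute it. The following Python is an added example and not from the original guide: it groups constructed connection records by source, destination and port, computes the gaps between consecutive connections, and flags pairs whose gap pattern is too regular to be a human (low coefficient of variation). The minimum connection count and the 0.2 variation threshold are assumptions for the example.

```python
import statistics
from collections import defaultdict

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port). Not real traffic.
SAMPLE_FLOWS = [
    # 10.0.0.7 reaches the same host every ~60 s with a couple of seconds of jitter
    (1000, "10.0.0.7", "203.0.113.10", 443), (1061, "10.0.0.7", "203.0.113.10", 443),
    (1120, "10.0.0.7", "203.0.113.10", 443), (1182, "10.0.0.7", "203.0.113.10", 443),
    (1240, "10.0.0.7", "203.0.113.10", 443), (1301, "10.0.0.7", "203.0.113.10", 443),
    (1360, "10.0.0.7", "203.0.113.10", 443),
    # 10.0.0.5 browsing: bursts of connections separated by long idle periods
    (1000, "10.0.0.5", "198.51.100.20", 443), (1003, "10.0.0.5", "198.51.100.20", 443),
    (1004, "10.0.0.5", "198.51.100.20", 443), (1250, "10.0.0.5", "198.51.100.20", 443),
    (1251, "10.0.0.5", "198.51.100.20", 443), (1900, "10.0.0.5", "198.51.100.20", 443),
    (1905, "10.0.0.5", "198.51.100.20", 443),
]


def interval_stats(timestamps):
    """Mean, standard deviation and coefficient of variation of the gaps between events."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None  # not enough data to say anything about regularity
    mean = statistics.fmean(gaps)
    stdev = statistics.pstdev(gaps)
    cv = stdev / mean if mean > 0 else float("inf")
    return {"count": len(ts), "mean_gap": mean, "stdev": stdev, "cv": cv}


def find_beacons(flows, min_connections=6, max_cv=0.2):
    """Return {(src, dst, port): stats} for connection pairs with metronome-like timing."""
    by_pair = defaultdict(list)
    for t, src, dst, port in flows:
        by_pair[(src, dst, port)].append(t)
    hits = {}
    for key, ts in by_pair.items():
        if len(ts) < min_connections:
            continue
        st = interval_stats(ts)
        if st and st["cv"] <= max_cv:
            hits[key] = st
    return hits


if __name__ == "__main__":
    for key, st in find_beacons(SAMPLE_FLOWS).items():
        print(key, f"every {st['mean_gap']:.0f}s, cv={st['cv']:.3f}")
```

Modern C2 frameworks deliberately add jitter to the sleep interval, so the variation threshold has to be loosened in practice and combined with other signals (same byte counts per connection, destination outside the organisation's usual set, off-hours activity). Software updaters and monitoring agents beacon too, so the hit list needs an allow list of known destinations.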
Host-Level Indicators
| You See… | The Attack Is… |
|---|---|
| Files encrypted with new extensions, ransom note present | Ransomware |
| Unknown process spawning cmd.exe/PowerShell, writing to temp dirs | Trojan / RAT |
| Same malicious process appearing across many hosts rapidly | Worm |
| Discrepancy between tools — one shows a file/process that another doesn't | Rootkit |
| Keystrokes being captured, credentials exfiltrated | Keylogger |
| Destructive action triggered by specific date or event | Logic bomb |
| Application crash with memory corruption, or the crashed service spawning an unexpected shell and running with its privileges | Buffer overflow (attempted / successful) |
Application-Level Indicators
| You See… | The Attack Is… |
|---|---|
| Single quotes, OR 1=1, UNION SELECT in logs | SQL injection |
| <script> tags, encoded JavaScript in input fields | XSS |
| ../../etc/passwd or ..\..\windows\system32 in URLs | Directory traversal |
| User action performed without user's knowledge while authenticated | CSRF |
| Server making requests to internal IPs (169.254.169.254) | SSRF |
| Login failures across many accounts, few per account | Password spraying |
| Login failures on one account, many attempts | Brute force |
| Successful logins using credentials from known breach databases | Credential stuffing |
| Same session token used from two different IPs | Session hijacking / credential replay |
| Login from NYC, then London 10 minutes later | Impossible travel (compromised credentials) |
Process for Exam PBQs
- Read all the evidence before answering — don’t jump at the first indicator
- Correlate across sources — network + host + application together tell a fuller story
- Timeline matters — sequence of events reveals the attack chain (recon → exploitation → lateral movement → exfiltration)
- Look for the IOC CompTIA is testing — they usually give you one strong indicator and several distractors
Offensive Context
Buffer overflow indicators make sense when you understand what a crash log with a corrupted RIP actually means — padding through the buffer, overwriting the saved frame pointer, hijacking the return address. Network attack patterns are the defensive mirror of protocol-level interception. Every indicator on this list is the forensic residue of a specific offensive technique. The better you understand the technique, the faster you recognize the indicator.