2.4 Domain 2 · Threats, Vulnerabilities & Mitigations

Indicators of Malicious Activity

Analyze indicators across malware, physical, network, application, cryptographic, and password attacks — and separate noise from real compromise.

The Concept

An indicator of compromise (IoC) is an observable artifact that suggests malicious activity. Security+ tests your ability to read an indicator — file extension changes, impossible travel, many failed logins on one account, a TLS session dropping to SSLv3 — and name the attack class. The exam does not ask you to reverse-engineer malware; it asks you to recognize the signature.

Six indicator families are tested: malware (ransomware, trojan, worm, spyware, bloatware, virus, keylogger, logic bomb, rootkit), physical (brute force, RFID cloning, environmental), network (DDoS, DNS attacks, wireless, on-path, credential replay, malicious code), application (injection, buffer overflow, replay, privilege escalation, forgery, directory traversal), cryptographic (downgrade, collision, birthday), and password (spraying vs. brute force). Plus generic IoCs: account lockouts, concurrent sessions, impossible travel, resource consumption, missing logs.

Malware indicators. Ransomware — new file extensions like .locked or .crypt, ransom notes on desktops, file-entropy spikes, shadow copies deleted, unusual internal SMB traffic. Trojan — legitimate-looking program that hides malicious function; beacons to command-and-control, unusual outbound connections, unexpected scheduled tasks. Worm — self-propagating; rapid increase in network scans, sequential hosts compromised, SMB/445 spikes. Spyware — keylogging, screen capture, hidden browser extensions. Bloatware — pre-installed unnecessary software; more nuisance than malware but widens attack surface. Virus — attaches to host files; file-integrity alerts, AV signatures firing on user files. Keylogger — captures keystrokes; data exfil to C2, suspicious input-API hooks. Logic bomb — triggers on a date or event; dormant code discovered in source or binary review. Rootkit — hides presence below the OS; kernel-mode drivers, mismatches between external scans and host-reported state, bootkit artifacts in MBR or UEFI.

Physical indicators. Brute force (physical) — broken locks, forced entry, tampered enclosures. RFID cloning — duplicate badge reads at implausible locations or times. Environmental — HVAC or power disruptions that knock equipment offline.

Network indicators. DDoS — amplified (small request, huge reflected response from DNS, NTP, or memcached) and reflected (spoofed source IP; flood lands on the victim). DNS attacks — hijacking or poisoning send users to wrong IPs, TTL changes, unexpected NS records. Wireless — rogue AP, deauthentication floods, evil twin with matching SSID. On-path (MITM) — TLS certificate mismatches, unexpected ARP changes, gateway MAC changes. Credential replay — the same session token used from two geolocations, re-authentication without login activity. Malicious code — scripts from non-standard paths, PowerShell with encoded commands, LOLBins (rundll32, mshta, regsvr32) spawning network connections.

Application indicators. Injection — error messages revealing DB schema, unexpected SQL in WAF logs, rows disappearing. Buffer overflow — application crashes with access violations, segmentation faults, unexpected memory addresses in logs. Replay — repeated identical requests with valid auth tokens. Privilege escalation — a user suddenly performing admin actions, new admin group members. Forgery — forged tokens or cookies, CSRF signatures with referer mismatches. Directory traversal — ../ patterns in URLs, file reads outside the web root.

Cryptographic indicators. Downgrade — TLS negotiations dropping to TLS 1.0 or SSLv3. Collision — two inputs producing the same hash (MD5 and SHA-1 weaknesses). Birthday — probabilistic hash collision; mostly theoretical but raises alarms if used against certificates.

Password indicators. Spraying — one password tried against many accounts; slow lockouts spread across the directory. Brute force — many passwords against one account; fast lockouts on a single account. Direction matters: spray is wide, brute is deep.

Generic IoCs. Account lockouts, concurrent session usage, impossible travel (login from two distant geos in minutes), blocked content, resource consumption spikes, resource inaccessibility, out-of-cycle logging, published/documented IoC matches, and missing logs (attackers often clear their tracks).

Indicator | Attack class | Key clue
Files renamed with .locked extension + ransom note | Ransomware | Mass rename + extortion text
Rapid SMB/445 scans across subnet, sequential infections | Worm | Self-propagation pattern
Outbound beacons on a fixed interval from workstation | Trojan / C2 implant | Periodic, low-volume, predictable
Hidden kernel driver, external scan disagrees with host | Rootkit | Host-reported state is suspect
Dormant code that triggers on a specific date | Logic bomb | Time- or event-triggered payload
One failed login, many accounts, slow rate | Password spraying | Wide — many accounts, one password
Many failed logins, one account, fast rate | Brute force | Deep — one account, many guesses
Login from NY and Lagos within 5 minutes | Impossible travel / credential compromise | Geography impossible
TLS negotiation drops from 1.3 to SSLv3 | Downgrade attack | Protocol regression
Two inputs, same MD5 hash | Collision attack | Hash integrity broken
DNS responses pointing to wrong IPs, TTL changes | DNS poisoning / hijacking | Name-resolution integrity
Rogue AP with matching SSID, stronger signal | Evil twin | Wireless impersonation
Same session token used from two distant IPs | Credential replay | Token reuse across locations
Repeated identical authenticated requests | Replay attack (application) | Exact duplicate flow
URL contains ../../../etc/passwd | Directory traversal | Path escape pattern
Entire log file missing for Tuesday 2-4am | Tampering — missing logs IoC | Gaps during suspicious window

Key Takeaway

Spraying = wide. Brute force = deep. If the scenario describes one password across many accounts, pick spraying. If it describes many passwords against one account, pick brute force. The direction is the question — nothing else matters for that pair.

A mid-size SaaS company sees authentication alerts overnight. The SIEM flags several hundred failed login attempts against the company’s SSO provider. The pattern: dozens of different user accounts, each with only two or three failures, spread across an hour. No account has been locked out. The SOC Analyst and the Identity Team Lead are naming different attacks.

Scenario
Hundreds of Failed Logins, No Lockouts
SSO provider · many accounts · 2-3 fails each · no lockouts
Identity Team Lead: “Hundreds of failures overnight — this smells like a brute-force attack. Let’s lock down the accounts and rotate passwords.”
SOC Analyst: “Read the pattern again. Brute force is many passwords against one account — fast lockouts on a single account. What we have is a handful of guesses against many different accounts. That is password spraying — one or two common passwords tried across a wide user list.”
Identity Team Lead: “What do you recommend, then? Just increase the lockout threshold?”
SOC Analyst: “The opposite. Lockouts don’t catch spraying because no single account hits the threshold. Enforce MFA everywhere, deploy conditional access by geo and device, and alert on many accounts failing with the same password rather than one account failing many times. Then review which accounts still lack MFA — the attacker is looking for that gap.”
Compensating Action

Change the detection signal, not just the lockout threshold. Build a SIEM rule for “N distinct accounts failing with identical password within M minutes.” That catches spraying even when no individual account crosses a lockout line. Pair with tenant-wide MFA enforcement and geo/device conditional access to raise the cost of successful guesses.
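The compensating detection described above, as an added example (not code from the page or from any SIEM product): it keys the rule on source IP and the distribution of failures across accounts, since authentication logs do not record the attempted password itself, and contrasts that with a per-account lockout policy that the spray never trips. The log lines and thresholds are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample auth log (not from any real system). Format: "<ISO time> <user> <source IP> <result>"
# Spray shape: 8 different accounts, 2 failures each, one source, all inside a couple of minutes.
SPRAY_LINES = [f"2024-03-05T02:{10 + i // 8}:{(i % 8) * 7:02d}Z user{i % 8} 203.0.113.9 FAIL"
               for i in range(16)]
# Brute-force shape: 40 failures against one account from one source in four minutes, then a success.
BRUTE_LINES = [f"2024-03-05T09:0{i // 10}:{(i % 10) * 6:02d}Z admin 198.51.100.7 FAIL"
               for i in range(40)] + ["2024-03-05T09:04:00Z admin 198.51.100.7 SUCCESS"]
# A single typo by a legitimate user should match neither shape.
SAMPLE_LOG = SPRAY_LINES + BRUTE_LINES + ["2024-03-05T09:30:00Z grace 192.0.2.44 FAIL"]


def parse(line):
    ts, user, src, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, src, result


def classify(lines, window_minutes=10, spray_min_accounts=5,
             spray_max_per_account=3, brute_min_fails=20):
    """Return {source_ip: label} for sources whose failures have a spray or brute-force shape.
    Failures are grouped per source IP into fixed time buckets; the label comes from the
    shape of the bucket: width (distinct accounts) vs. depth (failures on one account)."""
    buckets = defaultdict(Counter)  # (src, bucket start) -> failures per user
    for line in lines:
        ts, user, src, result = parse(line)
        if result != "FAIL":
            continue
        bucket = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0)
        buckets[(src, bucket)][user] += 1
    findings = {}
    for (src, _), per_user in buckets.items():
        deepest = max(per_user.values())
        if deepest >= brute_min_fails:
            findings[src] = "brute_force"        # deep: one account, many guesses
        elif len(per_user) >= spray_min_accounts and deepest <= spray_max_per_account:
            findings[src] = "password_spraying"  # wide: many accounts, few guesses each
    return findings


def accounts_locked_out(lines, threshold=5):
    """Emulate a per-account lockout policy: which accounts ever reach `threshold` failures?"""
    fails = Counter()
    for line in lines:
        _, user, _, result = parse(line)
        if result == "FAIL":
            fails[user] += 1
    return {user for user, n in fails.items() if n >= threshold}
```

Only the admin account ever reaches the lockout threshold; the sprayed accounts stay under it, which is why the shape-based rule is the signal that matters.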

Real Talk — Career Context

The lockout policy that stops brute force enables spraying. Attackers study defenders. If your lockout is “5 failures per account,” they will spray at 3 failures per account across thousands of identities. The correct defense is MFA plus behavior-based detection, not more aggressive lockouts — which just help attackers DoS legitimate users.

On the exam: the answer depends on direction. Width across accounts = spraying. Depth on one account = brute force. Memorize the shape and you will not miss it.

A VP laptop is flagged by the SOC for periodic outbound beacons to an IP in a foreign country. Host EDR reports the machine is clean. An external network capture shows the beacons clearly. After reimaging and re-enrolling, the beacons return within 48 hours. Which indicator class BEST explains the persistence despite EDR seeing nothing?

Option A
Trojan (userland C2 implant)

A legitimate-looking app with a hidden malicious component beacons on a schedule. EDR should detect it, but maybe the signature is new or obfuscated.

Option B
Rootkit (kernel/firmware-level)

Rootkits hide from the OS itself, so EDR running on the host cannot see them. External scans see the network activity; host-level tools do not. Persistence below the OS explains survival across reimage.

Option B is the stronger fit — rootkit (likely firmware or bootkit)

Option B: The distinguishing fingerprint is the mismatch between external network observation (beacons clearly present) and host-level view (EDR reports clean). That pattern — the OS lying to its own tools — is the rootkit signature. Reimaging the OS does not help because firmware or bootkit persistence lives below the OS. Fix paths are external verification, firmware re-flash or hardware replacement, and network-side containment.

Option A’s kernel of truth: a stealthy trojan is a reasonable first guess and is more common. But a user-mode trojan should eventually be caught by EDR, and it should not survive a clean reimage. Persistence across reimaging plus EDR blindness together point below the OS.

On the exam: if the host tools disagree with external observation, think rootkit. If reimaging does not remove the beacons, think firmware or bootkit rootkit.

Spraying vs. brute force direction
This is the single most-missed pair on Domain 2. Spraying = wide (one password, many accounts). Brute force = deep (many passwords, one account). The exam will give you the shape of the login attempts; match the shape, not the volume.
Why it is tempting: both are “lots of failed logins.”
Every spike is an attack
Resource consumption, concurrent sessions, and traffic volume all have legitimate baselines. Patch Tuesday causes CPU spikes. A sales spike causes login concurrency. Before calling an IoC, correlate against the baseline and the context. The exam sometimes offers “benign operational event” as the right answer for isolated spikes.
Why it is tempting: every anomaly feels suspicious.
Impossible travel is always compromise
Impossible travel is a strong indicator but not infallible. Users on VPNs, corporate proxies, or mobile networks can generate apparent geo-jumps. Confirm with device fingerprint, session token continuity, and secondary signals before declaring compromise. The exam occasionally uses “VPN” as the pivot.
Why it is tempting: geo-jumps are visually obvious and feel conclusive.
Amplified and reflected DDoS are the same thing
Related, not identical. Amplified means a small request produces a large response (DNS, NTP, memcached are classic amplifiers). Reflected means the source IP is spoofed so the victim receives the flood from third parties. Many attacks are both; the exam may test either term alone.
Why it is tempting: the two concepts almost always co-occur.
Missing logs = “we forgot to turn logging on”
In IoC context, missing logs during a suspicious window is evidence of tampering — attackers clearing their tracks. It is not the same as logging-never-enabled. The exam frames this as a post-incident signal: logs were present before and after, but a gap sits squarely over the suspected activity. That gap is the indicator.
Why it is tempting: “no logs” sounds like a configuration failure.
Exam Signal

Indicator questions describe an observation and ask for the attack. Read for: (1) the shape of the activity (wide vs. deep, one vs. many, fast vs. slow), (2) the layer (network, host, auth, app, crypto), and (3) the direction (inbound probe vs. outbound beacon, internal scan vs. external exfil). Shape plus layer plus direction usually lands the right answer in under 30 seconds.

Quick Check — 2.4 Q1
An authentication log shows 842 failed logins against a single admin account within 6 minutes from a single external IP, followed by a successful login. Which attack is this?
  • A Password spraying
  • B Brute-force password attack
  • C Credential replay
  • D Impossible travel

Correct: B. Many password attempts against a single account in a short window is brute force — depth, not breadth.

A wrong: Spraying would show one or two attempts per account across many accounts, not hundreds of attempts on one.

C wrong: Replay uses a captured valid token, not raw password guesses; there would not be hundreds of failures.

D wrong: Impossible travel requires simultaneous logins from distant geographies — the scenario is a single IP.

Source: CompTIA SY0-701 Objectives v5.0 — 2.4 Indicators of Malicious Activity

Quick Check — 2.4 Q2
Packet captures show that when a user browses an internal web app, the TLS handshake starts at TLS 1.3 but is intercepted and downgraded to SSLv3 before completing. Which attack is this an indicator of?
  • A Collision attack
  • B Birthday attack
  • C Downgrade attack
  • D DNS poisoning

Correct: C. Forcing a session to use an older, weaker cryptographic protocol is the textbook downgrade attack, a common on-path technique against TLS.

A wrong: Collision attacks involve finding two inputs with the same hash output, not protocol negotiation.

B wrong: Birthday attacks are a probabilistic flavor of collision attack; they do not describe protocol version regression.

D wrong: DNS poisoning tampers with name resolution, not TLS protocol negotiation.

Source: CompTIA SY0-701 Objectives v5.0 — 2.4 Indicators of Malicious Activity

Quick Check — 2.4 Q3
A finance user logs in from New York at 09:02 local. At 09:07 the same session cookie is used from a source IP geolocated in Lagos, Nigeria. Both sessions appear valid. Which IoC BEST fits?
  • A Buffer overflow
  • B Worm propagation
  • C Impossible travel / credential replay
  • D Privilege escalation

Correct: C. The same session token used from two impossibly distant geographies within minutes is the canonical impossible-travel / credential-replay signal.

A wrong: Buffer overflow is an application-memory condition; it does not describe session-token geography.

B wrong: Worm propagation produces rapid network-scanning patterns, not session geo-jumps.

D wrong: Privilege escalation shows a user acquiring rights they previously lacked; the scenario is about location, not permission.

Source: CompTIA SY0-701 Objectives v5.0 — 2.4 Indicators of Malicious Activity

Disclaimer: This content is provided for educational and exam preparation purposes only. It is not official CompTIA content, is not endorsed by CompTIA, and does not guarantee exam success. All practice questions are original and based on the published CompTIA SY0-701 Exam Objectives (v5.0). Always refer to the official CompTIA Security+ Exam Objectives as your primary reference.