CompTIA Security+ Practice Test of the Day 260309

Welcome to today’s CompTIA Security+ practice test!

This practice test uses our new UI!

Today’s practice test is based on Subdomain 2.4 (Given a scenario, analyze indicators of malicious activity.) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

To choose CompTIA Security+ practice tests based on specific domains/subdomains, click that link.

CompTIA Security+ Practice Test of the Day 260309

10 questions • Single best answer

Question 1

A SOC analyst is reviewing endpoint telemetry and notices that a workstation has been sending outbound data to an external IP address in 5-minute intervals throughout the night. The transfers are small and consistent, suggesting automated behavior rather than a user-initiated session. No user was logged in during the time the transfers occurred, and the process responsible has a name closely resembling a legitimate Windows system process. What type of malware is MOST likely responsible for this behavior?

A. Ransomware B. Logic bomb C. Rootkit D. Trojan

Question 2

An analyst at a financial institution is reviewing authentication logs and notices that a service account successfully authenticated from two different geographic locations — New York and Singapore — within a 20-minute window. The account has never been used outside of the continental United States, and there is no record of a VPN connection or business travel justifying the Singapore login. The security team has not received any alert from their SIEM. Which indicator of malicious activity does this scenario BEST represent?

A. Concurrent session usage B. Impossible travel C. Out-of-cycle logging D. Resource consumption

Question 3

A penetration tester has gained access to a target network and is enumerating internal systems. While reviewing running processes on a compromised Windows host, they discover a process that loads before the operating system boots, intercepts system calls, and is invisible to both the Task Manager and the installed antivirus solution. The tester is unable to detect the process using standard OS-level enumeration tools. Which type of malware is MOST consistent with this behavior?

A. Worm B. Spyware C. Rootkit D. Keylogger

Question 4

During a threat hunt exercise, a security analyst discovers that several endpoint systems in the organization began exhibiting abnormal behavior simultaneously on the same date — the last day of employment for a recently terminated systems administrator. The systems started deleting critical database backup files and disabling scheduled tasks. Prior to this date, all systems appeared to function normally and no malicious code was detected. Which type of malware attack does this scenario BEST describe?

A. Ransomware B. Worm C. Logic bomb D. Trojan

Question 5

An analyst in a SOC receives an alert that a user account has been locked out after 10 failed login attempts within a two-minute window. Upon further investigation, the analyst finds that the same username was attempted against 47 different accounts in the domain over the past hour, but only this one account was locked out. The password attempts appear to use a single, commonly used password across all accounts. Which attack technique does this behavior MOST likely represent?

A. Brute force B. Credential replay C. Password spraying D. On-path attack

Question 6

A security administrator reviewing SIEM dashboards notices a sharp spike in outbound DNS query volume from a single internal workstation. The queries are being sent to an external DNS resolver not in the organization's approved list, and the subdomains in each query are unusually long — each appearing to contain encoded strings of random-looking characters. The workstation is in the finance department and handles sensitive payroll data. Which type of malicious activity does this behavior MOST strongly suggest?

A. DNS amplification attack B. DNS tunneling for data exfiltration C. Credential replay attack D. Watering hole attack

Question 7

An attacker has compromised a web server and escalated privileges to the root account. Log review conducted during the incident response process reveals that system logs from the 72-hour window surrounding the initial compromise are completely absent, even though the logging service shows as running and logs from before and after the window are intact. The forensic team finds no evidence of the logging service being stopped or restarted during that period. Which indicator of compromise does the absence of these logs BEST represent?

A. Out-of-cycle logging B. Blocked content C. Missing logs D. Resource inaccessibility

Question 8

A security analyst is investigating an alert triggered by the organization's EDR solution on a user's laptop. The EDR flagged that a Microsoft Word document, when opened, launched a PowerShell process that then downloaded and executed a secondary payload from a remote host. The user received the document as an email attachment from what appeared to be a trusted vendor. No vulnerabilities in Word were exploited — the document contained an embedded macro that the user enabled when prompted. Which malware category BEST describes the initial document used in this attack?

A. Virus B. Worm C. Trojan D. Rootkit

Question 9

An analyst observes that a production web server has begun consuming 98% of its CPU and nearly all available memory during off-peak hours when user traffic is minimal. A review of running processes reveals dozens of instances of an unfamiliar process executing under the context of the web server's service account. Network logs show outbound connections to several cryptocurrency mining pool addresses from the same server. Which type of malicious activity does this scenario MOST likely represent?

A. Logic bomb detonation B. Bloatware installation C. Resource consumption via cryptomining malware D. Spyware collecting system metadata

Question 10

During routine log analysis, a security analyst at a healthcare organization notices that a privileged administrator account has been actively logged into the EHR (Electronic Health Records) system and has been running large database export queries between 2:00 AM and 4:00 AM on multiple occasions over the past two weeks. The assigned administrator works a standard 9-to-5 shift and has not reported working after hours. When questioned, the administrator denies any knowledge of the activity. Which TWO indicators of malicious activity are MOST clearly present in this scenario? (Select the answer that identifies both.)

A. Impossible travel and account lockout B. Concurrent session usage and resource inaccessibility C. Out-of-cycle logging and concurrent session usage D. Missing logs and impossible travel