CompTIA Security+ Practice Test of the Day 071625

Welcome to today’s CompTIA Security+ practice test!

Today’s practice test is based on Subdomain 2.4 (Given a scenario, analyze indicators of malicious activity) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

10 questions • Single best answer
Question 1
A hospital's file server becomes inaccessible. An analyst finds that all documents have been renamed with a '.locked' extension and a ransom note demands cryptocurrency for a decryption key. Which malware type is described?

Question 2
A security analyst reviews endpoint logs and discovers a process that is silently recording every key pressed on a user's machine, including passwords and credit card numbers entered into a browser. The captured data is periodically sent to an external server. Which malware type is described?

Question 3
A malware analyst examines a sample that loads itself into kernel memory and intercepts OS calls to hide its presence. The malware masks its associated files, registry keys, and network connections from antivirus tools and system utilities. Which malware type is described?

Question 4
A developer hides code in a company's payroll application that will delete all salary records if her employee ID is ever removed from the HR database. She is subsequently terminated and the code executes, destroying payroll data. Which malware type is described?

Question 5
A SOC analyst detects a spike in outbound DNS queries from a workstation to hundreds of unique external domains. Investigation reveals malware is encoding command-and-control traffic within DNS responses — bypassing traditional firewall rules that only block direct outbound connections. Which attack technique is MOST likely being used?

Question 6
An analyst reviews SIEM alerts and finds that a user account authenticated successfully from New York at 8 AM and then again from Tokyo at 8:45 AM the same morning. No flight could account for this travel. Which indicator of malicious activity is described?

Question 7
A penetration tester captures a valid Kerberos ticket from a network session and later resubmits the same ticket to authenticate as the legitimate user without knowing the user's password. Which network attack technique is described?

Question 8
A web application vulnerability allows an attacker to include malicious input in a form field that modifies the SQL query to return all user records, bypassing authentication. The application responds with a user list instead of an error. Which attack type is described?

Question 9
An attacker exploits a vulnerability in a web application to gain access as a standard user, then leverages a misconfigured SUID binary to elevate their access to root. Which attack technique does the second step represent?

Question 10
A SIEM alert fires when a user account generates three times its normal volume of authentication events at 3 AM on a Saturday. The account's typical activity pattern shows logins only on weekdays between 8 AM and 6 PM. Which indicator of malicious activity BEST describes this anomaly?