Welcome to today’s practice test!
Today’s practice test is based on subdomain 2.4 (Given a scenario, analyze indicators of malicious activity) from the CompTIA Security+ SY0-701 objectives.
This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.
These questions are not official exam questions, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.
#1. A SOC analyst notices repeated failed login attempts followed by a successful login to a critical server, all originating from the same IP address within minutes. What is the most likely indicator of malicious activity?
#2. A user reports that their machine is running slower than usual, and the SOC team notices it has been communicating with multiple unknown external IPs at regular intervals. What is the most likely cause?
#3. Which of the following is an indicator of credential replay?
#4. An analyst observes a significant spike in outbound traffic during non-business hours from a single endpoint. What does this most likely indicate?
#5. What does an “impossible travel” alert most likely indicate?
#6. An analyst observes unexpected new accounts created on a domain controller. What does this indicate?
#7. Which of the following is NOT a valid indicator of malicious activity?
#8. A SIEM flags unusual login times outside of a user’s normal pattern. This is best described as:
#9. A security team finds that log files have been deleted following an incident. What does this most likely indicate?
#10. A SIEM tool highlights an endpoint with elevated resource usage and no user logged in. What should be suspected?
Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.
To view CompTIA Security+ practice tests on other days, click here. To view answers and explanations for today’s questions, expand the Answers accordion below.
Answers
| Number | Answer | Explanation |
|---|---|---|
| 1 | A | The pattern of “repeated failed login attempts followed by a successful login… from the same IP address within minutes” is the classic signature of a brute force attack: the attacker systematically tries username/password combinations until one works, and the success at the end of the run of failures is what separates an attack from a user mistyping a password. DNS poisoning manipulates DNS records to redirect traffic; it does not produce login failures or successes. ARP spoofing is a network-layer attack that associates the attacker’s MAC address with another host’s IP address, typically for man-in-the-middle attacks, not for guessing logins. A rogue DHCP server hands out incorrect network configuration; it is a network infrastructure problem and has no direct relation to login attempts. |
| 2 | B | A worm best fits all the symptoms. A worm is self-replicating malware that spreads across networks; scanning for new targets and checking in with command and control servers consumes system resources (the slowdown) and generates connections to many unknown external IPs, often at fixed intervals (beaconing). A VPN misconfiguration might cause connectivity problems, but it would not make the machine generally slower or produce patterned traffic to multiple unknown external IPs. Patch deployment can temporarily slow a machine during installation or reboot, but it does not involve persistent communication with multiple unknown external IPs at regular intervals. A backup process will slow a machine and use the network, but toward known, authorized backup destinations, not “multiple unknown external IPs.” |
| 3 | A | Credential replay, which includes pass-the-hash and pass-the-ticket, involves an attacker reusing stolen but still valid authentication material (passwords, hashes or tickets) to log in as the victim. If the same credentials are used from geographically distant locations at the same or nearly the same time, it strongly indicates that they have been compromised and are being replayed by an attacker. Incomplete system patching is a vulnerability, not an indicator of a specific attack such as credential replay. High CPU usage can indicate many things (a denial-of-service attack, malware, or legitimate heavy load), but it is not a direct indicator of credential replay. Frequent password reset requests might mean an attacker is probing for access or that users are struggling with their passwords, but they do not show that stolen credentials are being successfully replayed. |
| 4 | C | A “significant spike in outbound traffic” from a single endpoint, especially “during non-business hours” when legitimate traffic is expected to be low, is a very strong indicator of data exfiltration. Attackers often attempt to transfer stolen data out of the network in large volumes during off-peak times to avoid detection. Impossible travel is an indicator of compromise related to login attempts from geographically impossible locations within a short timeframe, not network traffic spikes. Account lockout is a security measure triggered by too many failed login attempts, not a sign of outbound network traffic. License overuse is a compliance issue related to software licensing, and it does not directly manifest as a spike in outbound network traffic. |
| 5 | C | An “impossible travel” alert is triggered when a user account logs in from two geographically distant locations within a time frame that makes physical travel between those points impossible. This is a very strong indicator that the user’s credentials have been compromised and are being used by an unauthorized party from a different location. Privilege escalation is when an attacker gains higher access rights on a system; a compromised account might lead to this, but the “impossible travel” alert itself points to compromised login credentials. Malware could be the method by which credentials were stolen, but the alert specifically indicates an unusual login pattern, not the presence of malware on a device. VPNs can make a user appear to be in a different location, and security systems typically account for known VPN egress points; when an “impossible travel” alert fires anyway, it is signalling suspicious activity (compromised credentials), not simply legitimate VPN use. |
| 6 | D | When an attacker controls a system or user account with limited privileges and then exploits a vulnerability or misconfiguration to gain higher-level access (such as administrative rights on a domain controller), this is privilege escalation. Creating “unexpected new accounts on a domain controller” is a classic post-exploitation activity once an attacker has escalated to administrative level, because it establishes persistent backdoor access. Shadow IT refers to unauthorized IT systems or services that employees adopt for convenience; although it involves unauthorized actions by insiders, it does not typically manifest as malicious new accounts on core infrastructure like a domain controller. An insider threat could create unexpected accounts, but that option describes who the actor is, not the type of malicious activity that allowed the account creation, and an external attacker who has escalated privileges fits the scenario just as well. A rootkit is designed to hide the presence of malware or malicious activity; one might be installed after privilege escalation, but the direct observation of “unexpected new accounts” is an indicator of the successful privilege escalation itself, not specifically of a rootkit. |
| 7 | C | Scheduled patch deployment is a legitimate and routine IT security activity. It is part of maintaining system health and security, not an indicator of malicious activity. Concurrent sessions can be an indicator of malicious activity, especially when multiple sessions for the same user originate from different or geographically impossible locations at the same time (for example, credential sharing or a replay attack). Alerts for blocked content (from firewalls, web filters, or antivirus) mean a security control has identified and stopped something potentially malicious, such as malware, a phishing site, or an unauthorized data transfer; the content was blocked, but the attempt itself was malicious. Log entries that fall outside normal or expected operational patterns (logins at 3 AM from unusual IPs, unexpected system reboots, or unexplained service stoppages) can be a strong indicator of malicious or unauthorized activity. |
| 8 | C | Anomaly detection is a technique used by SIEMs (Security Information and Event Management systems) to identify patterns of activity that deviate significantly from a baseline of normal or expected behavior. A user logging in outside their “normal pattern” is precisely what anomaly detection aims to flag. Blocked content refers to actions taken by security controls to prevent access to malicious or unauthorized data (e.g., a firewall blocking a dangerous website). It’s not about login times. Resource consumption refers to the amount of CPU, memory, network bandwidth, etc., being used by a system. While a login might consume resources, “unusual login times” doesn’t directly describe resource consumption. Concurrent access refers to multiple users or sessions accessing a resource at the same time. While unusual login times could coincide with concurrent access, the direct observation described (deviating from a user’s normal pattern) is an anomaly. |
| 9 | C | The deletion of log files immediately following a security incident is a classic indicator that an attacker or malicious actor is attempting to tamper with evidence to cover their tracks, destroy forensic data, and hinder incident response efforts. While a log retention misconfiguration could lead to logs being unavailable, it wouldn’t typically happen immediately following an incident as a deliberate act. This implies malicious intent to hide actions. An Intrusion Prevention System (IPS) failure means it failed to stop an intrusion. While an IPS failure might have allowed the incident to occur, the deletion of log files afterwards is a separate, post-compromise activity, not a direct indicator of IPS failure itself. Network segmentation is a security practice that divides a network into smaller, isolated segments to limit the spread of breaches. It has no direct relation to the deletion of log files after an incident. |
| 10 | D | Malicious cryptocurrency mining (cryptojacking) is a common form of malware that hijacks an endpoint’s processing power (CPU and/or GPU) to mine cryptocurrencies for an attacker. This activity is highly resource-intensive, leading to elevated resource usage, and is often designed to run silently in the background, even when no user is logged in, making it a prime suspect for the observed symptoms. A DoS attack typically targets a service or server to make it unavailable by overwhelming it. While an endpoint might be part of a botnet launching a DDoS, the direct “elevated resource usage” on the endpoint itself, especially without a user, more directly points to something consuming resources on the endpoint. Steganography is the art of hiding data within other data (e.g., in images). It’s a method of concealment and doesn’t inherently cause significant, sustained “elevated resource usage.” A logic bomb is malicious code that triggers under specific conditions. While it could cause resource spikes when triggered, the consistent “elevated resource usage” and “no user logged in” specifically points more towards an ongoing, continuous process like mining, rather than a one-time or condition-based execution of a logic bomb. |
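Question 1 describes the brute force signature (a run of failed logins followed by a success from the same source within minutes). The following is an added example of the detection logic a SOC analyst would run over authentication logs; it is not part of the original practice test. The log format and the sample lines are constructed for this example, and the failure threshold and time window are assumptions that would be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not from any real system), in an
# assumed format: "<ISO timestamp> <FAILED|SUCCESS> user=<name> src=<ip>".
# Events are assumed to be in chronological order, as a SIEM would deliver them.
SAMPLE_LOG = """\
2024-03-01T02:14:01 FAILED user=admin src=203.0.113.7
2024-03-01T02:14:03 FAILED user=admin src=203.0.113.7
2024-03-01T02:14:05 FAILED user=admin src=203.0.113.7
2024-03-01T02:14:08 FAILED user=admin src=203.0.113.7
2024-03-01T02:14:10 FAILED user=admin src=203.0.113.7
2024-03-01T02:14:12 SUCCESS user=admin src=203.0.113.7
2024-03-01T09:00:00 FAILED user=alice src=198.51.100.5
2024-03-01T09:00:20 SUCCESS user=alice src=198.51.100.5
"""


def parse_line(line):
    """Split one log line into a dict with a datetime and the key=value fields."""
    ts, result, user_field, src_field = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "result": result,
        "user": user_field.split("=", 1)[1],
        "src": src_field.split("=", 1)[1],
    }


def find_brute_force(log_text, min_failures=5, window=timedelta(minutes=5)):
    """Return one hit per successful login that was preceded, from the same
    source IP, by at least `min_failures` failures inside `window`.

    Failures are tracked per source rather than per user so that a password
    spray (many users, one source) is caught as well as a single-account attack.
    Each hit is (src_ip, user, failure_count, success_timestamp)."""
    failures = defaultdict(list)  # src ip -> timestamps of recent failures
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["result"] == "FAILED":
            failures[ev["src"]].append(ev["ts"])
        elif ev["result"] == "SUCCESS":
            recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
            if len(recent) >= min_failures:
                hits.append((ev["src"], ev["user"], len(recent), ev["ts"]))
            # A success resets the counter: the next run of failures is judged on its own.
            failures[ev["src"]].clear()
    return hits


if __name__ == "__main__":
    for src, user, n, ts in find_brute_force(SAMPLE_LOG):
        print(f"ALERT brute force: {src} -> {user} after {n} failures, success at {ts}")
```

Alice's single failure followed by a success is the ordinary mistyped-password case and is not flagged; the admin login from 203.0.113.7 is, because five failures landed inside the window before the success.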

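The explanation for question 2 points out that malware checking in with its controllers produces connections to unknown external IPs "at regular intervals". As an added example, not part of the original test, the following script scores how regular the gaps between a host's connections to each destination are; a coefficient of variation near zero means a fixed-interval beacon. The connection-record format, the sample records and the thresholds are constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample outbound-connection records (not a real capture), in an
# assumed format: "<ISO timestamp> <source host> -> <destination ip>".
SAMPLE_CONNS = """\
2024-03-01T10:00:00 ws-17 -> 192.0.2.44
2024-03-01T10:05:01 ws-17 -> 192.0.2.44
2024-03-01T10:09:59 ws-17 -> 192.0.2.44
2024-03-01T10:15:00 ws-17 -> 192.0.2.44
2024-03-01T10:20:02 ws-17 -> 192.0.2.44
2024-03-01T10:24:58 ws-17 -> 192.0.2.44
2024-03-01T10:01:13 ws-17 -> 198.51.100.80
2024-03-01T10:02:40 ws-17 -> 198.51.100.80
2024-03-01T10:17:05 ws-17 -> 198.51.100.80
2024-03-01T10:45:30 ws-17 -> 198.51.100.80
2024-03-01T11:02:11 ws-17 -> 198.51.100.80
"""


def parse_conns(text):
    """Group connection timestamps by (source host, destination ip)."""
    by_pair = defaultdict(list)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, src, _arrow, dst = raw.split()
        by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    return by_pair


def beacon_score(timestamps):
    """Coefficient of variation (stdev / mean) of the gaps between connections.
    Human-driven traffic is bursty (high value); a timer-driven beacon with
    little jitter scores close to 0. Returns None when there are too few gaps."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    return pstdev(gaps) / mean(gaps)


def find_beacons(text, min_connections=5, max_cv=0.1):
    """Return (src, dst, mean_gap_seconds, cv) for every pair whose connection
    timing is regular enough to look like a beacon."""
    hits = []
    for (src, dst), ts in parse_conns(text).items():
        if len(ts) < min_connections:
            continue
        cv = beacon_score(ts)
        if cv is None or cv > max_cv:
            continue
        ts_sorted = sorted(ts)
        gaps = [(b - a).total_seconds() for a, b in zip(ts_sorted, ts_sorted[1:])]
        hits.append((src, dst, round(mean(gaps)), cv))
    return hits


if __name__ == "__main__":
    for src, dst, gap, cv in find_beacons(SAMPLE_CONNS):
        print(f"ALERT beacon: {src} -> {dst} every ~{gap}s (cv={cv:.3f})")
```

In the sample, ws-17 contacts 192.0.2.44 every five minutes with a few seconds of jitter and is flagged; its irregular traffic to 198.51.100.80 is not. Real malware often adds deliberate jitter, so in practice the threshold is tuned against known-good traffic such as update checks and monitoring agents, which beacon just as regularly.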

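Questions 3 and 5 both turn on the same computation: two logins for one account from places too far apart for the elapsed time. As an added example that is not part of the original practice test, the following code implements that check with a great-circle distance and a maximum plausible speed. The sign-in events, coordinates, speed limit and the 50 km ignore radius are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass
class Login:
    user: str
    ts: datetime
    lat: float
    lon: float
    location: str  # human-readable label used only in the alert


# Constructed sample sign-in events (not from a real identity provider).
# Coordinates are rounded city centres; all timestamps are assumed to be UTC.
SAMPLE_LOGINS = [
    Login("bob",   datetime.fromisoformat("2024-03-01T08:00:00"), 40.71, -74.01, "New York"),
    Login("bob",   datetime.fromisoformat("2024-03-01T09:30:00"), 51.51,  -0.13, "London"),
    Login("carol", datetime.fromisoformat("2024-03-01T08:00:00"), 40.71, -74.01, "New York"),
    Login("carol", datetime.fromisoformat("2024-03-01T12:00:00"), 42.36, -71.06, "Boston"),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins, max_speed_kmh=900.0, ignore_within_km=50.0):
    """Compare each user's consecutive logins and return
    (user, from_location, to_location, implied_speed_kmh) for every pair whose
    implied speed exceeds `max_speed_kmh` (roughly airliner speed).

    Pairs closer than `ignore_within_km` are skipped so that geolocation jitter
    inside one metro area does not fire. Two distant logins at the same instant
    (the credential replay case of question 3) get an infinite speed."""
    by_user = {}
    for login in logins:
        by_user.setdefault(login.user, []).append(login)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.ts)
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < ignore_within_km:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append((user, prev.location, cur.location, speed))
    return alerts


if __name__ == "__main__":
    for user, src, dst, speed in impossible_travel(SAMPLE_LOGINS):
        print(f"ALERT impossible travel: {user} {src} -> {dst} at {speed:.0f} km/h")
```

Bob would have had to cover the New York to London distance (roughly 5,570 km) in ninety minutes, so his second login is flagged; Carol's New York to Boston move over four hours is well within driving speed and is not. As the explanation for question 5 notes, corporate VPN and proxy egress points are the main source of false positives here, so a production version would map known egress IPs to the user's real region before scoring.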

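Questions 4 and 8 are both answered by comparing an observation against a baseline of normal behaviour: an outbound-traffic volume that dwarfs what that endpoint usually sends at that hour, or a login at an hour when that user never logs in. The following added example, not part of the original test, shows one simple baseline-deviation check (a z-score against per-hour history) applied to both kinds of signal, including the zero-variance edge case where a user has never logged in at that hour. The baselines, observations and the three-sigma threshold are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed baselines (not real telemetry). Each key is (metric, hour-of-day)
# and the list holds one observation per previous day for that hour.
BASELINES = {
    # outbound bytes from endpoint ws-17 during the 02:00 hour, last 7 nights
    ("ws-17:outbound_bytes", 2): [1_200_000, 900_000, 1_500_000, 1_100_000,
                                  1_300_000, 800_000, 1_000_000],
    # interactive logins by alice during the 03:00 hour, last 7 days
    ("alice:logins", 3): [0, 0, 0, 0, 0, 0, 0],
}


def zscore(history, observed):
    """Number of standard deviations `observed` sits above the historical mean.

    A history with no variance (e.g. a user who never logs in at 03:00) cannot
    be scored by division, so any departure from the constant value is treated
    as maximally anomalous and an exact match as perfectly normal."""
    mu = mean(history)
    sigma = pstdev(history)
    if sigma == 0:
        return float("inf") if observed != mu else 0.0
    return (observed - mu) / sigma


def is_anomalous(history, observed, threshold=3.0, min_samples=5):
    """Flag upward deviations beyond `threshold` sigma; refuse to judge on a
    history too short to describe 'normal'."""
    if len(history) < min_samples:
        return False
    return zscore(history, observed) > threshold


def evaluate(baselines, observations):
    """observations: list of ((metric, hour), observed_value).
    Returns (key, observed, zscore) for each observation judged anomalous."""
    flagged = []
    for key, value in observations:
        history = baselines.get(key)
        if history is None:
            continue  # no baseline yet for this metric/hour: nothing to compare against
        if is_anomalous(history, value):
            flagged.append((key, value, zscore(history, value)))
    return flagged


if __name__ == "__main__":
    observations = [
        (("ws-17:outbound_bytes", 2), 1_900_000_000),  # 1.9 GB out at 02:00 (question 4)
        (("ws-17:outbound_bytes", 2), 1_400_000),      # within the usual range
        (("alice:logins", 3), 1),                      # first ever 03:00 login (question 8)
    ]
    for key, value, z in evaluate(BASELINES, observations):
        print(f"ANOMALY {key}: observed={value} z={z:.1f}")
```

The 1.9 GB burst scores thousands of standard deviations above ws-17's usual nightly volume, and Alice's single 03:00 login is flagged because her baseline for that hour is flat zero; the 1.4 MB reading falls within about one sigma and passes. Real SIEM anomaly engines use richer models than a per-hour z-score, but the structure is the same: learn what is normal for this entity at this time, then alert on what deviates from it.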