CompTIA Security+ Practice Test of the Day 092225

Welcome to today’s CompTIA Security+ practice test!

Today’s practice test is based on Subdomain 2.4 (Given a scenario, analyze indicators of malicious activity) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

10 questions • Single best answer
Question 1
A user downloads a free video converter from a sketchy website. After installing it, their antivirus detects outbound connections to a remote server, though the converter works as advertised. A backdoor was silently installed alongside the legitimate software. Which malware type BEST describes the malicious component?

Question 2
A threat actor gains persistent access to an executive's laptop and installs software that silently monitors web activity, records screenshots every 30 seconds, and tracks physical location using GPS data — all without the user's knowledge. Which malware type BEST describes this software?

Question 3
A SOC analyst detects malware that exploits a vulnerability in a Windows service to copy itself to all reachable network shares and re-executes without any user interaction. Within two hours it has spread to 400 workstations. Which malware type BEST describes this behavior?

Question 4
A penetration tester sets up a rogue Wi-Fi access point with the same SSID and channel as the corporate guest network. Client devices automatically connect to the rogue AP, and the tester intercepts all their unencrypted traffic. Which wireless attack is described?

Question 5
An attacker targets 10,000 accounts with a single authentication attempt per account using the password 'Winter2024!' — staying well below lockout thresholds. Over several hours, 47 accounts successfully authenticate. Which attack technique is described?

Question 6
A security researcher demonstrates that two different certificate files produce the same SHA-1 hash. Using this property, an attacker could create a fraudulent certificate that produces the same hash as a legitimate one, potentially bypassing signature verification. Which cryptographic attack exploits this property?

Question 7
An attacker intercepts a TLS handshake and manipulates the cipher suite negotiation to force the client and server to use an older, weaker encryption algorithm that the attacker knows how to break. Which cryptographic attack is described?

Question 8
An attacker clones an employee's RFID access badge by holding a reader device close to the employee in an elevator. The attacker later uses the cloned badge to enter the server room. Which physical attack technique is described?

Question 9
A threat actor sends thousands of UDP packets with spoofed source addresses — all pointing to the victim — to open DNS resolvers. Each small query generates a large DNS response sent to the victim's IP, overwhelming the victim's bandwidth. Which attack technique is described?

Question 10
After a security incident, a forensic investigator finds that all Windows Event Logs on a compromised server were cleared between 2 AM and 3 AM — exactly the window when the attacker was active. The logs were not backed up externally. Which indicator of malicious activity does this represent?