
Welcome to today’s CompTIA Security+ practice test!
Today’s practice test is based on subdomain 2.4 (Given a scenario, analyze indicators of malicious activity.) from the CompTIA Security+ SY0-701 objectives.
This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.
These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.
#1. A SOC analyst notices that an employee’s workstation is generating unusually high outbound network traffic to multiple random IP addresses. Shortly after, the workstation becomes unresponsive. Which indicator best explains this activity?
A. Worm infection
B. Rootkit
C. Logic bomb
D. DNS poisoning
#2. During a login review, an administrator finds that a user’s account successfully logged in from New York and then, within two minutes, from London. The user claims they were only in New York. Which indicator of malicious activity does this represent?
A. Credential replay
B. Impossible travel
C. Brute force attack
D. Concurrent session usage
#3. An employee reports that their files have been encrypted, and a message demands payment in cryptocurrency for decryption. The SOC confirms unusual resource consumption on the user’s device. Which type of malicious activity is this?
A. Ransomware
B. Spyware
C. Trojan
D. Bloatware
#4. A security team notices that multiple users are reporting account lockouts at the same time. Logs reveal repeated failed login attempts from external IP addresses. What attack is most likely occurring?
A. Password spraying
B. Brute force
C. Replay attack
D. Collision attack
#5. A penetration tester demonstrates that an attacker could modify SQL statements through a vulnerable input field on a web application. The tester shows how database records can be dumped. Which type of malicious activity is this?
A. Cross-site scripting
B. Privilege escalation
C. Injection attack
D. Directory traversal
#6. A user downloads a free software tool. After installation, the user notices that sensitive data from their device is being transmitted to an unknown external server. Which type of malicious activity is occurring?
A. Worm
B. Spyware
C. Rootkit
D. Keylogger
#7. A SOC analyst observes a sudden surge of traffic directed at a company’s e-commerce server. The packets originate from multiple international IP addresses, causing legitimate customers to experience slow response times. Which type of attack is this?
A. Credential replay
B. Privilege escalation
C. DNS poisoning
D. Distributed denial-of-service (DDoS)
#8. A cryptographic function produces the same hash for two different inputs. An attacker could exploit this to create fraudulent digital signatures. Which type of attack is this?
A. Birthday attack
B. Replay attack
C. Collision attack
D. Brute force
#9. A database administrator reports high CPU usage on a server and finds unusual queries being executed outside normal business hours. Logs show queries designed to bypass authentication checks. Which malicious activity does this suggest?
A. Privilege escalation
B. Directory traversal
C. Injection attack
D. Buffer overflow
#10. An attacker exploits a bug in an application to overwrite memory and execute arbitrary code. The SOC detects unexplained crashes and unusual processes. Which indicator of malicious activity does this represent?
A. Injection attack
B. Brute force
C. Keylogger
D. Buffer overflow
Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.
Answers
| Number | Answer | Explanation |
|---|---|---|
| 1 | A | A SOC analyst notices that an employee’s workstation is generating unusually high outbound network traffic to multiple random IP addresses. Shortly after, the workstation becomes unresponsive. Which indicator best explains this activity? A. Worm infection (Correct): This activity is a classic indicator of a worm infection. A worm is a type of self-replicating malware that spreads autonomously across a network by actively scanning for and exploiting vulnerabilities on other machines. The unusually high outbound network traffic is a direct result of the worm attempting to find new targets to infect, which can also consume system resources and cause the workstation to become unresponsive. B. Rootkit (Incorrect): A rootkit is designed to gain privileged access and remain hidden on a system. While it could cause performance issues, its primary function is stealth, not active, network-based self-propagation. C. Logic bomb (Incorrect): A logic bomb is a malicious piece of code that executes when a specific condition is met. It does not typically generate high outbound network traffic as a primary function. D. DNS poisoning (Incorrect): DNS poisoning is a network-level attack that manipulates DNS records to redirect traffic. It does not explain a workstation generating high, random outbound traffic as a result of a local infection. |
| 2 | B | During a login review, an administrator finds that a user’s account successfully logged in from New York and then, within two minutes, from London. The user claims they were only in New York. Which indicator of malicious activity does this represent? A. Credential replay (Incorrect): Credential replay (or pass the hash) is an attack where an attacker re-uses stolen session credentials. While this could be the method used, “impossible travel” is the specific, visible alert generated by the activity. B. Impossible travel (Correct): This is a classic example of an impossible travel alert. This indicator of compromise is triggered when a user account logs in from two geographically distant locations in a time frame that would be physically impossible to travel between, such as New York and London within two minutes. C. Brute force attack (Incorrect): A brute force attack involves repeated, automated attempts to guess a password. The scenario describes successful logins, not repeated failed attempts. D. Concurrent session usage (Incorrect): While the sessions may be concurrent, the primary security concern and the most specific indicator is the physically impossible distance between the two login locations. |
| 3 | A | An employee reports that their files have been encrypted, and a message demands payment in cryptocurrency for decryption. The SOC confirms unusual resource consumption on the user’s device. Which type of malicious activity is this? A. Ransomware (Correct): The activity described is ransomware. This type of malicious software encrypts a victim’s files and demands a ransom payment, often in cryptocurrency, in exchange for the decryption key. The unusual resource consumption is a common sign of the encryption process taking place on the user’s device. B. Spyware (Incorrect): Spyware is designed to secretly collect information about a user and their activities without their knowledge. It does not typically encrypt files. C. Trojan (Incorrect): A Trojan horse is a type of malware that disguises itself as legitimate software. While a Trojan could be the delivery method for ransomware, the malicious activity itself is the ransomware. D. Bloatware (Incorrect): Bloatware is software that comes pre-installed on a device and often consumes resources but is not malicious in nature. It does not encrypt files or demand a ransom. |
| 4 | A | A security team notices that multiple users are reporting account lockouts at the same time. Logs reveal repeated failed login attempts from external IP addresses. What attack is most likely occurring? A. Password spraying (Correct): This is a classic indicator of a password spraying attack. The attacker tries a few common passwords (like Password123! or Welcome!) across a large number of user accounts. The goal is to avoid account lockouts on a single account, but if the attacker tries too many passwords or the organization has a strict lockout policy, it will result in multiple users being locked out simultaneously, as described. B. Brute force (Incorrect): A brute force attack involves trying many different passwords against a single user account. This would typically result in only one user’s account being locked out, not multiple accounts at the same time. C. Replay attack (Incorrect): A replay attack involves capturing and re-using a legitimate data transmission. It does not typically manifest as a large number of failed login attempts. D. Collision attack (Incorrect): A collision attack is a cryptographic attack that attempts to find two different inputs that produce the same hash output. It has no relation to login attempts. |
| 5 | C | A penetration tester demonstrates that an attacker could modify SQL statements through a vulnerable input field on a web application. The tester shows how database records can be dumped. Which type of malicious activity is this? A. Cross-site scripting (Incorrect): Cross-site scripting (XSS) involves injecting malicious scripts into a website to be executed by other users’ browsers. It does not directly manipulate the database. B. Privilege escalation (Incorrect): Privilege escalation is the act of gaining a higher level of access than originally granted. While an injection attack can sometimes lead to privilege escalation, the act of modifying the SQL statement itself is the injection. C. Injection attack (Correct): The activity described is an injection attack, specifically SQL injection. This type of attack involves a threat actor inserting malicious commands into a vulnerable application’s input field. The application then executes these commands, allowing the attacker to manipulate or dump the underlying database. D. Directory traversal (Incorrect): A directory traversal attack allows an attacker to access files outside of the intended directory on a server. It does not involve manipulating database queries. |
| 6 | B | A user downloads a free software tool. After installation, the user notices that sensitive data from their device is being transmitted to an unknown external server. Which type of malicious activity is occurring? A. Worm (Incorrect): A worm is a self-replicating program that spreads to other computers without human intervention. The scenario describes data exfiltration, not self-propagation. B. Spyware (Correct): The malicious activity is spyware. This type of malware is designed to secretly monitor a user’s activity and collect sensitive information from their device. The software’s unauthorized transmission of data to an external server is a classic function of spyware. C. Rootkit (Incorrect): A rootkit is a type of malware designed to gain privileged access and remain hidden on a system. While it could be used to facilitate data theft, its primary function is stealth, not data collection itself. D. Keylogger (Incorrect): A keylogger is a specific type of spyware that records keystrokes. While the sensitive data could be keystrokes, “spyware” is the more accurate term for the broader activity of stealing various types of data. |
| 7 | D | A SOC analyst observes a sudden surge of traffic directed at a company’s e-commerce server. The packets originate from multiple international IP addresses, causing legitimate customers to experience slow response times. Which type of attack is this? A. Credential replay (Incorrect): Credential replay is an attack where stolen credentials are re-used to gain unauthorized access. It is not a volume-based attack designed to cause service disruption. B. Privilege escalation (Incorrect): Privilege escalation is the act of gaining a higher level of access to a system. The attack described is a disruption of service, not an escalation of privileges. C. DNS poisoning (Incorrect): DNS poisoning is an attack that manipulates a DNS server’s records to redirect traffic to a malicious website. It does not involve a direct traffic flood on the target server. D. Distributed denial-of-service (DDoS) (Correct): The attack is a distributed denial-of-service (DDoS) attack. This type of attack floods a target server with a massive amount of traffic from numerous compromised sources (often a botnet). The goal is to overwhelm the server’s resources and prevent legitimate users from accessing it, which directly explains the slow response times experienced by the e-commerce customers. |
| 8 | C | A cryptographic function produces the same hash for two different inputs. An attacker could exploit this to create fraudulent digital signatures. Which type of attack is this? A. Birthday attack (Incorrect): A birthday attack is a specific type of cryptographic method used to find collisions more efficiently. While it’s a way to perform a collision attack, “collision attack” is the broader, more accurate term for the attack itself. B. Replay attack (Incorrect): A replay attack involves an attacker capturing and re-using a legitimate data transmission. It does not involve cryptographic hash functions. C. Collision attack (Correct): This is a collision attack. A cryptographic hash function is designed to produce a unique hash for every unique input. A collision attack is an attempt to find two different inputs that produce the same hash output (a “collision”). If an attacker can find a collision, they could create a fraudulent digital signature by substituting a legitimate input with a malicious one that produces the same hash. D. Brute force (Incorrect): A brute force attack involves trying every possible combination of characters to guess a password or key. It is not used for finding hash collisions. |
| 9 | C | A database administrator reports high CPU usage on a server and finds unusual queries being executed outside normal business hours. Logs show queries designed to bypass authentication checks. Which malicious activity does this suggest? A. Privilege escalation (Incorrect): While the attacker may be attempting to escalate privileges, the method used is an injection attack. Privilege escalation is the outcome, not the attack method itself. B. Directory traversal (Incorrect): A directory traversal attack allows an attacker to access files outside of the intended directory on a server. It is unrelated to manipulating database queries. C. Injection attack (Correct): The malicious activity is an injection attack, most likely SQL injection. The use of queries designed to bypass authentication is a classic indicator of an attacker manipulating a database’s input fields. The high CPU usage suggests the attacker is running complex queries, such as data exfiltration or manipulation, which is the goal of a successful injection attack. D. Buffer overflow (Incorrect): A buffer overflow is a low-level memory exploit where an attacker writes more data to a buffer than it can hold. It is not typically executed through database queries. |
| 10 | D | An attacker exploits a bug in an application to overwrite memory and execute arbitrary code. The SOC detects unexplained crashes and unusual processes. Which indicator of malicious activity does this represent? A. Injection attack (Incorrect): An injection attack involves inserting malicious data into an application’s input fields to manipulate commands (e.g., SQL injection). It does not involve overwriting memory. B. Brute force (Incorrect): A brute force attack involves repeatedly trying passwords or keys to guess a valid one. It is not related to memory manipulation. C. Keylogger (Incorrect): A keylogger is a type of spyware that records keystrokes. It does not exploit memory vulnerabilities to execute code. D. Buffer overflow (Correct): The malicious activity is a buffer overflow. This type of attack exploits a bug where a program attempts to write more data into a memory buffer than it was designed to hold. This causes the excess data to “overflow” into adjacent memory, which an attacker can leverage to inject and execute their own malicious code, leading to system crashes and unusual process behavior. |


