CompTIA Security+ Practice Test of the Day 260502

Welcome to today’s CompTIA Security+ practice test!

This practice test uses our new UI!

Today’s practice test is based on Subdomain 2.4 (Given a scenario, analyze indicators of malicious activity) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

To choose CompTIA Security+ practice tests based on specific domains/subdomains, click that link.

CompTIA Security+ Practice Test of the Day 260502

10 questions • Single best answer

Question 1

An analyst reviewing endpoint detection logs at a regional hospital observes that dozens of workstations suddenly lost access to patient records, imaging files, and scheduling data. Each affected system now displays a message demanding cryptocurrency payment in exchange for a decryption key. The security team confirms that files have been encrypted with a strong algorithm and that backups stored on network-attached drives were also affected. Which malware type is responsible, and what does this attack's impact on backup drives indicate about the attacker's methodology?

A. Worm; the malware propagated laterally across the network and overwrote backup files as a side effect B. Ransomware; the attacker deliberately targeted network-accessible backups to eliminate recovery options and increase pressure to pay C. Logic bomb; the payload triggered based on a predefined condition and encrypted files as its destructive action D. Trojan; the malware disguised itself as a legitimate application before encrypting files and backup destinations

Question 2

A forensic investigator is examining a compromised server and notices that traditional antivirus tools report the system as clean, yet the SIEM continues to show suspicious outbound connections originating from the host. Further investigation using a live boot environment reveals hidden processes, modified system call tables, and altered directory listings that conceal specific files from the running OS. Which malware type is MOST consistent with these findings?

A. Keylogger B. Spyware C. Trojan D. Rootkit

Question 3

A SOC analyst receives a report that an executive's corporate laptop has been secretly recording every keystroke entered — including credentials for banking systems, the corporate VPN, and the email platform — and transmitting the captured data to an external server. The malware runs as a background process and does not display any user-visible activity. Review of the binary confirms it does not self-replicate or exploit vulnerabilities to spread. Which malware type BEST describes this threat?

A. Virus B. Worm C. Keylogger D. Bloatware

Question 4

During a post-termination investigation, forensic analysts discover that a recently dismissed system administrator had modified a payroll processing script six months prior. The modification included a conditional check: if the administrator's employee ID no longer appeared in the active employee database, the script would automatically delete all payroll records for the current quarter. The condition triggered three days after termination. Which malware type does this scenario describe?

A. Ransomware B. Rootkit C. Worm D. Logic bomb

Question 5

A user contacts the help desk after downloading what appeared to be a free video editing tool from a popular software aggregator website. After installation, the user began experiencing slow system performance, and the IT team discovered that a remote access tool was running in the background, giving an unknown party full control of the workstation. The downloaded installer contained both the legitimate video editor and the embedded malicious component. Which malware type does this BEST describe?

A. Virus B. Worm C. Trojan D. Spyware

Question 6

A network administrator notices that several servers across different subnets are generating unusually high outbound traffic to other internal and external hosts. Investigation reveals that a piece of malware is actively copying itself to accessible network shares and removable drives, then executing automatically on newly infected systems by exploiting a known vulnerability in the file-sharing service — without any user interaction required. Which malware type is MOST consistent with this behavior?

A. Virus B. Trojan C. Bloatware D. Worm

Question 7

An employee contacts HR after noticing that their browsing history has been shared with a third-party marketing firm without consent. Investigation reveals that software installed as part of a free browser extension has been silently monitoring the employee's web activity, capturing search terms and visited URLs, and transmitting the data to an external server for behavioral profiling purposes. The software did not replicate itself or cause system damage. Which malware type BEST describes this threat?

A. Keylogger B. Spyware C. Rootkit D. Virus

Question 8

A security consultant performing a physical security assessment at a sporting venue observes that an attendee is holding a device near the wristbands worn by VIP guests as they enter a restricted area. Later, the consultant notices that same individual gaining access to the restricted zone using their own wristband — without ever purchasing a VIP pass. The venue's access control system uses contactless technology for authentication. Which physical attack technique does this scenario MOST likely represent?

A. Environmental attack B. Brute force C. RFID cloning D. Side loading

Question 9

During a major product launch, a technology company's public-facing e-commerce platform becomes unreachable. Network monitoring reveals that thousands of IP addresses distributed across multiple geographic regions are simultaneously sending HTTP requests at a volume far exceeding the platform's capacity. The traffic is coming from what appear to be compromised home routers and IoT devices. The on-call engineer confirms no application vulnerabilities were exploited — the sheer volume of requests overwhelmed the servers. Which type of network attack does this BEST describe?

A. On-path attack B. Credential replay C. Distributed denial-of-service (DDoS) D. DNS attack

Question 10

A security operations team is analyzing an intrusion in which an attacker exploited a vulnerable web application to gain initial access with standard user privileges. The attacker then used a local exploit to take advantage of a flaw in the operating system's kernel, gaining administrative rights without any additional user interaction. The attacker subsequently installed persistence mechanisms and exfiltrated sensitive data. Which application or OS attack technique did the attacker use to move from standard user to administrative access?