CompTIA Security+ Practice Test of the Day 260502

Welcome to today’s CompTIA Security+ practice test!

Today’s practice test is based on Subdomain 2.4 (Given a scenario, analyze indicators of malicious activity) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

10 questions • Single best answer

Question 1
A SOC analyst observes that all files on a file server have been renamed with a .locked extension, a ransom note has appeared on the desktop demanding Bitcoin payment, and users can no longer open any documents. Which malware type is responsible?

Question 2
An incident responder investigates a server where running processes appear clean, but the network interface is exfiltrating significant data. A bootable forensic scan reveals hidden processes and modified system files invisible to the live OS. Which malware type does this indicate?

Question 3
A developer embedded code in the payroll application that checks whether her employee ID exists in the HR database. If her account is deleted — indicating termination — the code automatically wipes all payroll records on the next scheduled run. Which malware type does this describe?

Question 4
A user reports unauthorized password changes to his accounts after clicking an email attachment. Forensic analysis reveals every keystroke on the device was being recorded and exfiltrated to a remote server. Which malware type caused this?

Question 5
An analyst reviewing network captures from a hotel Wi-Fi network finds that an attacker's device was intercepting HTTPS traffic between guests and a banking website by presenting a fraudulent certificate — relaying modified content between victims and the real server. Which attack type does this represent?

Question 6
An attacker sends DNS queries with a spoofed source IP (the victim's address) to thousands of open DNS resolvers. Each resolver sends a much larger response directly to the victim — overwhelming it with traffic it never requested. Which attack type does this represent?

Question 7
An attacker gains initial access to a web server as a low-privileged service account, then uses a known kernel exploit to elevate their permissions to SYSTEM-level — gaining full control of the server. Which application attack type does this represent?

Question 8
A SIEM alert fires because a user account authenticated from New York at 9:00 AM and then from Tokyo at 9:45 AM — a journey that would physically require approximately 14 hours. Which indicator of compromise does this represent?

Question 9
A help desk receives dozens of calls in 30 minutes from employees locked out of their accounts. The SIEM shows thousands of failed authentication attempts across all locked accounts originating from the same external IP range. Which attack type do the account lockouts indicate?

Question 10
A forensic investigator finds that system event logs covering the exact period of a suspected breach are completely absent from the compromised server, while all logs from surrounding time periods are intact. Which indicator of compromise does this represent?