Domain 2 of 5 · Chapter 6 of 6

Indicators of Malicious Activity

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing CompTIA Security+ premium course — no separate purchase.

Included in this chapter:

  • Password and identity indicators: spraying vs. brute force
  • Network and application attack indicators
  • Cryptographic and physical attack indicators
  • Reading the evidence trail: log and intel indicators

Reading the indicator: symptom to most-likely attack

Observed indicatorMost-likely attackAttack familyWhy it fits
Failed logins across many accountsPassword sprayingPasswordOne common password per account stays under lockout thresholds
Repeated failures then account lockoutBrute forcePasswordExhaustive guessing against a single target trips the lockout policy
Impossible travel / concurrent sessionsCredential theft or replayNetwork / identityOne credential used from two places at once means it was stolen or replayed
Resource consumption + inaccessibilityAmplified/reflected DDoSNetworkExhausting CPU/bandwidth makes the service time out for legitimate users
DB errors or data leak from web inputInjectionApplicationUntrusted input is executed as code or a query by the application
Web request reading unexpected filesDirectory traversalApplication../ sequences escape the web root to reach the filesystem
Forged request from an authenticated userCSRF / SSRFApplicationThe victim's browser or server is tricked into making an unintended request
Cipher silently negotiated weakerDowngradeCryptographicForcing an older protocol/cipher enables a known break
Two inputs share one hash digestCollision / birthdayCryptographicFinding any colliding pair forges integrity or signatures
Audit records gone / out-of-cycle loggingAnti-forensics / tamperingIndicatorMissing or off-schedule logs suggest an attacker cleared their tracks

Decision tree

What does the indicator show? Failed logins: one account or many? Web input doing the unexpected? Service down / cipher weak / logs gone? Auth failures Web request Availability / crypto / evidence Brute force one account, ends in lockout Password spraying many accounts, stays under lockout Credential theft / replay impossible travel / concurrent sessions One, locks out Many, few each Two places at once Injection DB errors / leaked rows Directory traversal reads files outside web root CSRF / SSRF forged client / server request DB / data leak ../ file access unintended request DDoS (amplified/reflected) resource consumption + inaccessibility Downgrade / collision weaker cipher / shared hash digest Anti-forensics / tampering missing / out-of-cycle logs Slow / unreachable Weaker cipher Logs gone Always: correlate against change records a planned job can mimic an attack indicator

Cheat sheet

  • Reason backward from the indicator to the attack
  • SY0-701 groups attacks into six families on objective 2.4
  • Many failed logins on one account ending in lockout means brute force
  • Low failures across many accounts means password spraying
  • Impossible travel or concurrent sessions point to a stolen credential
  • Replay re-sends a captured valid authenticator to impersonate a user
  • Resource consumption plus inaccessibility is the denial-of-service signature
  • Amplification inflates the response; reflection redirects it at the victim
  • An on-path attacker sits between two parties to intercept or alter traffic
  • Injection makes the app run untrusted input as code or a query
  • Directory traversal walks ../ sequences out of the web root
  • CSRF abuses the victim's browser; SSRF abuses the server's trust
  • Privilege escalation is a principal acting beyond its granted rights
  • A downgrade attack forces a session onto a weaker protocol or cipher
  • A collision is two distinct inputs producing the same hash digest
  • The birthday paradox is why collisions are far cheaper than brute force
  • Physical brute force breaks a barrier, not a password
  • RFID cloning copies a proximity badge so the clone opens the same doors
  • An environmental attack hits power, cooling, or fire systems to kill availability
  • Missing logs where records should exist signal anti-forensics
  • Out-of-cycle logging flags activity at abnormal times
  • A block event reveals an attempt to reach or run something disallowed
  • Published/documented indicators are external IOCs you match against your telemetry
  • Correlate an indicator against change records before declaring an attack
  • Regular small outbound check-ins to one external host are C2 beaconing
  • DNS tunneling hides payload data in long encoded subdomains
  • Side-channel attacks read secrets from physical leakage, not the algorithm

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. CompTIA Security+ (SY0-701) certification
  2. Password cracking (CSRC glossary)
  3. Denial of service (CSRC glossary)
  4. Man-in-the-middle attack (CSRC glossary)
  5. SQL injection (CSRC glossary)
  6. NIST SP 800-107 Rev. 1: Recommendation for Applications Using Approved Hash Algorithms Whitepaper
  7. Audit record (CSRC glossary)
  8. NIST SP 800-92: Guide to Computer Security Log Management Whitepaper