CompTIA Security+ SY0-701 Objective 2.4: Given a Scenario, Analyze Indicators of Malicious Activity

Ransomware Indicators:

• File Encryption: Files becoming unreadable with changed extensions
• Ransom Notes: Text files or desktop wallpapers with payment demands
• System Slowdown: Significant performance degradation during encryption
• Network Activity: Unusual network traffic during encryption process
• File System Changes: Mass file modifications and deletions
• Process Activity: Suspicious processes consuming high CPU/memory

Trojan Indicators:

• Disguised Files: Malicious files masquerading as legitimate software
• Unexpected Network Connections: Outbound connections to unknown servers
• System Modifications: Unauthorized changes to system files or registry
• Backdoor Access: Unauthorized remote access capabilities
• Data Exfiltration: Unusual data transfer patterns
• Privilege Escalation: Attempts to gain higher system privileges

Worm Indicators:

• Self-Replication: Automatic spreading to other systems
• Network Propagation: Rapid spread across network segments
• Resource Consumption: High network bandwidth and system resource usage
• Email Propagation: Mass email sending from infected systems
• Vulnerability Scanning: Scanning for vulnerable systems to infect
• System Instability: Crashes and performance issues

Spyware Indicators:

• Keystroke Logging: Capturing user input and passwords
• Screen Capture: Taking screenshots of user activities
• Data Collection: Gathering personal and sensitive information
• Browser Hijacking: Redirecting web searches and homepage changes
• Ad Injection: Unwanted advertisements and pop-ups
• System Monitoring: Tracking user behavior and activities

Bloatware Indicators:

• Unwanted Software: Pre-installed software consuming resources
• Performance Degradation: System slowdown and resource consumption
• Unnecessary Services: Background processes running without user knowledge
• Advertisements: Unwanted ads and promotional content
• Data Collection: Unauthorized data gathering and telemetry
• Difficult Removal: Software that is hard to uninstall

Virus Indicators:

• File Infection: Executable files becoming corrupted or modified
• System Instability: Frequent crashes and error messages
• Performance Issues: Slow system performance and response times
• File Size Changes: Unexpected changes in file sizes
• Boot Sector Issues: Problems with system startup and boot process
• Antivirus Alerts: Security software detecting malicious code

Keylogger Indicators:

• Keystroke Capture: Recording all keyboard input
• Credential Theft: Capturing usernames, passwords, and sensitive data
• Hidden Processes: Background processes not visible to users
• Network Transmission: Sending captured data to remote servers
• System Hooks: Low-level system hooks for input monitoring
• Stealth Operation: Operating without user knowledge or consent

Logic Bomb Indicators:

• Triggered Execution: Malicious code activated by specific conditions
• Time-Based Activation: Code execution at predetermined times
• Event-Based Triggers: Activation based on specific system events
• Data Destruction: Sudden deletion or corruption of files
• System Disruption: Intentional system crashes or failures
• Insider Threat: Often planted by disgruntled employees

Rootkit Indicators:

• System Hiding: Concealing malicious processes and files
• Privilege Escalation: Gaining root or administrator access
• Backdoor Access: Maintaining persistent unauthorized access
• Anti-Detection: Evading security software and monitoring
• System Modification: Altering system files and configurations
• Stealth Operation: Operating undetected for extended periods

Brute Force Indicators:

• Multiple Failed Attempts: Repeated unsuccessful login attempts
• Systematic Password Testing: Trying common or dictionary passwords
• Account Lockouts: Accounts being locked due to failed attempts
• Unusual Access Patterns: Login attempts from unexpected locations
• High-Frequency Attempts: Rapid succession of login attempts
• Automated Tools: Use of password cracking software

RFID Cloning Indicators:

• Duplicate Access Events: Same card used in multiple locations simultaneously
• Unusual Access Patterns: Access from unexpected times or locations
• Signal Interception: Detection of RFID signal capture attempts
• Physical Tampering: Evidence of card manipulation or cloning
• Access Log Anomalies: Inconsistent or impossible access records
• Security System Alerts: Warnings about suspicious card activity

Environmental Attack Indicators:

• Physical Intrusion: Unauthorized access to facilities
• Equipment Tampering: Evidence of hardware modification
• Environmental Monitoring: Alerts from physical security systems
• Unauthorized Personnel: Unknown individuals in restricted areas
• Equipment Theft: Missing or stolen hardware and devices
• Environmental Damage: Intentional damage to infrastructure

Amplified DDoS Indicators:

• Traffic Amplification: Small requests generating large responses
• DNS Amplification: Exploiting DNS servers for traffic amplification
• NTP Amplification: Using NTP servers to amplify attack traffic
• Bandwidth Exhaustion: Network bandwidth completely consumed
• Service Unavailability: Legitimate services becoming unreachable
• Multiple Source IPs: Attack traffic from numerous compromised systems

Reflected DDoS Indicators:

• Reflection Attacks: Using third-party servers to reflect attack traffic
• Spoofed Source IPs: Attack traffic appearing to come from victim
• Protocol Exploitation: Exploiting protocols like UDP for reflection
• Service Disruption: Target services becoming unavailable
• Network Congestion: Network infrastructure overwhelmed
• Legitimate Traffic Blocked: Normal users unable to access services

DNS Attack Indicators:

• DNS Poisoning: Corrupted DNS cache with malicious entries
• DNS Hijacking: Unauthorized changes to DNS configurations
• DNS Amplification: Using DNS servers to amplify attack traffic
• Domain Spoofing: Fake domains redirecting to malicious sites
• DNS Tunneling: Using DNS queries to exfiltrate data
• Resolution Failures: DNS queries failing or returning incorrect results

Wireless Attack Indicators:

• Rogue Access Points: Unauthorized wireless networks
• Evil Twin Attacks: Fake access points mimicking legitimate ones
• Signal Interception: Capturing wireless communications
• WEP/WPA Cracking: Exploiting weak wireless encryption
• Man-in-the-Middle: Intercepting wireless communications
• Jamming Attacks: Disrupting wireless communications

On-Path Attack Indicators:

• Traffic Interception: Capturing network communications
• Data Modification: Altering data in transit
• Session Hijacking: Taking over established sessions
• ARP Spoofing: Manipulating network address resolution
• SSL/TLS Stripping: Downgrading encrypted connections
• Network Redirection: Redirecting traffic to malicious destinations

Credential Replay Indicators:

• Captured Credentials: Intercepted authentication data
• Reused Authentication: Using captured credentials for unauthorized access
• Session Replay: Replaying captured authentication sessions
• Network Sniffing: Capturing network traffic containing credentials
• Unauthorized Access: Access using previously captured credentials
• Timing Anomalies: Authentication attempts with unusual timing

Malicious Code Indicators:

• Code Injection: Malicious code inserted into legitimate applications
• Script Execution: Unauthorized execution of malicious scripts
• File Modifications: Unauthorized changes to system files
• Process Injection: Malicious code injected into running processes
• Memory Manipulation: Unauthorized modifications to system memory
• System Compromise: Evidence of system compromise and control

Injection Attack Indicators:

• SQL Injection: Malicious SQL commands in application inputs
• Command Injection: System commands executed through applications
• LDAP Injection: Malicious LDAP queries in application inputs
• XML Injection: Malicious XML content in application inputs
• Code Injection: Malicious code inserted into applications
• Database Manipulation: Unauthorized database access and modification

Buffer Overflow Indicators:

• Application Crashes: Programs crashing due to memory corruption
• Memory Corruption: Evidence of memory manipulation
• Code Execution: Unauthorized code execution on target systems
• Privilege Escalation: Gaining higher privileges through exploitation
• System Instability: System crashes and unpredictable behavior
• Security Bypass: Circumventing security controls

Replay Attack Indicators:

• Duplicate Transactions: Repeated identical transactions
• Session Replay: Replaying captured authentication sessions
• Message Replay: Reusing captured network messages
• Timestamp Anomalies: Transactions with unusual timing
• Sequence Number Issues: Out-of-order or duplicate sequence numbers
• Authentication Bypass: Gaining access without proper authentication

Privilege Escalation Indicators:

• Unauthorized Access: Access to resources beyond user permissions
• Administrative Actions: System changes by non-administrative users
• Permission Changes: Unauthorized modifications to user permissions
• System Modifications: Changes to system files and configurations
• Service Manipulation: Starting or stopping system services
• Account Creation: Creating new user accounts with elevated privileges

Forgery Attack Indicators:

• Fake Documents: Forged certificates, licenses, or credentials
• Digital Signature Forgery: Falsified digital signatures
• Email Spoofing: Forged email headers and sender information
• Website Forgery: Fake websites mimicking legitimate ones
• Identity Theft: Using stolen or forged identities
• Document Tampering: Unauthorized modifications to documents

Directory Traversal Indicators:

• Path Manipulation: Using "../" sequences to access parent directories
• Unauthorized File Access: Accessing files outside intended directories
• System File Exposure: Accessing sensitive system files
• Configuration Access: Reading application configuration files
• Log File Access: Accessing system and application logs
• Source Code Exposure: Accessing application source code

Downgrade Attack Indicators:

• Protocol Downgrade: Forcing use of weaker security protocols
• Algorithm Downgrade: Using weaker encryption algorithms
• Key Size Reduction: Using shorter encryption keys
• Feature Disabling: Disabling security features and controls
• Compatibility Exploitation: Exploiting backward compatibility
• Security Bypass: Circumventing strong security controls

Collision Attack Indicators:

• Hash Collisions: Different inputs producing same hash values
• Digital Signature Forgery: Creating valid signatures for different messages
• Certificate Forgery: Creating fake certificates with valid signatures
• Data Integrity Compromise: Modifying data without changing hash
• Authentication Bypass: Bypassing authentication using hash collisions
• Cryptographic Weakness: Exploiting hash function vulnerabilities

Birthday Attack Indicators:

• Hash Collision Search: Systematic search for hash collisions
• Statistical Analysis: Using probability theory to find collisions
• Brute Force Attempts: Large numbers of hash calculations
• Digital Signature Attacks: Forging signatures using collisions
• Certificate Attacks: Creating fake certificates
• Cryptographic Exploitation: Exploiting hash function weaknesses

Password Spraying Indicators:

• Multiple Account Attempts: Trying same password across many accounts
• Common Password Usage: Using frequently used passwords
• Low-Frequency Attempts: Spreading attempts over time to avoid detection
• Account Lockout Avoidance: Not triggering account lockout policies
• Successful Logins: Gaining access with common passwords
• Automated Tools: Use of password spraying software

Brute Force Indicators:

• Systematic Password Testing: Trying all possible password combinations
• High-Frequency Attempts: Rapid succession of login attempts
• Dictionary Attacks: Using word lists and common passwords
• Account Lockouts: Accounts locked due to failed attempts
• Automated Tools: Use of password cracking software
• Resource Consumption: High CPU usage during password attempts

Account Lockout Indicators:

• Failed Login Attempts: Multiple unsuccessful authentication attempts
• Brute Force Attacks: Systematic password guessing attempts
• Account Compromise: Unauthorized access attempts
• Policy Violations: Exceeding maximum failed attempt limits
• Security Alerts: System notifications about lockout events
• User Complaints: Legitimate users unable to access accounts

Concurrent Session Indicators:

• Multiple Logins: Same user logged in from multiple locations
• Impossible Travel: Logins from geographically impossible locations
• Session Sharing: Credentials shared among multiple users
• Account Compromise: Unauthorized use of legitimate accounts
• Policy Violations: Exceeding concurrent session limits
• Security Alerts: System notifications about concurrent sessions

Blocked Content Indicators:

• Firewall Blocks: Network traffic blocked by security controls
• Content Filtering: Web content blocked by filtering systems
• Malware Detection: Malicious content identified and blocked
• Policy Violations: Content violating organizational policies
• Security Alerts: Notifications about blocked content
• User Complaints: Legitimate content being blocked

Impossible Travel Indicators:

• Geographic Impossibility: Logins from physically impossible locations
• Time Anomalies: Logins with impossible time differences
• Account Compromise: Unauthorized access from distant locations
• VPN Usage: Use of VPNs to mask actual locations
• Proxy Servers: Access through proxy servers in different countries
• Security Alerts: System notifications about impossible travel

Resource Consumption Indicators:

• High CPU Usage: Unusually high processor utilization
• Memory Exhaustion: System memory being fully consumed
• Disk Space Depletion: Storage space being rapidly consumed
• Network Bandwidth: Unusually high network traffic
• Performance Degradation: System slowdown and unresponsiveness
• Service Disruption: Services becoming unavailable

Resource Inaccessibility Indicators:

• Service Unavailability: Services becoming unreachable
• Network Connectivity Issues: Network connections failing
• File Access Denied: Unable to access required files
• Database Connectivity: Database connections failing
• Authentication Failures: Unable to authenticate to services
• System Crashes: Systems becoming unresponsive

Out-of-Cycle Logging Indicators:

• Unusual Log Patterns: Logging occurring outside normal schedules
• Excessive Logging: Unusually high volumes of log entries
• Log Manipulation: Unauthorized modifications to log files
• Log Deletion: Log files being deleted or cleared
• Log Tampering: Evidence of log file modification
• Security Bypass: Attempts to hide malicious activity

Published/Documented Indicators:

• Security Advisories: Published information about vulnerabilities
• CVE Publications: Common Vulnerabilities and Exposures
• Vendor Notifications: Security bulletins from software vendors
• Threat Intelligence: Published threat actor techniques
• Security Research: Published research on security vulnerabilities
• Media Reports: Public reports of security incidents

Missing Logs Indicators:

• Log Gaps: Missing log entries for specific time periods
• Log Deletion: Evidence of log file deletion
• Log Tampering: Unauthorized modifications to log files
• System Compromise: Logging disabled by attackers
• Cover-up Attempts: Attempts to hide malicious activity
• Forensic Challenges: Difficulty in investigating incidents