CyberPathCompTIA Security+ Study Guide2.4 Indicators of Malicious Activity

Domain 2

2.4 Indicators of Malicious Activity

Analyze indicators of malicious activity.

0% Complete

1

2.4.1 Malware Attacks

Ransomware, trojan, worm, spyware, rootkit.

Malware is any malicious software designed to infiltrate, damage, or gain unauthorized access to a computer system or network.

Ransomware and Extortion Ransomware locks user data through high-level encryption (cryptomalware) and demands payment for the decryption key. - Encryption: Uses symmetric and asymmetric algorithms to render files unreadable. - Exfiltration: Modern attacks often include "double extortion," where data is stolen and threat actors threaten to leak it if the ransom is not paid. - Indicators: Sudden file extensions changes (e.g., .locked, .crypted), high CPU usage due to encryption processes, and ransom notes on the desktop.

Trojans and RATs A Trojan horse appears to be a legitimate, useful program but hides a malicious payload that executes once installed. - RAT (Remote Access Trojan): Provides a specialized backdoor for administrative control over a target system. - Payloads: Can include Keyloggers (capturing keystrokes to steal credentials) or spyware that monitors user activity. - Example: A free system utility downloaded from an untrusted site that secretly records webcam footage.

Worms and Self-Propagation Worms are standalone malware that self-replicate across network connections without requiring a host file or human interaction. - Self-Propagation: Uses network vulnerabilities (like SMB or RDP exploits) to jump from system to system. - Bandwidth Consumption: Often detected via massive network saturation or unusual traffic spikes. - Exam Trigger: Look for phrases like "spreads automatically" or "no user intervention required."

Spyware and Adware These focus on privacy invasion and data harvesting rather than system destruction. - Spyware: Secretly monitors browser history, cookies, and sensitive personal information. - Adware: Automatically displays advertisements or redirects browser homepages to generate revenue for the attacker. - Keylogger: A specific type of spyware used to capture passwords and credit card numbers by logging physical inputs.

Rootkits and Stealth Rootkits are designed to gain "root" or administrative level access while hiding their presence from the operating system. - Kernel-Level: Operates at the OS layer, allowing it to hide files, processes, and network connections from Task Manager or antivirus. - Persistence: Often survives reboots by modifying the boot sequence (UEFI/BIOS). - Indicators: System files being modified or antivirus software failing to launch.

Quick recall - Ransomware: Demand for payment; uses cryptanalysis/encryption to deny access. - Worm: Network-focused; self-replicating; clogs bandwidth. - Trojan: Social engineering; appears legitimate; requires user action to run. - Rootkit: Stealth; kernel access; invisible to standard OS monitoring tools. - RAT: Unsolicited remote control; allows attacker "hands-on-keyboard" access.

2

2.4.2 Physical Attacks

Brute force, RFID cloning, environmental.

3

2.4.3 Network Attacks

DDoS, DNS, wireless, on-path, replay.

4

2.4.4 Application Attacks

Injection, overflow, replay, privilege escalation.

5

2.4.5 Cryptographic & Password Attacks

6

2.4.6 Indicators

Lockouts, impossible travel, missing logs.