Recognize malware, password, application, physical, network, and cryptographic attacks well enough to separate them in Security+ scenarios.
Security+ uses malicious-activity questions to check whether you can identify what the attacker is doing right now. That sounds basic, but it is easy to confuse a password attack with a phishing vector, or a cryptographic downgrade issue with a generic network attack. The exam rewards precise classification because response priorities change with the attack type.

- Credential stuffing: Reusing usernames and passwords stolen from another breach against a new service.
- Password spraying: Trying one or a few common passwords across many accounts to avoid lockouts.
- RAT: Remote access trojan, malware that gives the attacker hidden control over a victim system.
CompTIA is usually checking whether you can place the observed behavior in the right attack family and then pick the most specific label for it:

| Attack family | Examples |
|---|---|
| Malware | ransomware, trojan, worm, RAT, rootkit, logic bomb |
| Password attacks | brute force, password spraying, credential stuffing, keylogging |
| Application attacks | SQL injection, XSS, CSRF, SSRF, command injection |
| Physical attacks | tailgating, badge cloning, hardware tampering, shoulder surfing |
| Network attacks | DNS poisoning, ARP poisoning, DoS, on-path interception |
| Cryptographic attacks | downgrade attack, weak key use, collision abuse, birthday-style attacks |

| Pattern | Strongest first label |
|---|---|
| Same password tried across many users | Password spraying |
| Stolen credentials reused from another breach | Credential stuffing |
| Malicious script delivered to another user’s browser | XSS |
| Database query manipulated through input | SQL injection |
| Traffic integrity or trust weakened by forced fallback | Downgrade or cryptographic attack |
| Encryption and extortion pressure on business systems | Ransomware |

Security+ often presents these as similar-looking answer choices. The clue is usually the pattern of attempts and the source of the credentials.
If you misclassify the activity, you can also miss the best next step. Consider this authentication log excerpt:

```text
2026-03-28T14:10:01Z auth-fail user=ajones src=203.0.113.10
2026-03-28T14:10:03Z auth-fail user=mbrown src=203.0.113.10
2026-03-28T14:10:05Z auth-fail user=rwong src=203.0.113.10
```

What to notice: every failure comes from the same source address, each attempt targets a different username, and the attempts are only seconds apart. One source walking through many accounts points toward password spraying; credential stuffing would instead reuse username and password pairs taken from another breach.

A public login portal shows thousands of failed sign-ins from one IP, each against a different employee username, all using the same seasonal password guess. Which classification is strongest?

A. Credential stuffing
B. Password spraying
C. SQL injection
D. Tailgating

Best answer: B. The behavior is one password across many accounts, which is the defining pattern of password spraying.
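To make the password-attack rows of the tables above concrete, here is a small classifier, added as an example for this page (it is not CompTIA material or code from the guide), that applies the definitions of brute force, password spraying and credential stuffing to constructed `auth-fail` lines in the same layout as the excerpt above. The sample log, the thresholds, and the `RESPONSE` mapping are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log in the same "timestamp auth-fail user= src=" layout as the
# guide's excerpt. Addresses are documentation ranges; nothing here is real data.
SAMPLE_LOG = """\
2026-03-28T14:10:01Z auth-fail user=ajones src=203.0.113.10
2026-03-28T14:10:03Z auth-fail user=mbrown src=203.0.113.10
2026-03-28T14:10:05Z auth-fail user=rwong src=203.0.113.10
2026-03-28T14:10:07Z auth-fail user=dpatel src=203.0.113.10
2026-03-28T14:10:09Z auth-fail user=lkim src=203.0.113.10
2026-03-28T14:11:00Z auth-fail user=admin src=198.51.100.7
2026-03-28T14:11:01Z auth-fail user=admin src=198.51.100.7
2026-03-28T14:11:02Z auth-fail user=admin src=198.51.100.7
2026-03-28T14:11:03Z auth-fail user=admin src=198.51.100.7
2026-03-28T14:11:04Z auth-fail user=admin src=198.51.100.7
2026-03-28T14:11:05Z auth-fail user=admin src=198.51.100.7
2026-03-28T14:12:00Z auth-fail user=tsmith src=192.0.2.11
2026-03-28T14:12:01Z auth-fail user=hgarcia src=192.0.2.12
2026-03-28T14:12:02Z auth-fail user=nwhite src=192.0.2.13
2026-03-28T14:12:03Z auth-fail user=oyoung src=192.0.2.14
2026-03-28T14:12:04Z auth-fail user=pbaker src=192.0.2.15
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth-fail user=(?P<user>\S+) src=(?P<src>\S+)$")

# Illustrative thresholds (assumed); tune them to a portal's normal failure rate.
SPRAY_MIN_USERS = 5        # distinct accounts one source must touch
BRUTE_MIN_ATTEMPTS = 5     # repeated failures against a single account
STUFFING_MIN_SOURCES = 5   # one-shot sources, each hitting a unique account

# Assumed first-response mapping, not from the study guide. The point is that the
# right action differs by label, which is why precise classification matters.
RESPONSE = {
    "password spraying": "block or rate-limit the source; do not mass-lock the targeted accounts",
    "brute force": "lock or step-up authentication on the targeted account; block the source",
    "credential stuffing (suspected)": "force resets on targeted accounts; check them against known breach data",
    "inconclusive": "keep watching; not enough signal to act on yet",
}


def parse_log(text):
    """Return one dict per well-formed auth-fail line; ignore anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify_source(events):
    """Label the failures seen from a single source address."""
    users = {e["user"] for e in events}
    attempts = len(events)
    # One account, many tries: the attacker is guessing one user's password.
    if len(users) == 1 and attempts >= BRUTE_MIN_ATTEMPTS:
        return "brute force"
    # Many accounts, one or two tries each: one password tried across the user base.
    if len(users) >= SPRAY_MIN_USERS and attempts / len(users) <= 2:
        return "password spraying"
    return "inconclusive"


def classify_log(text):
    """Map each source address to the strongest label the log supports."""
    by_src = defaultdict(list)
    for e in parse_log(text):
        by_src[e["src"]].append(e)
    labels = {src: classify_source(evs) for src, evs in by_src.items()}

    # Credential stuffing cannot be proven from user/src alone: the log never shows
    # that the credential pairs came from another breach. The shape it usually leaves
    # is many sources that each try one account exactly once, so that pattern is
    # flagged as suspected and confirmation is left to breach-data checks.
    one_shot = [src for src, evs in by_src.items() if len(evs) == 1]
    one_shot_users = {by_src[src][0]["user"] for src in one_shot}
    if len(one_shot) >= STUFFING_MIN_SOURCES and len(one_shot_users) == len(one_shot):
        for src in one_shot:
            labels[src] = "credential stuffing (suspected)"
    return labels


def triage(text):
    """Pair every label with the assumed first response from RESPONSE."""
    return {src: (label, RESPONSE[label]) for src, label in classify_log(text).items()}


if __name__ == "__main__":
    for src, (label, action) in triage(SAMPLE_LOG).items():
        print(f"{src:15} {label:32} -> {action}")
```

Run it as a script to see one source labelled password spraying, one brute force, and five one-shot sources flagged as suspected credential stuffing. The stuffing label stays "suspected" on purpose: the exam's clue for stuffing is the source of the credentials, and a login log alone cannot show that, so in practice the flag is a prompt to compare the targeted accounts against breach data rather than a final answer.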
Continue with 2.5 Mitigation Techniques to connect attack recognition to the controls that actually reduce the risk.