Section 19 – Malicious Activity: Overview
This section typically covers:
Types of Malicious Code: Viruses, worms, trojans, ransomware, rootkits, keyloggers
Attack Techniques: Backdoors, logic bombs, privilege escalation, social engineering vectors
Indicators of Compromise (IOCs): Unusual outbound traffic, user account anomalies, system file changes
APT (Advanced Persistent Threats): Characteristics, lifecycle stages (reconnaissance, persistence, etc.)
Detection & Response: Use of IDS/IPS, EDR, SIEM, endpoint monitoring
User Behaviour Analytics (UBA): Tracking deviations from normal usage patterns
🔍 Key Concepts to Focus On:
Differences between malware types
Methods of infection and propagation
Real-world examples (e.g., WannaCry, SolarWinds)
Preventative controls (anti-malware, patching, access controls)
Containment and eradication strategies
🧪 Quiz Tip:
Look for “most effective first response” type questions
Be able to identify malware types based on described behaviours
SECTION 19 – MALICIOUS ACTIVITY: STUDY GUIDE (CompTIA Security+)
🔹 1. Malware Types and Characteristics
| Malware Type | Key Traits | Delivery | Example |
|---|---|---|---|
| Virus | Needs host file, spreads when file is executed | Email attachments, downloads | Michelangelo virus |
| Worm | Self-replicating, no host file needed | Network scanning/exploitation | Code Red, Conficker |
| Trojan Horse | Disguised as legitimate software | Software bundles, phishing | Zeus Trojan |
| Ransomware | Encrypts files, demands payment | Phishing, RDP attacks | WannaCry, Locky |
| Spyware | Collects user info without consent | Bundled installs | CoolWebSearch |
| Keylogger | Records keystrokes | Trojan payloads | Commercial or APT |
| Rootkit | Hides malware in OS | Exploits, social engineering | Sony BMG rootkit |
| Logic Bomb | Triggers on conditions | Insider threats | Timed code execution |
🔹 2. Common Malware Behaviours
Persistence: Maintains access across reboots (e.g., registry keys, services)
Privilege Escalation: Gains higher permissions (e.g., kernel exploit)
Backdoors: Hidden method for reentry post-compromise
Polymorphic Malware: Changes its code to avoid detection
Fileless Malware: Runs in memory (uses PowerShell, WMI)
🔹 3. Indicators of Compromise (IOCs)
Unusual network traffic (to C2 servers)
Increased CPU usage (mining malware)
Unknown processes or services
Changes to system files or registry
Failed login attempts, account lockouts
🔹 4. Detection and Mitigation
| Technique | Tools | Goal |
|---|---|---|
| Anti-malware/AV | Windows Defender, Sophos | Prevent & detect |
| EDR | CrowdStrike, SentinelOne | Endpoint threat response |
| IDS/IPS | Snort, Suricata | Detect network anomalies |
| SIEM | Splunk, Graylog | Log aggregation & alerting |
| Sandboxing | FireEye, Cuckoo | Isolate execution |
| Patching | OS and apps | Close vulnerabilities |
🔹 5. Advanced Persistent Threats (APT)
Nation-state or sponsored actors
Multi-phase: Recon → Weaponize → Deliver → Exploit → Install → C2 → Exfil
Use zero-days, spear-phishing, lateral movement
Defense-in-depth required to contain
🔹 6. User Behaviour Analytics (UBA)
Uses AI/ML to detect deviations (e.g., odd hours, large data uploads)
Correlates user activity with threat intelligence
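As an added example (not part of the original study guide), the small Python detector below applies the indicators from sections 3 and 6 to constructed log lines: a burst of failed logins on one account, a successful login at odd hours, and a large upload to a destination outside the allow-list. The log format, the thresholds, the business-hours baseline and the allow-list are all assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample log (not from any real system): a failed-login burst, an off-hours success, a large upload.
SAMPLE_LOG = """\
2024-03-04T02:11:05 auth user=jsmith result=FAIL src=10.0.0.9
2024-03-04T02:11:07 auth user=jsmith result=FAIL src=10.0.0.9
2024-03-04T02:11:09 auth user=jsmith result=FAIL src=10.0.0.9
2024-03-04T02:11:20 auth user=jsmith result=OK src=10.0.0.9
2024-03-04T02:15:00 net user=jsmith dst=203.0.113.7 bytes_out=734003200
2024-03-04T10:05:00 auth user=alee result=OK src=10.0.0.12
2024-03-04T10:06:00 net user=alee dst=10.0.0.50 bytes_out=20480
"""

LINE_RE = re.compile(r"^(\S+) (auth|net) (.*)$")
FAILED_LOGIN_THRESHOLD = 3              # failures per user before alerting (assumed)
BUSINESS_HOURS = range(8, 18)           # 08:00-17:59 is the assumed normal baseline
LARGE_UPLOAD_BYTES = 100 * 1024 * 1024  # a single outbound event over 100 MiB (assumed)
KNOWN_DESTINATIONS = {"10.0.0.50"}      # constructed allow-list of internal hosts

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed line: the detector skips it instead of crashing
    ts, kind, rest = m.groups()
    ev = dict(kv.split("=", 1) for kv in rest.split())  # k=v pairs after the kind
    ev.update(hour=int(ts[11:13]), kind=kind)           # hour taken from the ISO timestamp
    return ev

def find_indicators(log_text):
    """Return sorted (indicator, user) pairs for the IOC/UBA rules above."""
    failures = Counter()
    alerts = set()
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        user = ev["user"]
        if ev["kind"] == "auth":
            if ev["result"] == "FAIL":
                failures[user] += 1
                if failures[user] == FAILED_LOGIN_THRESHOLD:  # alert once per burst
                    alerts.add(("failed_login_burst", user))
            elif ev["hour"] not in BUSINESS_HOURS:
                alerts.add(("off_hours_login", user))
        elif ev["kind"] == "net" and int(ev["bytes_out"]) >= LARGE_UPLOAD_BYTES:
            if ev["dst"] not in KNOWN_DESTINATIONS:
                alerts.add(("large_upload_unknown_dst", user))
    return sorted(alerts)
```

Running `find_indicators(SAMPLE_LOG)` flags only jsmith, on all three rules; alee's daytime login and small internal transfer stay below every threshold.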
🔚 Study Session Actions
Understand malware types by definition, vector, behavior
Practice identifying attack scenarios in quiz format
Learn detection stack: AV/EDR + SIEM + IDS + Sandboxing
Grasp APT lifecycle: persistence, stealth, privilege elevation