
Chapter 9 of 27

Indicators of Malicious Activity and Basic Malware Analysis

Learn to recognize the subtle and obvious signs that something is wrong, from unusual network patterns to endpoint behaviors that scream malware infection.


Big Picture: From Weird Behavior to Malicious Activity

From Theory to Detection

You have seen how attack surfaces and vulnerabilities work. Now we focus on what you see when something goes wrong: indicators of malicious activity and basic malware analysis.

Exam Connection

For SY0-701, many questions show logs or short scenarios and ask if behavior is normal, misconfigured, or malicious. This module trains that pattern-recognition skill.

Indicators vs IOCs

Indicators of malicious activity are any suspicious signs. Indicators of compromise (IOCs) are more concrete artifacts that strongly suggest a breach, like a known bad IP or malware hash.

Modern Environments

Today most orgs use a hybrid environment: cloud, mobile, IoT, OT, and on‑prem resources together. Indicators can appear in any of these layers and must be monitored.

Common Indicators of Malicious Activity (User, Network, System)

User / Account Indicators

Watch for impossible travel, repeated failed logins followed by success, and sudden privilege changes. These often indicate credential theft or brute-force activity.
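The two account indicators above can be checked mechanically once you have authentication events with a timestamp, an outcome, and a login location. The script below is an added example for this chapter, not code from the original page: it feeds a constructed set of login events through an impossible-travel check (great-circle distance divided by elapsed time) and a failures-then-success check. The event format, the coordinates, the 1000 km/h speed limit, and the five-failures-in-ten-minutes window are assumptions chosen for illustration.

```python
"""Account-indicator checks: impossible travel and brute force followed by success.

Added example for this chapter, not code from the original page. The event
format, coordinates, and thresholds below are assumptions made for illustration.
"""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0      # assumption: nothing a user travels on beats an airliner
BRUTE_FORCE_FAILURES = 5              # assumption: this many failures before a success is suspicious
BRUTE_FORCE_WINDOW = timedelta(minutes=10)

# Constructed sample authentication events: (ISO time, user, outcome, city, lat, lon)
EVENTS = [
    ("2024-03-04T08:00:00", "bob",   "failure", "Oslo",      59.91,  10.75),
    ("2024-03-04T08:00:20", "bob",   "failure", "Oslo",      59.91,  10.75),
    ("2024-03-04T08:00:40", "bob",   "failure", "Oslo",      59.91,  10.75),
    ("2024-03-04T08:01:00", "bob",   "failure", "Oslo",      59.91,  10.75),
    ("2024-03-04T08:01:20", "bob",   "failure", "Oslo",      59.91,  10.75),
    ("2024-03-04T08:01:40", "bob",   "success", "Oslo",      59.91,  10.75),
    ("2024-03-04T09:05:00", "alice", "success", "Oslo",      59.91,  10.75),
    ("2024-03-04T09:10:00", "carol", "success", "Oslo",      59.91,  10.75),
    ("2024-03-04T09:22:00", "alice", "success", "Sao Paulo", -23.55, -46.63),
    ("2024-03-04T13:30:00", "carol", "success", "Bergen",    60.39,   5.32),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def _parse(events):
    parsed = [
        {"time": datetime.fromisoformat(t), "user": u, "outcome": o, "city": c, "lat": la, "lon": lo}
        for t, u, o, c, la, lo in events
    ]
    return sorted(parsed, key=lambda e: e["time"])


def impossible_travel(events):
    """Flag consecutive successful logins whose implied speed is not physically possible."""
    findings = []
    last_success = {}
    for ev in _parse(events):
        if ev["outcome"] != "success":
            continue
        prev = last_success.get(ev["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["time"] - prev["time"]).total_seconds() / 3600
            # Two distant logins at the same instant are impossible travel too (infinite speed).
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > MAX_PLAUSIBLE_SPEED_KMH:
                findings.append({"user": ev["user"], "from": prev["city"], "to": ev["city"],
                                 "distance_km": round(km),
                                 "speed_kmh": None if speed == float("inf") else round(speed)})
        last_success[ev["user"]] = ev
    return findings


def brute_force_then_success(events):
    """Flag a success preceded by a burst of failures for the same account inside the window."""
    findings = []
    recent_failures = {}
    for ev in _parse(events):
        fails = recent_failures.setdefault(ev["user"], [])
        fails[:] = [t for t in fails if ev["time"] - t <= BRUTE_FORCE_WINDOW]  # expire old failures
        if ev["outcome"] == "failure":
            fails.append(ev["time"])
        elif ev["outcome"] == "success":
            if len(fails) >= BRUTE_FORCE_FAILURES:
                findings.append({"user": ev["user"], "failures": len(fails),
                                 "success_at": ev["time"].isoformat()})
            fails.clear()


    return findings


if __name__ == "__main__":
    for finding in impossible_travel(EVENTS) + brute_force_then_success(EVENTS):
        print(finding)
```

On the sample data, `alice` is flagged for Oslo to Sao Paulo in 17 minutes and `bob` for five failures followed by a success; `carol` (Oslo to Bergen over four hours) is not. In production the location comes from a GeoIP lookup, and VPN egress points and mobile carrier NAT are the usual sources of false positives, so treat a hit as a reason to check MFA events and the session's follow-on activity, not as proof by itself.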

Network Indicators

Suspicious signs include unusual outbound traffic, regular small "beaconing" connections to one IP, and many firewall or web filter blocks to risky domains.

Host / System Indicators

On endpoints, look for unexplained CPU or disk spikes, missing or disabled logs, and strange new processes or services that reappear when killed.

Baseline Behavior and Anomaly Detection

What is a Baseline?

A baseline is your documented picture of normal behavior: typical CPU, network flows, login times, and traffic volumes for systems and users.

What is Anomaly Detection?

Anomaly detection flags behavior that deviates strongly from the baseline, such as sudden large outbound transfers or unusual login locations.

Not Every Anomaly is Malicious

Spikes can come from legit events like updates or reports. Correlate anomalies with other indicators before treating them as incidents.
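The baseline, anomaly, and correlation ideas from this section fit in a few lines of code. The script below is an added example for this chapter, not code from the original page: it builds a per-host baseline of daily outbound volume from constructed history using the median and median absolute deviation (so one earlier legitimate spike does not inflate the baseline), scores the day under review, and then checks an assumed change-window table before deciding whether an anomaly needs investigation. The hosts, volumes, the seven-day minimum, the threshold, and the change ticket are all assumptions.

```python
"""Baseline and anomaly check over constructed daily outbound volumes.

Added example for this chapter, not code from the original page. The hosts,
volumes, thresholds, and the change-window table are assumptions for illustration.
"""
from statistics import median

MIN_BASELINE_DAYS = 7      # assumption: fewer days than this is not a baseline
MAD_THRESHOLD = 5.0        # assumption: this many robust deviations counts as "strongly deviates"

# Constructed history per host: (date, outbound MB), oldest first; the last entry is the day under review.
HISTORY = {
    "db-01":   [("2024-03-01", 420), ("2024-03-02", 390), ("2024-03-03", 450), ("2024-03-04", 480),
                ("2024-03-05", 410), ("2024-03-06", 430), ("2024-03-07", 470), ("2024-03-08", 15000)],
    "fin-srv": [("2024-03-24", 310), ("2024-03-25", 290), ("2024-03-26", 305), ("2024-03-27", 320),
                ("2024-03-28", 295), ("2024-03-29", 300), ("2024-03-30", 315), ("2024-03-31", 9000)],
    "web-01":  [("2024-03-01", 1200), ("2024-03-02", 1250), ("2024-03-03", 1180), ("2024-03-04", 1300),
                ("2024-03-05", 1220), ("2024-03-06", 1260), ("2024-03-07", 1210), ("2024-03-08", 1280)],
}

# Constructed change records, (host, date) -> ticket; stands in for a change-management export.
CHANGE_WINDOWS = {
    ("fin-srv", "2024-03-31"): "CHG-2041 month-end reporting export",
}


def robust_baseline(values):
    """Median and median absolute deviation: a single past spike does not wreck the baseline."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def deviation_score(value, med, mad):
    """Distance from the baseline median in robust standard deviations."""
    # 1.4826 * MAD approximates the standard deviation for normal data; the floors
    # (5% of the median, and 1 MB) stop a perfectly flat baseline from dividing by zero.
    scale = max(1.4826 * mad, 0.05 * med, 1.0)
    return abs(value - med) / scale


def review_host(host, series):
    baseline = [mb for _, mb in series[:-1]]
    date, today_mb = series[-1]
    if len(baseline) < MIN_BASELINE_DAYS:
        return {"host": host, "date": date, "status": "no baseline", "score": None}
    med, mad = robust_baseline(baseline)
    score = deviation_score(today_mb, med, mad)
    if score <= MAD_THRESHOLD:
        status = "normal"
    elif (host, date) in CHANGE_WINDOWS:
        status = "explained: " + CHANGE_WINDOWS[(host, date)]   # anomaly correlates with a change
    else:
        status = "investigate"
    return {"host": host, "date": date, "baseline_mb": med, "today_mb": today_mb,
            "score": round(score, 1), "status": status}


def review_all(history):
    return {host: review_host(host, series) for host, series in history.items()}


if __name__ == "__main__":
    for result in review_all(HISTORY).values():
        print(result)
```

Here `db-01` (15 GB against a ~430 MB baseline, no ticket) comes out as "investigate", `fin-srv` is the same kind of spike but matches a change record and is marked "explained", and `web-01` is normal. An "explained" result still deserves a glance at the destination: a change ticket justifies a volume spike, not a transfer to an address the job never used before.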

Common Malware Types and How to Tell Them Apart

Virus vs Worm

A virus needs user action and attaches to files. A worm self-replicates over networks without user help, often exploiting vulnerabilities.

Trojan and Ransomware

A trojan masquerades as legit software to trick users. Ransomware encrypts data or systems and displays ransom notes demanding payment.

Spyware, Keyloggers, RATs

Spyware monitors activity, keyloggers capture keystrokes, and RATs give attackers hidden remote control over infected hosts.

Fileless Malware

Fileless malware mainly lives in memory and abuses tools like PowerShell or macros, making signature-based AV less effective.

Network-Based Indicators: Visualizing Suspicious Traffic

Beaconing Example

Host 10.0.5.23 sends 2 KB over HTTPS to the same IP every 60 seconds, all day, even when logged out. That regular pattern suggests C2 beaconing.
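The beaconing pattern described above can be found in flow or proxy logs by looking at the regularity of inter-arrival times and payload sizes per source/destination pair. The script below is an added example for this chapter, not code from the original page: it constructs flow records for an infected host that calls out roughly every 60 seconds with about 2 KB each time, plus a human browsing session to another site, and flags pairs whose timing and size barely vary. The addresses are reserved documentation ranges, and the minimum connection count and the coefficient-of-variation thresholds are assumptions.

```python
"""Beaconing heuristic over constructed connection records.

Added example for this chapter, not code from the original page. The flows,
addresses (reserved documentation ranges), and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

MIN_CONNECTIONS = 10      # assumption: fewer connections is not enough to call a pattern
MAX_INTERVAL_CV = 0.2     # assumption: stdev/mean of inter-arrival times for "regular"
MAX_SIZE_CV = 0.5         # assumption: beacons carry near-identical payload sizes


def build_sample_flows():
    """Constructed flow records: (time, src, dst, bytes_out)."""
    base = datetime(2024, 3, 4, 0, 0, 0)
    flows = []
    # Infected host: one connection roughly every 60 s with a few seconds of jitter, ~2 KB each.
    jitter = [0, 1, -1, 2, 0, -2, 1, 0, 1, -1, 0, 2, -1, 0, 1, 0, -2, 1, 0, 1]
    for i, j in enumerate(jitter):
        flows.append((base + timedelta(seconds=60 * i + j), "10.0.5.23", "203.0.113.10", 2048 + 10 * j))
    # Human browsing: bursty gaps and wildly different response sizes to one site.
    t = base
    for gap, size in [(5, 15000), (300, 2300), (12, 80000), (900, 1200), (45, 50000), (7, 4000),
                      (2000, 900), (30, 12000), (3, 66000), (600, 3100), (20, 7000), (1500, 25000)]:
        t += timedelta(seconds=gap)
        flows.append((t, "10.0.8.10", "198.51.100.7", size))
    return flows


def find_beacons(flows):
    """Return (src, dst) pairs whose connections are regular in both timing and size."""
    groups = defaultdict(list)
    for ts, src, dst, size in flows:
        groups[(src, dst)].append((ts, size))
    findings = []
    for (src, dst), records in groups.items():
        if len(records) < MIN_CONNECTIONS:
            continue
        records.sort()
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(records, records[1:])]
        sizes = [size for _, size in records]
        mean_interval = mean(intervals)
        if mean_interval <= 0:
            continue
        interval_cv = pstdev(intervals) / mean_interval
        size_cv = pstdev(sizes) / mean(sizes)
        if interval_cv <= MAX_INTERVAL_CV and size_cv <= MAX_SIZE_CV:
            findings.append({"src": src, "dst": dst, "connections": len(records),
                             "period_s": round(mean_interval, 1),
                             "interval_cv": round(interval_cv, 3), "size_cv": round(size_cv, 3)})
    return findings


if __name__ == "__main__":
    for beacon in find_beacons(build_sample_flows()):
        print(beacon)
```

The infected pair is reported with a period of about 60 s and an interval CV near 0.03; the browsing pair has the same number of connections but a CV above 1 and is ignored. Two caveats a practitioner would add: legitimate software also beacons (update checks, telemetry, NTP), so a hit needs destination reputation and asset context before it becomes an alert; and real C2 frameworks add deliberate jitter, so the CV threshold is a tuning knob rather than a fixed truth.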

Data Exfiltration Example

Host 10.0.8.10 usually sends 50–100 MB daily, but tonight sends 12 GB at 02:17 to a country with no offices. That spike suggests data exfiltration.

Blocked Content Example

Many users suddenly hit a new, shady domain flagged as malicious and blocked by the web gateway. This pattern suggests a phishing or malware campaign.

Reading Logs on the Exam

When logs show small, regular outbound connections from an idle machine, think C2 beaconing, not normal user traffic or backups.

Host-Based Indicators: Process, File, and Log Clues

Fake System Process

A process `svch0st.exe` runs from `C:\Users\Public` using high CPU. The real `svchost.exe` lives in `C:\Windows\System32` (32‑bit instances on 64‑bit Windows run from `C:\Windows\SysWOW64`) and is started by `services.exe`. A lookalike name, an unexpected path, or an unexpected parent process each suggest malware masquerading as a system component.
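Checking a process listing for this kind of masquerading is mostly string comparison against a list of where core system binaries are allowed to run from. The script below is an added example for this chapter, not code from the original page: it takes a constructed process list and flags (a) a genuine system binary name running outside its expected directory and (b) lookalike names that differ by a digit-for-letter swap or a single edit. The allowed-directory table, the sample processes, and the one-edit threshold are assumptions.

```python
"""Fake-system-process check over a constructed process listing.

Added example for this chapter, not code from the original page. The allowed
directories, the sample process list, and the distance threshold are assumptions.
"""

# Assumption: where these Windows binaries legitimately run from (lower-cased, no trailing slash).
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe":    {r"c:\windows\system32"},
    "csrss.exe":    {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
MAX_EDIT_DISTANCE = 1   # assumption: one inserted or changed character is still a lookalike

# Constructed process listing: (image name, full path)
SAMPLE_PROCESSES = [
    ("svchost.exe",  r"C:\Windows\System32\svchost.exe"),
    ("svch0st.exe",  r"C:\Users\Public\svch0st.exe"),
    ("svchost.exe",  r"C:\Users\Public\svchost.exe"),
    ("lsass.exe",    r"C:\Windows\System32\lsass.exe"),
    ("lsasss.exe",   r"C:\ProgramData\lsasss.exe"),
    ("chrome.exe",   r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
]


def edit_distance(a, b):
    """Levenshtein distance, enough to catch one added, dropped, or swapped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _normalize(name):
    """Fold the digit-for-letter swaps attackers favour (svch0st, exp1orer)."""
    return name.lower().replace("0", "o").replace("1", "l")


def _directory(path):
    return path.rsplit("\\", 1)[0].lower()


def flag_processes(processes):
    """Return the processes whose name or location does not fit a real system binary."""
    findings = []
    for name, path in processes:
        lname = name.lower()
        if lname in KNOWN_SYSTEM_BINARIES:
            if _directory(path) not in KNOWN_SYSTEM_BINARIES[lname]:
                findings.append({"name": name, "path": path,
                                 "reason": "system binary name outside its expected directory"})
            continue
        for known in KNOWN_SYSTEM_BINARIES:
            if _normalize(lname) == known or edit_distance(lname, known) <= MAX_EDIT_DISTANCE:
                findings.append({"name": name, "path": path, "reason": f"lookalike of {known}"})
                break
    return findings


if __name__ == "__main__":
    for finding in flag_processes(SAMPLE_PROCESSES):
        print(finding)
```

On the sample list this flags `svch0st.exe` and `lsasss.exe` as lookalikes and the `svchost.exe` in `C:\Users\Public` as a real name in the wrong place, while `chrome.exe` is left alone. Name and path are only the first two checks; on a live host you would also compare the parent process and the code-signing status, because malware can copy a real binary name into the real directory if it already has the privileges to write there.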

Ransomware Indicators

Files now end in `.locked`, cannot be opened, and a `READMENOW.txt` ransom note appears in each folder. Classic ransomware behavior.

Tampered Logs and AV

Event logs show gaps and AV was disabled at 03:13 with no change request. Attackers often clear logs and disable protections to hide.

Mapping to Malware Types

Fake system processes with remote control hint at RATs; encrypted files plus ransom notes point to ransomware; stealthy data theft suggests spyware.

Thought Exercise: Benign Anomaly or Malicious Activity?

Work through these short scenarios. For each, decide if it is likely benign, suspicious but unclear, or strongly malicious. Then think: what would you check next?

  1. Scenario A

A finance server’s CPU jumps from 10% to 85% every last day of the month from 22:00–23:00, generating heavy disk I/O. This pattern has been stable for the last 6 months.

  • Likely benign? Suspicious? Strongly malicious?
  • What would you confirm before ignoring it?

  2. Scenario B

A sales user logs in from your home country at 09:05 and then from another continent at 09:22 the same day. The account then accesses an internal Git repository it has never used before.

  • Likely benign? Suspicious? Strongly malicious?
  • What logs or tools would you check?

  3. Scenario C

Several users report that their browsers redirect to a fake login page when visiting your company’s intranet. DNS records for the intranet host were changed 20 minutes ago, but no change ticket exists.

  • Likely benign? Suspicious? Strongly malicious?
  • What immediate containment step would you take?

  4. Scenario D

Your SIEM flags a new PowerShell script running on 50 endpoints. It is signed by your internal IT team and matches a recent maintenance change request.

  • Likely benign? Suspicious? Strongly malicious?
  • What quick verification could you perform?

Use this as a mental drill. The key habit is correlation: do not rely on a single indicator. Combine timing, baselines, user behavior, and change records to decide how serious an event is.

Basic Malware Analysis: Triage, Static vs Dynamic, and Practical Limits

Malware Triage Basics

First steps: isolate the host from the network (disconnect or quarantine it, but leave it powered on so memory is preserved), then list running processes and network connections, identify suspicious files, and compute their hashes so they can be checked against threat intelligence.

Static Analysis Overview

Static analysis inspects malware without running it: file type and metadata, embedded strings, and hashes checked against AV and threat‑intel sources. It is safer, but packed or obfuscated samples reveal little until they are unpacked.
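The static checks just described (hashing, string extraction, pulling out indicator-like strings) are the first thing an analyst runs on a suspicious file, and they are simple to script. The example below is added for this chapter and is not code from the original page: it builds a constructed stand-in for a dropped binary (a PE magic number followed by a few embedded strings, not real malware), computes its hashes, extracts printable strings the way the classic `strings` tool does, and picks out URLs, IPv4 addresses, and persistence-related commands. The domain and address are reserved documentation values, and the minimum string length and the regular expressions are assumptions.

```python
"""Static triage of a suspicious file: hashes, strings, and IOC-like strings.

Added example for this chapter, not code from the original page. The sample
bytes are constructed here (not real malware), the domain and address are
reserved documentation values, and the patterns are assumptions.
"""
import hashlib
import re

MIN_STRING_LENGTH = 6   # assumption: shorter runs of printable bytes are mostly noise

# Assumption: the patterns an analyst pulls out of a strings dump first.
IOC_PATTERNS = {
    "url": re.compile(rb"https?://[\w.\-/]+"),
    "ipv4": re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "persistence": re.compile(rb"(?i)(?:reg add|schtasks|CurrentVersion\\Run)[^\x00]*"),
}


def build_sample():
    """Constructed stand-in for a dropped binary: PE magic plus a few embedded strings."""
    return (b"MZ\x90\x00" + b"\x00" * 60
            + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 16
            + b"http://updates.example.invalid/gate.php\x00"
            + b"203.0.113.10:443\x00"
            + b"cmd.exe /c reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
              b" /v Updater /d %TEMP%\\winupdate.exe\x00"
            + b"\x00" * 32)


def extract_strings(data, min_len=MIN_STRING_LENGTH):
    """Printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data):
    """Hashes for threat-intel lookups, a PE check, the strings dump, and IOC-like strings."""
    hashes = {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}
    iocs = {}
    for kind, pattern in IOC_PATTERNS.items():
        hits = sorted({m.decode("ascii", "replace") for m in pattern.findall(data)})
        if hits:
            iocs[kind] = hits
    return {"size": len(data), "is_pe": data[:2] == b"MZ", "hashes": hashes,
            "strings": extract_strings(data), "iocs": iocs}


if __name__ == "__main__":
    report = triage(build_sample())
    print(report["hashes"]["sha256"])
    for kind, hits in report["iocs"].items():
        print(kind, hits)
```

The SHA‑256 is what you submit to threat-intel and sandbox services; the URL, the address, and the `reg add ... CurrentVersion\Run` line become candidate IOCs and a persistence lead for the host investigation. The limit mentioned above shows up directly here: a packed sample yields almost no readable strings, which is itself a weak indicator and the cue to hand the file to dynamic analysis.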

Dynamic Analysis Overview

Dynamic analysis runs malware in a sandbox or VM and observes behavior: file, registry, process, and network changes. It shows what the malware does.

Your Likely Role

As a Security+‑level analyst, you mainly recognize indicators, collect artifacts, preserve evidence, and escalate complex samples to specialists.

Initial Containment and Response Steps for IOCs

Contain First

When IOCs appear, first contain: isolate affected systems and block known malicious IPs/domains/hashes to stop spread and damage.

Preserve Evidence

Before rebooting or wiping, capture volatile data, collect logs, and document times and accounts. This supports investigation and compliance.

Eradicate and Recover

Then remove the malware, patch the vulnerabilities that were exploited, reset any credentials that may have been exposed, and restore from backups that are verified clean and were not reachable by the attacker, especially after ransomware.

GRC and Escalation

Involve your IR team and consider governance, risk, and compliance requirements, especially when regulated data or systems are affected.

Quiz 1: Recognizing Indicators and Malware Types

Test your understanding of indicators and malware behaviors.

A workstation shows constant 90–100% CPU usage when the user is idle. A process named "winupdate.exe" runs from C:\Users\Public and makes small, regular HTTPS connections to the same external IP every 45 seconds. Which option BEST describes what is happening?

  A. Legitimate Windows Update process downloading patches
  B. A worm self-replicating across the local network
  C. A remote access trojan maintaining command-and-control communication
  D. A fileless malware sample that cannot be detected by its process name

Answer: C) A remote access trojan maintaining command-and-control communication

The fake "winupdate.exe" in a user directory, high CPU on idle, and small, regular outbound connections strongly suggest a RAT with C2 beaconing. The real Windows Update service does not run from C:\Users\Public. A worm would show scanning and lateral movement, and fileless malware would typically abuse built-in tools like PowerShell rather than a clearly named EXE.

Quiz 2: Baselines, Anomalies, and Response

Apply baseline and response concepts to a short scenario.

Your SIEM alerts that a database server, which normally sends less than 500 MB/day outbound, has just sent 15 GB of data to an IP in a foreign country at 03:30. No maintenance is scheduled. What is the BEST immediate action?

  A. Reboot the server to stop all current connections
  B. Isolate the server from the network and begin collecting logs and connection details
  C. Ignore the alert because it is likely a backup job
  D. Immediately delete all logs on the server to prevent attacker access

Answer: B) Isolate the server from the network and begin collecting logs and connection details

The behavior is a strong anomaly relative to the baseline and suggests possible data exfiltration. The best immediate action is to contain by isolating the server and then collect logs and connection details. Rebooting may destroy volatile evidence, ignoring the alert is unsafe, and deleting logs destroys crucial evidence.

Key Term Flashcards: Indicators and Malware

Flip through these cards to reinforce key terms and distinctions.

Indicator of compromise (IOC)
A specific, observable artifact (such as a malicious IP, file hash, domain, registry key, or unexpected admin account) that strongly suggests a system has been breached.
Impossible travel
A user logs in from two geographically distant locations within a time frame that makes physical travel impossible, often indicating credential theft or account compromise.
Baseline behavior
A documented view of normal activity over time for systems and users, such as typical CPU usage, network traffic volumes, and login patterns, used to detect anomalies.
Beaconing
Regular, often small, outbound connections from an infected host to a command-and-control server, used by malware to receive instructions or exfiltrate data.
Virus vs Worm
A virus attaches to files and requires user action to spread; a worm self-replicates across networks without user interaction, typically exploiting vulnerabilities.
Trojan
Malicious code disguised as legitimate software that tricks users into installing it, often used to deliver additional malware or create backdoors.
Ransomware
Malware that encrypts files or systems and demands payment, typically in cryptocurrency, to restore access, often leaving ransom notes on the system.
Fileless malware
Malware that primarily resides in memory and abuses legitimate tools (such as PowerShell or WMI) instead of relying on traditional files on disk.
Static analysis
Examining malware without executing it, by inspecting file metadata, embedded strings, and signatures to infer behavior and identify indicators.
Dynamic analysis
Running suspected malware in a controlled environment (sandbox or VM) to observe its real-time behavior, such as file, registry, process, and network changes.

Key Terms

worm
Self-replicating malware that spreads across networks without user interaction, often by exploiting vulnerabilities or weak configurations.
virus
Malicious code that attaches to a legitimate file or program and requires user action to execute and spread.
trojan
Malicious code disguised as legitimate software that tricks users into installing it, often used to deliver additional malware or create backdoors.
spyware
Malware that secretly monitors user activity, collecting information such as browsing history, credentials, or other sensitive data.
beaconing
Regular, often small, outbound connections from an infected host to a command-and-control server, used by malware to receive instructions or exfiltrate data.
keylogger
A type of spyware that records keystrokes on a device to capture data such as usernames, passwords, and messages.
ransomware
Malware that encrypts files or systems and demands payment, typically in cryptocurrency, to restore access, often leaving ransom notes on the system.
containment
Incident response actions focused on limiting the spread and impact of an attack, such as isolating systems and blocking malicious indicators, before eradication.
static analysis
Examining malware without executing it, by inspecting file metadata, embedded strings, and signatures to infer behavior and identify indicators.
dynamic analysis
Running suspected malware in a controlled environment (sandbox or VM) to observe its real-time behavior, such as file, registry, process, and network changes.
fileless malware
Malware that primarily resides in memory and abuses legitimate tools (such as PowerShell or WMI) instead of relying on traditional files on disk, making it harder to detect with signature-based tools.
anomaly detection
The process of identifying activity that significantly deviates from established baselines, potentially indicating misconfiguration, failure, or malicious behavior.
baseline behavior
A documented view of normal activity over time for systems and users, such as typical CPU usage, network traffic volumes, and login patterns, used to detect anomalies.
hybrid environment
A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
remote access trojan (RAT)
Malware that provides an attacker with covert remote control over an infected system, often including file access, keylogging, and webcam or microphone control.
indicator of compromise (IOC)
A specific, observable artifact (such as a malicious IP, file hash, domain, registry key, or unexpected admin account) that strongly suggests a system has been breached.
indicator of malicious activity
Any observable sign that something suspicious is happening in a system or network, including unusual logins, traffic patterns, resource spikes, or configuration changes.
governance, risk, and compliance
Governance, risk, and compliance (GRC) is the practice of operating with awareness of the policies, regulatory requirements, and risk tolerances that apply to the organization, so that security decisions, including incident response and breach reporting, satisfy those obligations.
