Analyze indicators of malicious activity
This is the broadest PBQ objective on the exam. “Given a scenario” means you’ll be presented with evidence — logs, packet captures, system behavior, error messages — and asked to identify what attack is occurring and what indicators reveal it.
Malware Attacks
Ransomware
Encrypts the victim's files and demands payment for the decryption key.
- Indicators: Encrypted files with new extensions (.locked, .crypto), ransom note files in every directory, unusual encryption process consuming CPU/disk, C2 beaconing before encryption begins
- Variants: Crypto-ransomware (encrypts files), locker ransomware (locks the system), double extortion (encrypts + threatens data leak)
Trojans
Malware disguised as legitimate software. Requires user action to install.
- Indicators: Unknown processes with network connections, software performing actions beyond its stated purpose, unexpected outbound connections
- RAT (Remote Access Trojan): Provides attacker with remote control — webcam, keylogging, file access, shell access
Worms
Self-replicating malware that spreads across networks without user interaction.
- Indicators: Rapid network traffic spikes, identical processes appearing across multiple systems, bandwidth saturation, mass connection attempts on specific ports
Spyware
Collects information without the user’s knowledge.
- Indicators: Unexpected data exfiltration, microphone/camera activation, browser redirects, new toolbars or extensions, degraded system performance
- State-level: Zero-click spyware (Pegasus-style) leaves minimal visible indicators — detection requires mobile forensic tools, anomalous network behavior analysis, or compromised process analysis
Keyloggers
Records keystrokes to capture credentials, messages, and sensitive data.
- Software: Process monitoring reveals unknown input hooks. Often bundled with other malware.
- Hardware: Physical device between keyboard and computer. Requires physical inspection.
Logic Bombs
Malicious code that triggers on a specific condition (date, event, account deletion).
- Indicators: Dormant code discovered during code review, scheduled tasks with destructive payloads, insider threat pattern (often planted by disgruntled employees)
Rootkits
Malware that hides deep in the system to maintain persistent, undetected access.
- Kernel-level: Modifies the OS kernel (for example by hooking system call handlers or driver dispatch tables) so that every user-mode tool, including standard antivirus, receives filtered results
- Bootkit: Infects the boot process. Loads before the OS.
- Indicators: Discrepancies between tools, such as one tool listing a process or file that another doesn't, or raw disk reads that don't match the OS file listing; unexplained kernel modules or drivers; hooked system calls
- Detection: Boot from trusted media and scan offline (a rootkit can't hide from a scanner that isn't running under the kernel it controls), file and boot integrity checking (Secure Boot, measured boot), behavior-based detection
Bloatware
Pre-installed software on devices that may collect data or introduce vulnerabilities.
- Not always malicious but increases attack surface and may include tracking functionality
Network Attacks
DDoS (Distributed Denial of Service)
Overwhelming a target with traffic from multiple sources.
- Volumetric: Flood bandwidth (UDP flood, DNS amplification, NTP amplification)
- Protocol: Exploit protocol weaknesses (SYN flood — filling the connection state table)
- Application: Target specific services (HTTP GET/POST floods, Slowloris)
- Indicators: Sudden traffic spike from many sources, service unavailability, source IPs spread across unrelated networks (botnet members), asymmetric traffic patterns (small requests, huge responses, as in amplification)
DNS Attacks
- DNS poisoning/spoofing: Injecting false DNS records to redirect traffic
- DNS tunneling: Encoding data in DNS queries to exfiltrate data or establish C2 through DNS traffic (bypasses many firewalls)
- Indicators: Unusually long DNS queries, high query volume to unknown domains, DNS responses that don’t match legitimate records
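The three DNS tunneling indicators above (long names, high volume to one domain, encoded-looking labels) can be scored mechanically. The following is an added example, not part of the exam objectives or any vendor product: it runs a length and Shannon-entropy check over a constructed list of (client, query name) pairs and reports clients that repeatedly send encoded-looking subdomains to the same registered domain. The thresholds, the two-label approximation of a registered domain, and the tunnel-demo.invalid name are assumptions for this example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of (client_ip, queried_name) pairs; not from a real capture.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "cdn.example.net"),
    ("10.0.0.9", "7a6b3c9d2e1f0a4b5c6d7e8f9a0b1c2d.3e4f5a6b7c8d9e0f1a2b3c4d.tunnel-demo.invalid"),
    ("10.0.0.9", "f1e2d3c4b5a69788796a5b4c3d2e1f00.0a1b2c3d4e5f60718293a4b5.tunnel-demo.invalid"),
    ("10.0.0.9", "9f8e7d6c5b4a39281706f5e4d3c2b1a0.c6d7e8f90a1b2c3d4e5f6071.tunnel-demo.invalid"),
    ("10.0.0.9", "0123456789abcdef0123456789abcdef.fedcba9876543210fedcba98.tunnel-demo.invalid"),
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; hex, base32 and base64 payloads score high, words score low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name: str) -> str:
    """Crude 'last two labels' approximation (assumption); production code should use a public-suffix list."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_query(name: str) -> dict:
    """Per-query features: total length, label count, entropy of everything below the registered domain."""
    labels = name.rstrip(".").split(".")
    subdomain = "".join(labels[:-2])
    return {
        "length": len(name),
        "labels": len(labels),
        "subdomain_entropy": shannon_entropy(subdomain),
    }


def flag_tunneling(queries, max_len=60, min_entropy=3.5, min_queries_per_domain=3):
    """Return {(client, registered_domain): count} for clients that repeatedly send long,
    high-entropy names to one domain. Thresholds are assumptions for this example."""
    suspicious = defaultdict(int)
    for client, name in queries:
        s = score_query(name)
        if s["length"] > max_len and s["subdomain_entropy"] > min_entropy:
            suspicious[(client, registered_domain(name))] += 1
    return {k: v for k, v in suspicious.items() if v >= min_queries_per_domain}


if __name__ == "__main__":
    for key, count in flag_tunneling(SAMPLE_QUERIES).items():
        print(f"client {key[0]} sent {count} encoded-looking queries to {key[1]}")
```

Entropy alone is not proof: CDNs and anti-spam services also use long hashed labels. What separates tunneling is the combination of volume, a single destination domain, and the fact that responses (often TXT or NULL records) carry data back, so pair this check with response-type statistics before blocking.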
On-Path (Man-in-the-Middle)
Attacker positions themselves between two communicating parties.
- ARP poisoning: Associating attacker’s MAC with the gateway’s IP on the local network
- SSL/TLS stripping: Downgrading HTTPS to HTTP
- Indicators: One MAC address mapped to multiple IPs (the gateway's IP and the attacker's own), the gateway's MAC changing without a DHCP or hardware event, unsolicited (gratuitous) ARP replies, certificate warnings, unexpected network latency
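Checking the ARP indicators above by hand means comparing a known-good ARP cache with the current one. The following is an added example, not from the exam or any tool the page names: it takes two constructed ARP cache snapshots (IP to MAC maps, with an assumed gateway of 192.168.1.1 and an assumed attacker MAC of de:ad:be:ef:00:77), reports any MAC that claims more than one IP, and reports a gateway MAC change.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumed gateway for this example

# Constructed ARP cache snapshots (ip -> mac) taken before and during an attack; not real captures.
BASELINE = {
    "192.168.1.1":  "00:11:22:33:44:01",
    "192.168.1.10": "00:11:22:33:44:10",
    "192.168.1.77": "de:ad:be:ef:00:77",
}
POISONED = {
    "192.168.1.1":  "de:ad:be:ef:00:77",  # gateway IP now resolves to the attacker's MAC
    "192.168.1.10": "00:11:22:33:44:10",
    "192.168.1.77": "de:ad:be:ef:00:77",
}


def macs_with_multiple_ips(arp_table):
    """Invert the table and return {mac: [ips]} for MACs that answer for more than one IP."""
    by_mac = defaultdict(set)
    for ip, mac in arp_table.items():
        by_mac[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_mac_changed(baseline, current, gateway_ip=GATEWAY_IP):
    """(changed?, old_mac, new_mac) for the gateway entry."""
    before = baseline.get(gateway_ip, "").lower()
    after = current.get(gateway_ip, "").lower()
    return before != after, before, after


def arp_poisoning_indicators(baseline, current, gateway_ip=GATEWAY_IP):
    """Human-readable findings; an empty list means neither indicator fired."""
    findings = []
    for mac, ips in macs_with_multiple_ips(current).items():
        if gateway_ip in ips:
            findings.append(f"MAC {mac} claims the gateway {gateway_ip} and also {ips}")
    changed, before, after = gateway_mac_changed(baseline, current, gateway_ip)
    if changed:
        findings.append(f"gateway MAC changed from {before} to {after}")
    return findings


if __name__ == "__main__":
    for line in arp_poisoning_indicators(BASELINE, POISONED):
        print(line)
```

A MAC serving several IPs is not always an attack: routers with multiple interfaces, VRRP/HSRP virtual addresses and hosts with IP aliases do it legitimately, which is why the check keys on the gateway entry specifically and on a change from a trusted baseline rather than on duplication alone. Dynamic ARP Inspection on the switch is the preventive control; this script is the after-the-fact check.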
Credential Replay
Capturing and reusing valid authentication tokens or hashes.
- Pass-the-hash: Using captured NTLM hashes without cracking the password
- Session hijacking: Stealing session cookies to impersonate authenticated users
- Indicators: Same credentials used from different IPs/locations at once, authentication without a preceding login sequence (for example network logons with a user's NTLM hash from a host that user never interactively logged into), a session token appearing from a new client or user agent mid-session
Wireless Attacks
- Evil twin: Rogue AP with legitimate SSID
- Deauth: Forcing clients off the network to capture reconnection handshakes
- Indicators: Multiple APs with same SSID, unexpected deauthentication frames, client connection instability
Application Attacks
Injection
Covered in 2.3 — SQL injection, command injection, LDAP injection, XML injection.
- Indicators: Unusual characters in logs (single quotes, semicolons, angle brackets), application errors referencing database syntax, unauthorized data access
Buffer Overflow
Program writes data beyond allocated memory boundaries.
- Indicators: Application crashes with memory corruption errors (segfaults, access violations, "stack smashing detected" messages), repeated crashes of the same service triggered by the same client, and, when the exploit succeeds, a process doing something it never should, such as a network service spawning a shell or a child process with elevated privileges. A crash means the attempt failed or is still being tuned; the quiet success is the one to hunt for.
Replay Attacks
Capturing valid data transmission and retransmitting it.
- Indicators: Duplicate transactions, authentication events with identical timestamps/tokens, unexpected repeated actions
Directory Traversal
Accessing files outside the intended directory using path manipulation (../../etc/passwd).
- Indicators: Log entries containing ../ or its URL-encoded forms (%2e%2e%2f, ..%5c, double-encoded %252e%252e%252f), unauthorized access to system files, file access outside the web root
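The injection and directory traversal indicators above both come down to reading request targets in a web access log, and both are routinely hidden behind URL encoding. The following is an added example, not part of the exam or of any WAF product: it parses constructed Apache-style access log lines, URL-decodes the target repeatedly so single- and double-encoded payloads collapse to their plain form, and tags lines that match small illustrative SQL injection, traversal and script-injection patterns. The log lines, field layout and patterns are assumptions for this example.

```python
import re
from urllib.parse import unquote

# Constructed access log lines in a common combined-log layout; not from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /products?id=42 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /products?id=42'%20OR%20'1'%3D'1 HTTP/1.1" 500 231
198.51.100.3 - - [10/Oct/2023:13:56:01 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1806
198.51.100.3 - - [10/Oct/2023:13:56:05 +0000] "GET /download?file=%252e%252e%252fetc%252fshadow HTTP/1.1" 403 0
192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "POST /login HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Deliberately small illustrative signatures; a real WAF ruleset is far larger and still imperfect.
PATTERNS = {
    "sqli": re.compile(r"['\"]\s*(or|and)\s*['\"]?\d|union\s+select|['\"]\s*--|;\s*--", re.I),
    "traversal": re.compile(r"\.\./|\.\.\\"),
    "xss": re.compile(r"<\s*script|on\w+\s*=", re.I),
}


def normalize(target: str, rounds: int = 3) -> str:
    """URL-decode until the string stops changing (bounded), so %2e%2e%2f and %252e%252e%252f both become ../."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify(line: str):
    """Parse one log line; return None if it does not match the layout, else a dict with the pattern hits."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = normalize(m.group("target"))
    hits = [name for name, rx in PATTERNS.items() if rx.search(target)]
    return {"ip": m.group("ip"), "status": int(m.group("status")), "target": target, "hits": hits}


def scan(log_text: str):
    """Only the lines that tripped a pattern, with the decoded target so an analyst can read the payload."""
    results = (classify(line) for line in log_text.splitlines() if line.strip())
    return [r for r in results if r and r["hits"]]


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(f'{r["ip"]} {r["status"]} {r["hits"]} {r["target"]}')
```

Two things the run shows that the bullet points alone do not: the 403 on the double-encoded traversal attempt is still an indicator (blocked content from the same source that just succeeded with a single-encoded payload), and the 500 on the quoted SQL payload is the "application errors referencing database syntax" signal. Expect false positives from patterns this small; they illustrate the decoding step, not a production ruleset.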
Privilege Escalation
- Indicators: User performing actions beyond their role, sudo/admin events from standard accounts, unexpected group membership changes
Cryptographic Attacks
Downgrade Attack
Forcing a system to use a weaker cryptographic protocol or cipher.
- Attacker intercepts the negotiation and manipulates the offered options (e.g., forcing TLS 1.0 instead of 1.3). TLS 1.3 includes downgrade protection: a 1.3-capable server that ends up negotiating 1.2 or lower marks the last bytes of its ServerHello random, so a 1.3 client recognizes the manipulation and aborts.
- Indicators: Connections using deprecated protocols or cipher suites when both endpoints support stronger options, a spike in handshake failures or renegotiations from one client, HTTP where HSTS says HTTPS should be enforced
Collision Attack
Finding two different inputs that produce the same hash.
- Relevant to MD5 and SHA-1: practical collisions (including chosen-prefix collisions, where the attacker controls the start of both documents) have been demonstrated for both, so neither is acceptable for signatures or certificates
- Used to forge digital signatures or certificates
Birthday Attack
Exploiting the mathematics of hash collisions: with roughly 2^(n/2) random inputs a collision in an n-bit hash becomes likely, far fewer than the 2^n attempts a brute-force preimage search needs. This is why a 128-bit hash such as MD5 offers only about 64 bits of collision resistance even before any cryptanalytic shortcut is applied.
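The 2^(n/2) figure is easiest to believe after watching it happen. The following is an added example, not from the exam material: it truncates SHA-256 to a chosen number of bits (a stand-in for a weak hash, so the search finishes in well under a second), draws random inputs until two distinct ones share a truncated digest, and compares the count against the closed-form expectation. The truncation and the random-input strategy are assumptions of this example; real MD5 and SHA-1 collision attacks use cryptanalytic shortcuts rather than this generic search.

```python
import hashlib
import math
import os


def truncated_hash(data: bytes, bits: int) -> int:
    """The first `bits` bits of SHA-256(data) as an integer; truncation stands in for a short hash."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def birthday_collision(bits: int, max_tries: int = 1 << 20):
    """Draw random 8-byte inputs until two distinct ones share a truncated digest.
    Returns (input_a, input_b, tries) or None if max_tries is exhausted."""
    seen = {}  # truncated digest -> first input that produced it
    for tries in range(1, max_tries + 1):
        msg = os.urandom(8)
        h = truncated_hash(msg, bits)
        if h in seen and seen[h] != msg:
            return seen[h], msg, tries
        seen[h] = msg
    return None


def expected_birthday_tries(bits: int) -> float:
    """Mean number of random samples before the first collision: sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * (1 << bits))


def expected_preimage_tries(bits: int) -> int:
    """Brute-force preimage: on average half the space, 2^(bits-1), and 2^bits in the worst case."""
    return 1 << (bits - 1)


if __name__ == "__main__":
    bits = 32
    a, b, tries = birthday_collision(bits)
    print(f"{bits}-bit collision after {tries} tries "
          f"(expected about {expected_birthday_tries(bits):.0f}, preimage would need about {expected_preimage_tries(bits)})")
    print(a.hex(), b.hex(), hex(truncated_hash(a, bits)))
```

For 32 bits the search needs about 82,000 random inputs, while inverting one specific 32-bit digest needs about two billion. Scale the exponent and the gap is the whole story: a 128-bit MD5 digest is a 2^64 birthday problem, within reach of a well-resourced attacker even without the cryptanalytic shortcuts that make MD5 collisions cheap on a laptop.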
Password Attacks
Brute Force
Trying every possible combination until the correct password is found.
- Indicators: High volume of failed authentication attempts from a single source, account lockouts
Password Spraying
Trying a small number of common passwords against many accounts.
- Avoids lockout thresholds by limiting attempts per account
- Indicators: Failed logins across many accounts within a short time frame, using common passwords
Dictionary Attack
Using a list of common passwords and words.
- Faster than brute force but limited to dictionary contents
Credential Stuffing
Using breached credentials from other sites against new targets.
- Exploits password reuse — why unique passwords matter
- Indicators: Many accounts each tried once or twice from many distributed sources in a short window, a success rate far above what guessing would produce, successful logins from new locations or devices on accounts whose credentials appear in a known breach
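Brute force, password spraying and credential stuffing leave different shapes in the same authentication log, and a PBQ will expect you to tell them apart from counts alone. The following is an added example, not from the exam or any SIEM product: over a constructed list of authentication events (timestamp, source IP, username, success flag) it labels a source as brute force when it fails many times against one or two accounts, as spraying when it fails once each across many accounts, and flags stuffing when many distinct sources each make a single attempt. The event data and every threshold are assumptions for this example.

```python
from collections import defaultdict

# Constructed authentication events: (timestamp_seconds, source_ip, username, success). Not real logs.
EVENTS = [
    # one source hammering one account: brute force
    *[(t, "10.0.0.1", "alice", False) for t in range(0, 40)],
    # one source, one guess per account across many accounts: password spraying
    *[(60 + i, "10.0.0.2", f"user{i:02d}", False) for i in range(25)],
    # many sources, one attempt per account, suspiciously many successes: credential stuffing
    *[(200 + i, f"198.51.100.{i}", f"cust{i:03d}", i % 5 == 0) for i in range(30)],
    # an ordinary user who typos once and then succeeds
    (300, "10.0.0.50", "bob", False),
    (305, "10.0.0.50", "bob", True),
]


def classify_sources(events, bf_min_fails=20, spray_min_accounts=15):
    """Label each source IP by the shape of its attempts. Thresholds are illustrative assumptions."""
    per_src = defaultdict(lambda: {"fails": 0, "succ": 0, "users": set()})
    for _ts, src, user, ok in events:
        bucket = per_src[src]
        bucket["users"].add(user)
        bucket["succ" if ok else "fails"] += 1
    labels = {}
    for src, b in per_src.items():
        if b["fails"] >= bf_min_fails and len(b["users"]) <= 2:
            labels[src] = "brute_force"
        elif len(b["users"]) >= spray_min_accounts and b["fails"] >= len(b["users"]):
            labels[src] = "password_spraying"
    return labels


def detect_stuffing(events, max_per_source=1, min_sources=10):
    """Credential stuffing hides below per-source thresholds: look across sources instead.
    Returns a summary when many low-volume sources each hit a distinct account, else None."""
    per_src = defaultdict(list)
    for _ts, src, user, ok in events:
        per_src[src].append((user, ok))
    low_volume = {src: a for src, a in per_src.items() if len(a) <= max_per_source}
    if len(low_volume) < min_sources:
        return None
    accounts = {user for attempts in low_volume.values() for user, _ in attempts}
    successes = sorted(user for attempts in low_volume.values() for user, ok in attempts if ok)
    return {"sources": len(low_volume), "accounts": len(accounts), "successes": successes}


if __name__ == "__main__":
    print(classify_sources(EVENTS))
    print(detect_stuffing(EVENTS))
```

The spraying source never trips a per-account lockout (one failure per account), which is exactly why the classifier keys on distinct usernames per source rather than failures per account. Stuffing defeats the per-source view entirely, so the second function counts sources, not attempts; in production you would compare that source count against a baseline for the hour and weight by how many of the single attempts succeeded.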
Indicator Recognition
These behavioral anomalies signal something is wrong even before you identify the specific attack:
| Indicator | What it suggests |
|---|---|
| Account lockout | Brute force or password spraying |
| Concurrent session usage | Credential compromise, session hijacking |
| Impossible travel | Login from NYC, then London 10 minutes later = compromised credentials (or a VPN/proxy exit that needs to be allowlisted) |
| Missing logs | Attacker covering tracks, log tampering |
| Resource consumption | Cryptomining, DDoS participation, data exfiltration |
| Out-of-cycle logging | Processes running at unusual times |
| Blocked content | Malware attempting connections being stopped by controls |
| Resource inaccessibility | Ransomware, DoS, or destructive attack |
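Of the indicators in the table, impossible travel is the one that reduces to a calculation: distance between two login locations divided by the time between them. The following is an added example, not from the exam or from any identity provider's detection: it takes constructed login events (user, UTC timestamp, latitude, longitude), computes the great-circle distance between consecutive logins of the same user with the haversine formula, and flags any pair whose implied speed exceeds an assumed airliner-speed threshold.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed login events: (username, ISO-8601 UTC time, latitude, longitude). Not from a real IdP.
LOGINS = [
    ("alice", "2024-03-01T09:00:00Z", 40.7128, -74.0060),   # New York
    ("alice", "2024-03-01T09:10:00Z", 51.5074, -0.1278),    # London, ten minutes later
    ("bob",   "2024-03-01T08:00:00Z", 37.7749, -122.4194),  # San Francisco
    ("bob",   "2024-03-01T15:30:00Z", 40.7128, -74.0060),   # New York, 7.5 hours later
]

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold, roughly airliner cruising speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_ts(s: str) -> datetime:
    """Accept the trailing 'Z' that many logs use; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Sort each user's logins by time and return (user, km, km/h) for consecutive pairs that
    would require travelling faster than max_kmh. Zero elapsed time is reported as infinite speed."""
    by_user = defaultdict(list)
    for user, ts, lat, lon in logins:
        by_user[user].append((parse_ts(ts), lat, lon))
    findings = []
    for user, evts in by_user.items():
        evts.sort()
        for (t1, la1, lo1), (t2, la2, lo2) in zip(evts, evts[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            km = haversine_km(la1, lo1, la2, lo2)
            speed = km / hours if hours > 0 else math.inf
            if speed > max_kmh:
                findings.append((user, round(km), speed if speed == math.inf else round(speed)))
    return findings


if __name__ == "__main__":
    for user, km, kmh in impossible_travel(LOGINS):
        print(f"{user}: {km} km in consecutive logins implies {kmh} km/h")
```

Bob's San Francisco to New York hop comes out at about 550 km/h over 7.5 hours and is left alone; Alice's New York to London hop in ten minutes implies tens of thousands of km/h and is flagged. The weak link in production is the coordinates themselves: IP geolocation is coarse, mobile carriers and VPN exits move users hundreds of kilometres in a second, so the speed check belongs behind an allowlist of known VPN egress points and should raise the bar for a step-up authentication prompt rather than lock the account outright.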
Offensive Context
Buffer overflow indicators make sense when you understand what a crash log with a corrupted RIP actually means — padding through the buffer, overwriting the saved frame pointer, hijacking the return address. Network attack patterns are the defensive mirror of protocol-level interception. Every indicator on this list is the forensic residue of a specific offensive technique. The better you understand the technique, the faster you recognize the indicator.