1.2 Given a scenario, analyze indicators of potentially malicious activity.
📘 CompTIA CySA+ (CS0-003)
A host is any computer, server, or device on a network. Attackers often target hosts to steal data, disrupt operations, or gain control. Detecting suspicious behavior on hosts is crucial for cybersecurity analysts. Here’s what to look for:
1. Processor Consumption (CPU Usage)
- What it is: The CPU is the part of a computer that runs programs. It processes instructions from the OS and applications.
- Malicious indicator: If the CPU usage is unusually high when the host is idle or running normal programs, it could be a sign of:
- Malware mining cryptocurrency
- Running unauthorized scripts
- Botnet activity
- Detection methods:
- Task Manager (Windows), top or htop (Linux)
- Endpoint detection tools
- Exam tip: Sudden spikes in CPU usage without user activity = suspicious.
2. Memory Consumption (RAM Usage)
- What it is: Memory (RAM) stores data temporarily while programs run.
- Malicious indicator:
- Malware may consume large amounts of memory to operate in the background.
- Memory leaks in malware can cause performance drops.
- Detection methods:
- Check memory usage per process
- Look for unknown processes consuming large memory
- Exam tip: Abnormal memory usage can signal hidden malicious activity.
3. Drive Capacity Consumption (Disk Usage)
- What it is: Disk storage holds files, programs, and the OS.
- Malicious indicator:
- Ransomware may rapidly encrypt files, increasing disk usage.
- Malware may download or store large amounts of data.
- Detection methods:
- Disk monitoring tools
- File system auditing
- Exam tip: Rapid unexplained increase in disk usage = suspicious.
4. Unauthorized Software
- What it is: Programs installed without IT approval.
- Malicious indicator:
- Software installed by attackers to maintain access or steal data
- Detection methods:
- Software inventory checks
- Endpoint management tools
- Exam tip: Unexpected software on a host may be malicious.
5. Malicious Processes
- What it is: A process is a running program on a host.
- Malicious indicator:
- Processes with unusual names
- Processes running from unusual file locations
- Processes trying to hide themselves
- Detection methods:
- Process monitoring tools
- Compare running processes to known baselines
- Exam tip: Suspicious processes = strong indicator of compromise.
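The CPU, memory and process checks in sections 1, 2 and 5 come down to comparing a snapshot of what is running against a known-good baseline. The script below is an added example written for these notes (it is not CompTIA material or any vendor's tool): the baseline, thresholds and the process snapshot are all constructed sample data, and a real collector would populate the snapshot from `ps`, `tasklist` or a library such as psutil.

```python
"""Compare a host process snapshot against a known-good baseline.

Added example for these study notes, not from CompTIA or any vendor tool.
The baseline, thresholds and snapshot below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    path: str        # full path of the executable image
    cpu_pct: float   # share of total CPU over the sampling interval
    rss_mb: float    # resident memory in MB


# Constructed baseline: expected executable name -> directory it normally runs from.
BASELINE = {
    "explorer.exe": r"C:\Windows",
    "svchost.exe": r"C:\Windows\System32",
    "lsass.exe": r"C:\Windows\System32",
    "chrome.exe": r"C:\Program Files\Google\Chrome\Application",
}

CPU_IDLE_THRESHOLD = 50.0   # percent; assumed limit for a host with no user activity
MEM_THRESHOLD_MB = 1024.0   # assumed limit for a single process on this host


def analyze(snapshot, baseline=BASELINE, host_idle=True):
    """Return (pid, name, reason) findings for processes that deviate from the baseline."""
    findings = []
    for p in snapshot:
        name = p.name.lower()
        directory = p.path.rsplit("\\", 1)[0]
        if name not in baseline:
            findings.append((p.pid, p.name, "not in baseline"))
        elif directory.lower() != baseline[name].lower():
            # Same name as a standard process but started from a different folder.
            findings.append((p.pid, p.name, f"unexpected location {directory}"))
        if host_idle and p.cpu_pct >= CPU_IDLE_THRESHOLD:
            findings.append((p.pid, p.name, f"high CPU on idle host ({p.cpu_pct:.0f}%)"))
        if p.rss_mb >= MEM_THRESHOLD_MB:
            findings.append((p.pid, p.name, f"high memory ({p.rss_mb:.0f} MB)"))
    return findings


# Constructed snapshot: two normal processes, one name/location mismatch,
# and one unknown program that is busy on an otherwise idle host.
SAMPLE_SNAPSHOT = [
    Proc(1204, "explorer.exe", r"C:\Windows\explorer.exe", 1.0, 120.0),
    Proc(1500, "svchost.exe", r"C:\Windows\System32\svchost.exe", 0.5, 40.0),
    Proc(2231, "svchost.exe", r"C:\Users\Public\svchost.exe", 0.2, 35.0),
    Proc(3010, "updater.exe", r"C:\Users\alice\AppData\Local\Temp\updater.exe", 92.0, 1800.0),
]

if __name__ == "__main__":
    for pid, name, reason in analyze(SAMPLE_SNAPSHOT):
        print(f"PID {pid:>5} {name:<14} {reason}")
```

The location check is what catches a process that borrows a standard name: PID 2231 is flagged only because its directory differs from the baseline, while PID 3010 is reported three times (unknown program, CPU spike, memory use), which is the kind of converging evidence the exam tips describe.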
6. Unauthorized Changes
- What it is: Any change to system configurations, settings, or files without approval.
- Malicious indicator:
- Attackers modify system files or configurations to avoid detection
- Detection methods:
- Configuration management
- File integrity monitoring
- Exam tip: Unauthorized changes = potential compromise.
7. Unauthorized Privileges
- What it is: Access rights given to a user or process.
- Malicious indicator:
- A user suddenly gaining admin/root rights
- Malware creating new privileged accounts
- Detection methods:
- Privilege auditing
- User account monitoring
- Exam tip: Changes in privilege levels can signal an attack.
8. Data Exfiltration
- What it is: Unauthorized transfer of data from a host to outside locations.
- Malicious indicator:
- Sensitive data leaving the network unexpectedly
- Large outbound data transfers
- Detection methods:
- Network monitoring for unusual uploads
- Data loss prevention (DLP) tools
- Exam tip: Sudden outbound data = possible breach.
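"Large outbound data transfers" becomes a concrete check once flow records are summed per internal source and external destination. The script below is an added example for these notes, not code from any network monitoring or DLP product; the internal ranges, the 500 MB threshold and the flow records are constructed, and the records only loosely resemble NetFlow fields.

```python
"""Flag internal hosts sending unusually large volumes to external addresses.

Added example for these study notes; the flow records are constructed and
loosely modelled on NetFlow-style fields. Not from any vendor product.
"""
import ipaddress
from collections import defaultdict

# Assumed internal address space for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
BYTES_THRESHOLD = 500 * 1024 * 1024   # 500 MB per (source, destination) per window; tune per environment


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def outbound_totals(flows):
    """Sum bytes per (src, dst) for traffic from internal sources to external destinations."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(f["src"], f["dst"])] += f["bytes_out"]
    return dict(totals)


def flag_exfil(flows, threshold=BYTES_THRESHOLD):
    """Return (src, dst, total_bytes) for pairs at or above the threshold, largest first."""
    hits = [(src, dst, b) for (src, dst), b in outbound_totals(flows).items() if b >= threshold]
    return sorted(hits, key=lambda t: t[2], reverse=True)


MB = 1024 * 1024
# Constructed flows: one host moves 750 MB to a single external address in two
# sessions, another does a normal 12 MB upload, a large internal file copy is
# ignored, and an inbound flow is ignored.
SAMPLE_FLOWS = [
    {"src": "10.1.2.15", "dst": "203.0.113.7", "dst_port": 443, "bytes_out": 400 * MB},
    {"src": "10.1.2.15", "dst": "203.0.113.7", "dst_port": 443, "bytes_out": 350 * MB},
    {"src": "10.1.2.20", "dst": "198.51.100.9", "dst_port": 443, "bytes_out": 12 * MB},
    {"src": "10.1.2.20", "dst": "10.1.5.50", "dst_port": 445, "bytes_out": 2048 * MB},
    {"src": "203.0.113.7", "dst": "10.1.2.15", "dst_port": 443, "bytes_out": 50 * MB},
]

if __name__ == "__main__":
    for src, dst, total in flag_exfil(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {total // MB} MB outbound")
```

Summing per pair matters: neither 400 MB session alone looks remarkable, but the pair total crosses the threshold. A fixed threshold is a starting point; in practice the threshold is set from each host's own historical outbound volume.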
9. Abnormal OS Process Behavior
- What it is: The operating system runs a set of standard processes whose normal behavior is predictable.
- Malicious indicator:
- Standard processes behaving unusually (e.g., explorer.exe connecting to the internet)
- Processes spawning many child processes quickly
- Detection methods:
- Process behavior monitoring
- Behavioral baselines
- Exam tip: OS processes doing unusual things = suspicious.
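Both indicators in this section can be tested against process telemetry. The script below is an added example for these notes (not Sysmon, EDR or any vendor code): it takes constructed process-create and network-connect events, reports any parent that spawns more than a set number of children inside a short window, and reports outbound connections from processes that, in this hypothetical baseline, are not expected to talk to the internet. The "standard processes that never connect out" list, the window, the limit and the events are all assumptions.

```python
"""Detect two abnormal-OS-process patterns in constructed host telemetry.

Added example for these study notes; events are constructed and only
resemble Sysmon-style process-create / network-connect records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed baseline: standard processes that do not initiate internet connections on this host.
NO_INTERNET = {"explorer.exe", "lsass.exe", "notepad.exe"}
SPAWN_LIMIT = 10                      # children within one window that counts as a burst
SPAWN_WINDOW = timedelta(seconds=5)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def spawn_bursts(events, limit=SPAWN_LIMIT, window=SPAWN_WINDOW):
    """Return {parent_pid: max children seen inside one window} for parents at or above `limit`."""
    children = defaultdict(list)
    for e in events:
        if e["type"] == "process_create":
            children[e["parent_pid"]].append(parse_ts(e["ts"]))
    bursts = {}
    for ppid, times in children.items():
        times.sort()
        left = 0
        for right in range(len(times)):          # sliding window over sorted timestamps
            while times[right] - times[left] > window:
                left += 1
            count = right - left + 1
            if count >= limit:
                bursts[ppid] = max(bursts.get(ppid, 0), count)
    return bursts


def unexpected_network(events, quiet=NO_INTERNET):
    """Return (pid, image, dst) for quiet-list processes connecting to non-internal addresses."""
    # Simplified internal check for the example: anything in 10.0.0.0/8 is internal.
    return [(e["pid"], e["image"], e["dst"]) for e in events
            if e["type"] == "network_connect"
            and e["image"].lower() in quiet
            and not e["dst"].startswith("10.")]


_base = datetime(2024, 5, 1, 9, 30, 0)
# Constructed events: parent 4000 starts 12 cmd.exe children in under 3 seconds,
# explorer.exe opens a connection to an external address, chrome.exe browses normally.
SAMPLE_EVENTS = [
    {"type": "process_create", "ts": (_base + timedelta(milliseconds=250 * i)).strftime("%Y-%m-%d %H:%M:%S"),
     "pid": 5000 + i, "parent_pid": 4000, "image": "cmd.exe"}
    for i in range(12)
] + [
    {"type": "process_create", "ts": "2024-05-01 09:31:10", "pid": 6100, "parent_pid": 1204, "image": "notepad.exe"},
    {"type": "network_connect", "ts": "2024-05-01 09:31:12", "pid": 1204, "image": "explorer.exe", "dst": "203.0.113.5:443"},
    {"type": "network_connect", "ts": "2024-05-01 09:31:13", "pid": 2300, "image": "chrome.exe", "dst": "203.0.113.9:443"},
]

if __name__ == "__main__":
    print("spawn bursts:", spawn_bursts(SAMPLE_EVENTS))
    print("unexpected network:", unexpected_network(SAMPLE_EVENTS))
```

The sliding window is what separates a burst from a busy day: a parent that starts 12 children over eight hours is normal, the same 12 in three seconds is not. The quiet list should be built from observed behavior on the organisation's own hosts rather than copied from this example.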
10. File System Changes or Anomalies
- What it is: Changes to files and directories on the host.
- Malicious indicator:
- Unexpected file creation, deletion, or modification
- Strange file extensions or hidden files
- Detection methods:
- File integrity monitoring (FIM)
- Log reviews
- Exam tip: Unexpected file changes = likely malware or insider activity.
11. Registry Changes or Anomalies (Windows Hosts)
- What it is: Windows registry stores system settings and configuration data.
- Malicious indicator:
- Malware adds keys to auto-start at boot
- Changes to critical system settings
- Detection methods:
- Registry monitoring tools
- Baseline comparisons
- Exam tip: Unknown registry modifications = high suspicion of compromise.
12. Unauthorized Scheduled Tasks
- What it is: Tasks set to run automatically on a schedule.
- Malicious indicator:
- Attackers create scheduled tasks to maintain persistence
- Tasks executing scripts or malware at odd times
- Detection methods:
- Review Task Scheduler (Windows) or cron jobs (Linux)
- Endpoint monitoring
- Exam tip: Unexpected scheduled tasks = malicious activity possible.
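Reviewing cron jobs means parsing each entry and asking two questions: is this command approved, and does anything about the schedule or command stand out. The script below is an added example for these notes (not from any tool): it parses standard five-field and `@reboot`-style crontab lines, skips comments and variable assignments, and reports unapproved entries that run from world-writable directories or only outside business hours. The approved list, the business-hours range and the crontab lines are constructed assumptions.

```python
"""Review Linux cron entries for persistence red flags.

Added example for these study notes, not from any tool. The crontab lines,
approved list and business-hours range are constructed assumptions.
"""
import re

FIELD_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
WRITABLE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
BUSINESS_HOURS = set(range(7, 20))   # 07:00 to 19:59; assumption for this environment


def parse_cron_line(line):
    """Return a dict of schedule fields and command, or None for comments/blanks/assignments."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None
    if line.startswith("@"):                     # @reboot, @daily, ... special strings
        special, _, command = line.partition(" ")
        return {"minute": "*", "hour": "*", "dom": "*", "month": "*", "dow": "*",
                "special": special, "command": command.strip()}
    m = FIELD_RE.match(line)
    if not m:
        return None
    minute, hour, dom, month, dow, command = m.groups()
    return {"minute": minute, "hour": hour, "dom": dom, "month": month, "dow": dow,
            "special": None, "command": command.strip()}


def hours_covered(hour_field):
    """Expand a cron hour field (*, */n, a-b, a,b,c and combinations) into a set of hours."""
    hours = set()
    for part in hour_field.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/")
            step = int(step)
        if part == "*":
            lo, hi = 0, 23
        elif "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
        else:
            lo = hi = int(part)
        hours.update(range(lo, hi + 1, step))
    return hours


def review(lines, approved):
    """Return (entry_text, [reasons]) for every unapproved entry; approved commands are skipped."""
    findings = []
    for raw in lines:
        entry = parse_cron_line(raw)
        if entry is None or entry["command"] in approved:
            continue
        reasons = ["not in approved baseline"]
        if any(d in entry["command"] for d in WRITABLE_DIRS):
            reasons.append("runs from world-writable directory")
        if not hours_covered(entry["hour"]) & BUSINESS_HOURS:
            reasons.append("scheduled only outside business hours")
        findings.append((raw.strip(), reasons))
    return findings


# Constructed crontab: two approved jobs, one unknown job in /tmp at 03:30 on Sundays,
# and one unknown @reboot job.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/sh
0 2 * * * /usr/local/bin/backup.sh
*/15 * * * * /usr/bin/python3 /opt/agent/checkin.py
30 3 * * 0 /tmp/.x/update.sh
@reboot /home/alice/run.sh
""".splitlines()

APPROVED = {"/usr/local/bin/backup.sh", "/usr/bin/python3 /opt/agent/checkin.py"}

if __name__ == "__main__":
    for text, reasons in review(SAMPLE_CRONTAB, APPROVED):
        print(text, "->", "; ".join(reasons))
```

The approved backup job at 02:00 is deliberately not reported: an off-hours schedule is only a red flag when the command itself is unknown, which is why the baseline check comes first. The same approach applies to Windows Task Scheduler output, with the task's action path and trigger taking the place of the command and hour fields.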
✅ Quick Summary Table for Exam
| Indicator | Suspicious Sign |
|---|---|
| CPU Usage | High usage when idle |
| Memory | Large unknown process consumption |
| Disk | Rapid storage growth |
| Unauthorized Software | Unexpected programs installed |
| Malicious Processes | Strange names, unusual locations |
| Unauthorized Changes | Configs or files changed without approval |
| Privileges | Users gain admin/root rights unexpectedly |
| Data Exfiltration | Large or unusual outbound transfers |
| Abnormal OS Behavior | Standard processes acting weird |
| File System Changes | Unexpected file creation/deletion |
| Registry Changes | Unknown registry keys/modifications |
| Scheduled Tasks | New tasks created without admin knowledge |
