2.2 Indicators of malicious activity
📘CompTIA Security+ SY0-701
⚙️ 1. Injection Attacks
Definition:
Injection attacks happen when an attacker sends malicious input into an application to make it execute unintended commands or access unauthorized data.
Main Types:
- SQL Injection (SQLi):
The attacker inserts malicious SQL code into a query to manipulate a database.
For example, they might bypass login authentication and access sensitive records.
- Command Injection:
The attacker tricks the system into running operating system (OS) commands.
Example: adding "; rm -rf /" to a form input could delete files if not properly filtered.
- LDAP Injection:
Targets directory services like Active Directory by inserting malicious LDAP statements to access or modify user information.
Indicators of Injection Attacks:
- Unusual database errors (e.g., syntax or query errors).
- Unexpected application behavior after input submission.
- Unauthorized access or data exposure.
- Large spikes in database queries, or logs showing suspicious input strings like ' OR 1=1--.
Prevention:
- Input validation and sanitization (filtering user inputs).
- Using prepared statements or parameterized queries.
- Employing web application firewalls (WAFs).
💥 2. Buffer Overflow
Definition:
A buffer overflow occurs when a program writes more data into a buffer (temporary memory area) than it can hold.
This extra data can overwrite nearby memory, leading to crashes or allowing the attacker to run malicious code.
How It Happens:
- Poorly coded software doesn’t check the length of user input.
- Attackers input long strings or data that exceed the buffer’s capacity.
- The extra data overwrites memory addresses, potentially giving the attacker control over the program.
Indicators:
- Unexpected program crashes or reboots.
- System behaving unpredictably.
- High CPU usage or abnormal memory activity.
- Logs showing unusually long input strings.
Prevention:
- Use programming languages with memory protection (like Python or Java).
- Implement input length checks and validation.
- Keep systems and software updated to patch vulnerabilities.
🔁 3. Replay Attack
Definition:
A replay attack happens when an attacker captures legitimate network traffic (like authentication tokens or session IDs) and reuses it later to impersonate a legitimate user or session.
Example in IT Context:
An attacker intercepts a user’s login request and replays it to gain access without knowing the password.
Indicators:
- Multiple identical authentication attempts within short time frames.
- Sessions that stay active unusually long.
- Duplicate transaction logs.
Prevention:
- Use encryption protocols that include timestamps or session tokens (like TLS).
- Implement a nonce (a unique random value used once) in authentication processes.
- Enable multi-factor authentication (MFA) to verify real users.
- Use secure communication channels (HTTPS, VPN).
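Worked example (added here, not part of the Security+ notes) of the timestamp-plus-nonce defence described above, showing both sides of the exchange. The client stamps each request with the current time and a fresh nonce and binds everything with an HMAC; the server rejects a tampered MAC, a timestamp outside its freshness window, and any nonce it has already accepted, which is exactly what a captured-and-resent message looks like. The shared key, the message layout and the 30-second window are assumptions chosen for the demo.

```python
import hashlib
import hmac
import secrets
import time

SHARED_KEY = b"constructed-demo-key"   # assumption: a secret both sides already share


def client_build(key, body, now=None):
    # Client side: stamp the request with the current time and a fresh nonce,
    # then bind all three fields together with an HMAC so none can be altered.
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    tag = hmac.new(key, f"{ts}|{nonce}|{body}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}|{nonce}|{body}|{tag}"


class Server:
    def __init__(self, key, window_seconds=30):
        self.key = key
        self.window = window_seconds
        self.seen = {}   # nonce -> timestamp, pruned once outside the window

    def verify(self, message, now=None):
        now = time.time() if now is None else now
        head, _, tag = message.rpartition("|")
        try:
            ts_str, nonce, body = head.split("|", 2)
            ts = int(ts_str)
        except ValueError:
            return (False, "malformed")
        # Authenticity first: a forged or altered message never reaches the replay checks.
        expected = hmac.new(self.key, head.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return (False, "bad mac")
        # Freshness: a message captured long ago is useless even if it is genuine.
        if abs(now - ts) > self.window:
            return (False, "stale timestamp")
        # Uniqueness: an exact replay inside the window reuses a nonce we have seen.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce in self.seen:
            return (False, "nonce reused")
        self.seen[nonce] = ts
        return (True, body)


if __name__ == "__main__":
    server = Server(SHARED_KEY)
    msg = client_build(SHARED_KEY, "transfer=100;to=bob")
    print(server.verify(msg))   # (True, 'transfer=100;to=bob')
    print(server.verify(msg))   # (False, 'nonce reused')
```

Note the order of the checks: the MAC is verified before anything else so that an attacker cannot probe the nonce store with unauthenticated messages, and the nonce set is pruned against the same window the timestamp check enforces, so it stays bounded.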
🔓 4. Privilege Escalation
Definition:
Privilege escalation occurs when an attacker gains higher-level access than they are supposed to have — such as turning a normal user account into an administrator.
Two Main Types:
- Vertical Escalation:
Attacker moves from a lower privilege to a higher one (e.g., user → admin).
- Horizontal Escalation:
Attacker gains access to another user’s data at the same privilege level (e.g., user1 → user2).
How It Happens:
- Exploiting software bugs or misconfigurations.
- Using stolen credentials.
- Leveraging system vulnerabilities.
Indicators:
- Unauthorized changes to system or application configurations.
- Unusual admin-level commands run by non-admin users.
- Account permissions modified without approval.
Prevention:
- Apply the principle of least privilege.
- Regularly update and patch systems.
- Monitor logs for suspicious account behavior.
- Use endpoint detection and response (EDR) tools.
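Worked example (added here; not code from the Security+ material) of an authorization check that blocks both escalation types from the list above and records the denied attempts, which is the log evidence an analyst would look for. The role hierarchy, action table and principal names are constructed for the demo.

```python
from dataclasses import dataclass, field

# Constructed role hierarchy and the minimum role each action needs.
ROLE_LEVEL = {"user": 1, "admin": 2}
ACTION_MIN_ROLE = {
    "read_own_profile": "user",
    "update_own_profile": "user",
    "delete_user": "admin",
}


@dataclass
class Principal:
    name: str
    role: str


@dataclass
class AuthzService:
    audit: list = field(default_factory=list)

    def authorize(self, actor, action, resource_owner):
        """Return True only if actor may perform action on a resource owned by resource_owner."""
        required = ACTION_MIN_ROLE.get(action)
        if required is None:
            self._deny(actor, action, resource_owner, "unknown action")
            return False
        # Vertical check: a user invoking an admin-only action is stopped here.
        if ROLE_LEVEL[actor.role] < ROLE_LEVEL[required]:
            self._deny(actor, action, resource_owner, "insufficient role")
            return False
        # Horizontal check: a same-level user may only touch their own resources.
        if actor.role != "admin" and resource_owner != actor.name:
            self._deny(actor, action, resource_owner, "not resource owner")
            return False
        return True

    def _deny(self, actor, action, owner, reason):
        # Each denial is an indicator worth alerting on when it repeats.
        self.audit.append(
            f"DENY actor={actor.name} role={actor.role} action={action} "
            f"owner={owner} reason={reason}"
        )


if __name__ == "__main__":
    svc = AuthzService()
    bob = Principal("bob", "user")
    svc.authorize(bob, "read_own_profile", "carol")   # horizontal attempt
    svc.authorize(bob, "delete_user", "carol")        # vertical attempt
    print("\n".join(svc.audit))
```

The two checks are deliberately separate: role comparisons alone miss horizontal escalation (user1 reading user2's data is "just a user" doing a user action), so the ownership test is what enforces least privilege at the same level.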
🧾 5. Forgery (Cross-Site Request Forgery – CSRF)
Definition:
Cross-Site Request Forgery (CSRF) tricks a logged-in user into performing unwanted actions on a web application, such as changing account settings or transferring data — all without their consent.
How It Works:
- The attacker sends a malicious link or script to a user already logged into a trusted site.
- When clicked, the user’s browser sends a valid request (using their stored session cookie) to perform an unauthorized action.
Indicators:
- Unexpected account changes or transactions.
- Requests appearing from valid sessions but initiated from external sites.
- Unusual activities performed by authenticated users.
Prevention:
- Use anti-CSRF tokens for every session.
- Validate origin and referrer headers.
- Log out inactive users automatically.
- Use SameSite cookies to limit cross-site requests.
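Worked example (added here, not part of the Security+ notes) combining three of the preventions above: a per-session anti-CSRF token, an Origin/Referer check, and a SameSite session cookie. The request and session objects are plain dictionaries standing in for a web framework, and the allowed origin is a constructed value.

```python
import hmac
import secrets
from urllib.parse import urlparse

ALLOWED_ORIGINS = {"https://bank.example"}   # constructed: the site's own origin


def issue_csrf_token(session):
    # One random token per session, stored server-side and embedded in each form.
    # A cross-site page cannot read it, so it cannot include it in a forged request.
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def is_request_allowed(session, headers, form):
    """Validate a state-changing request; returns (allowed, reason)."""
    # 1. Origin/Referer: browsers set these and a third-party page cannot override them.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return (False, "missing origin")
    parsed = urlparse(origin)
    if f"{parsed.scheme}://{parsed.netloc}" not in ALLOWED_ORIGINS:
        return (False, "cross-site origin")
    # 2. Token: constant-time comparison against the value issued to this session.
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(submitted, expected):
        return (False, "bad csrf token")
    return (True, "ok")


def set_cookie_header(session_id):
    # SameSite=Strict stops the browser attaching the cookie to requests that
    # originate from another site, so the forged request arrives unauthenticated.
    return f"sessionid={session_id}; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    print(is_request_allowed(session, {"Origin": "https://bank.example"}, {"csrf_token": token}))
    print(is_request_allowed(session, {"Origin": "https://other.example"}, {"csrf_token": token}))
    print(set_cookie_header("s3ss10n"))
```

The layers are independent: the cookie attribute stops the browser from sending credentials cross-site, the header check catches requests that arrive with credentials from the wrong site, and the token check catches anything that slips past both.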
📁 6. Directory Traversal
Definition:
A directory traversal attack (also known as path traversal) happens when an attacker manipulates file paths to access files and directories outside the intended web root folder.
Example in IT Context:
An attacker inputs something like ../../etc/passwd in a web form to access system files that should not be public.
Indicators:
- Web logs showing patterns like ../ or ..\ in URLs.
- Access to unauthorized or sensitive files.
- System error messages exposing file paths.
- Unexpected file downloads or disclosures.
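Worked example (added here; not code from the Security+ material) that serves the three log-based indicators in these notes at once: the suspicious input strings from the injection section, the unusually long inputs from the buffer overflow section, and the ../ or ..\ patterns above. It scans constructed web-server access lines, URL-decodes each request target so encoded forms cannot hide the pattern, and reports which indicator fired on which line. The log lines, the regexes and the 256-character threshold are assumptions for the demo; real detections would be tuned to the application.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines; the fourth carries a 600-character value.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [12/Oct/2024:10:01:02 +0000] "GET /login?user=bob&pw=hunter2 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Oct/2024:10:01:07 +0000] "GET /login?user=%27%20OR%201%3D1--&pw=x HTTP/1.1" 500 88',
    '10.0.0.9 - - [12/Oct/2024:10:01:09 +0000] "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 40',
    '10.0.0.9 - - [12/Oct/2024:10:01:15 +0000] "GET /search?q=' + "A" * 600 + ' HTTP/1.1" 500 0',
    '10.0.0.5 - - [12/Oct/2024:10:01:20 +0000] "GET /report?id=42 HTTP/1.1" 200 2048',
])

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# Heuristics, not proofs: a quote followed by OR/AND and a comparison, or UNION SELECT.
SQLI_RE = re.compile(r"'\s*(or|and)\s+\S+?\s*=\s*\S+|union\s+select", re.IGNORECASE)
# Dot-dot followed by either separator, tested after URL-decoding.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def scan_log(text, max_param_len=256):
    """Return (line_number, category, detail) tuples for lines matching an indicator."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        # Decode once so %2F or %27 cannot mask the pattern; doubly-encoded
        # input would need decoding until the value stops changing.
        target = unquote(m.group("target"))
        query = target.partition("?")[2]
        if TRAVERSAL_RE.search(target):
            findings.append((n, "directory_traversal", target))
        if SQLI_RE.search(query):
            findings.append((n, "sql_injection", target))
        for pair in query.split("&"):
            name, _, value = pair.partition("=")
            if len(value) > max_param_len:
                findings.append((n, "oversized_input", f"{name}: {len(value)} chars"))
    return findings


if __name__ == "__main__":
    for line_no, category, detail in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {category} -> {detail[:60]}")
```

Pair a hit with the response code on the same line: the 500s next to the injection and oversized inputs are the "unusual database errors" and "unexpected crashes" indicators from the earlier sections, and the 403 on the traversal line shows the server-side restriction doing its job.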
Prevention:
- Restrict access to directories at the server level.
- Sanitize and validate all user input.
- Use allowlists (only permit specific files or folders).
- Disable unnecessary directory listings on web servers.
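Worked example (added here, not part of the Security+ notes) of the allowlist and input-validation preventions above for a file-download handler. The requested name is URL-decoded, checked against a fixed allowlist, then joined to the web root and canonicalised so that any ../ sequence is resolved before the containment test. The root directory and allowlist are constructed values.

```python
import os
from urllib.parse import unquote

DEMO_ROOT = "/srv/www"                        # constructed web root
ALLOWED_FILES = {"report.pdf", "terms.txt"}   # constructed allowlist of file names


def resolve_under_root(root, user_path):
    """Absolute path of user_path inside root, or None if it escapes the root."""
    root_real = os.path.realpath(root)
    # Join, then canonicalise: realpath collapses '..' and follows symlinks, so the
    # containment test sees where the request really lands, not the string sent.
    candidate = os.path.realpath(os.path.join(root_real, user_path.lstrip("/\\")))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def serve_path(root, requested):
    """Return the file path to serve, or None if the request must be refused."""
    requested = unquote(requested)   # decode once so ..%2F is seen as ../
    # Allowlist first: only known file names are ever considered.
    if os.path.basename(requested) not in ALLOWED_FILES:
        return None
    # Containment second: a permitted name reached through ../ is still refused.
    return resolve_under_root(root, requested)


if __name__ == "__main__":
    for req in ("docs/report.pdf", "../../etc/passwd", "..%2F..%2Freport.pdf", "secret.key"):
        print(f"{req:25} -> {serve_path(DEMO_ROOT, req)}")
```

On POSIX systems a backslash is an ordinary filename character, so ..\ does not traverse there; the containment check is what protects on platforms where it does.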
🧩 Summary Table for Quick Exam Revision
| Attack Type | Goal | Key Indicator | Prevention Technique |
|---|---|---|---|
| Injection | Execute malicious code in app | Database errors, strange queries | Input validation, WAF, parameterized queries |
| Buffer Overflow | Overwrite memory to execute code | Crashes, memory issues | Memory-safe languages, patching |
| Replay | Reuse captured valid data | Duplicate sessions | Encryption, nonces, timestamps |
| Privilege Escalation | Gain higher access | Unauthorized admin actions | Least privilege, patching, monitoring |
| Forgery (CSRF) | Trick user to perform action | Unintended changes | Anti-CSRF tokens, SameSite cookies |
| Directory Traversal | Access restricted files | Logs with “../” patterns | Input validation, access control |
✅ Exam Tip:
Security+ questions often describe a situation (like “an attacker sends unexpected SQL statements in a login form”) and ask you to identify the attack type or the indicator. Focus on understanding the goal and method of each attack — not just the definition.
