keyscan_start

hashdump

persistence

getsystem

AThis scenario is testing recognition of a post-exploitation objective focused on covertly observing user activity, specifically “input patterns,” which directly aligns with keystroke capture or keylogging behavior. In CEH coverage of System Hacking and Post-Exploitation, attackers who already have interactive access commonly shift to information-gathering actions that reveal credentials and sensitive business data without performing noisy changes such as privilege escalation or writing artifacts to disk. Keystroke monitoring is a classic example because it can capture usernames, passwords, internal system commands, chat messages, and other sensitive inputs as the user works, often with lower visibility than actions that alter system configuration.The remaining options map to different post-exploitation goals and are less consistent with the prompt’s emphasis on stealth and “no obvious signs of tampering.” Dumping password hashes (hashdump) targets stored credential material and is typically associated with higher privilege requirements and higher detection potential due to access to sensitive security databases. Persistence is about maintaining long-term access across reboots and usually introduces artifacts such as registry changes, scheduled tasks, or services—precisely the type of detectable modification the prompt says Devon wants to avoid. Privilege escalation (getsystem) explicitly attempts to elevate rights, increasing operational risk and logging footprint.From a defensive perspective, CEH emphasizes mitigating this class of activity with strong endpoint monitoring and EDR, least-privilege controls, rapid patching, application allowlisting, and credential protections such as MFA and hardened authentication storage. Teams should alert on suspicious input-capture behaviors, abnormal process activity, and unusual remote sessions to detect post-exploitation collection attempts early.