Pass the ECCouncil CEH v13 312-50v13 Questions and answers with CertsForce

Reconnaissance is the correct phase because the scenario explicitly states Sarah starts by gathering publicly available information about employees and infrastructure. In the Cyber Kill Chain, reconnaissance is the first phase where an attacker collects intelligence to understand the target and identify the most effective paths for compromise. In CEH-aligned methodology, this includes open-source intelligence activities such as discovering employee names, roles, emails, technology stack clues, exposed services, and organizational patterns that help craft realistic and convincing attack lures.

The question mentions that Sarah plans to craft a mock phishing email and later deploy a harmless payload. Those actions map to later kill chain phases: delivery is when the phishing email or malicious link is sent to the target, and exploitation is when a vulnerability is triggered to execute code or gain access. Weaponization is the step where an attacker prepares the malicious artifact, such as packaging an exploit with a payload or preparing a document or link to deliver. However, the key wording is that Sarah “begins” by collecting public information and is asked which phase she should prioritize to simulate the adversary’s approach effectively. That is reconnaissance, because effective phishing and subsequent steps depend on accurate target profiling, believable pretexts, and identifying likely weak points based on what is learned during intelligence gathering.

Therefore, to match the described starting point and the kill chain sequence, the prioritized phase is Reconnaissance.

This question focuses on API Security, Webhooks abuse, and Webshell mitigation, all of which are addressed in the CEH v13 Web Application Hacking and Security Operations modules. The most appropriate corrective action is Option D, as it directly addresses the root causes and persistence mechanisms of the compromise.

According to CEH v13, attackers frequently exploit improper input validation in APIs and insecure webhook implementations to inject malicious payloads or gain remote command execution. Webhooks, when not properly validated, can accept malicious requests that trigger backend processes, making them a common vector for API abuse.

Input validation on all API endpoints is critical to prevent injection attacks, including command injection and SQL injection. CEH v13 explicitly emphasizes validating request parameters, headers, and payload structures to prevent malicious manipulation.

Reviewing webhook payloads ensures that only trusted sources can trigger automated actions, preventing attackers from abusing webhook functionality. This includes validating signatures, enforcing authentication, and restricting allowed payload formats.

Finally, regular scanning for webshells is essential because webshells provide persistent backdoor access. CEH v13 identifies webshell detection as a key defensive measure during incident response and post-exploitation containment.

Other options are incomplete:

A WAF alone cannot detect all webshells.

IP blocking is ineffective against spoofed or cloud-based attacks.

MFA and server hardening are valuable but do not directly address webhook abuse or existing webshells.

Therefore, Option D provides the most comprehensive, CEH v13–aligned mitigation strategy.

Once initial access is obtained—especially through weak or default credentials—the CEH system hacking methodology directs the tester to proceed to privilege escalation. The objective is to elevate user-level access to administrative or system-level privileges so the attacker can perform unrestricted actions such as installing tools, modifying configurations, accessing protected files, and pivoting laterally. CEH materials emphasize using privilege escalation vulnerabilities, such as misconfigured services, kernel exploits, unpatched local privilege escalation flaws, weak file permissions, and token impersonation. A denial-of-service attack is counterproductive and does not support post-exploitation goals. XSS is a web application attack vector and unrelated to operating system privilege manipulation. Brute-forcing the root password is noisy, slow, and unnecessary when authenticated access is already established. Therefore, exploiting a known local privilege escalation vulnerability is the appropriate CEH-aligned next step.

The central failure in the scenario is that a lost smartphone remained capable of accessing sensitive data, which means the organization lacked an effective lost device response control. In CEH-aligned mobile security guidance, one of the most important protections for lost or stolen devices is the ability to remotely secure the endpoint by locking it and wiping corporate data. This is typically implemented through Mobile Device Management tools and enterprise mobility controls. Registering devices with a remote locate and wipe facility ensures the security team can immediately take action once a device is reported missing, reducing the window in which an attacker can use stored sessions, cached credentials, saved tokens, or application access to reach protected resources such as patient records.

Option C is the best answer because it addresses both key needs implied by the incident: location capability to aid recovery and remote wipe to eliminate data exposure if recovery is uncertain. In healthcare environments, where protected health information is highly sensitive, CEH documentation emphasizes compensating controls that protect confidentiality when physical control of the device is lost. Remote wipe supports incident containment by preventing further access and limiting data disclosure.

Option B only provides tracking and does not guarantee data protection if the device cannot be recovered quickly. Option A helps protect data in transit on untrusted networks, but it does not solve the risk of a stolen device already authenticated to internal systems. Option D can help overall hygiene, but antivirus and DLP do not reliably stop misuse of a legitimately authenticated, lost device. Remote locate and wipe is the most direct mitigation for this exact gap.

Fragmentation is a well-known firewall and IDS evasion technique covered in CEH materials. The attacker breaks a malicious packet into smaller IP fragments so that simple filtering devices, especially those relying mainly on basic header checks or stateless rules, may fail to reconstruct the original payload and therefore miss the malicious content. To counter this, defenses must track packet state and perform reassembly or validation of fragmented traffic so the security control can evaluate the complete communication stream rather than isolated fragments.

Stateful Packet Inspection is the control most aligned with this requirement. A stateful inspection firewall maintains a state table of active connections and monitors traffic as part of an ongoing session. Because it tracks session context, it can handle fragmented packets more effectively by correlating fragments to the original flow and applying policy after reconstructing or normalizing traffic. In CEH-aligned descriptions, this directly reduces the effectiveness of fragmentation-based evasion, overlapping with the concept of traffic normalization that removes ambiguity attackers try to exploit.

Deep Packet Inspection examines payload beyond headers, but the key success factor in stopping fragmentation evasion is state tracking and reassembly, which is characteristic of stateful inspection and state-aware security devices. Signature-based and anomaly-based detection can help detect malicious patterns or unusual behavior, but without reliable reassembly and session context, fragmented payloads may not match signatures and may appear benign in isolation. Therefore, the most likely measure used to identify and block fragmented packets in this scenario is Stateful Packet Inspection.

A logic bomb is malware or malicious code that is deliberately planted within a system and configured to execute when a specific condition is met, such as a particular date and time, a user action, or the presence or absence of a file. CEH materials describe logic bombs as condition-based triggers that can remain dormant for extended periods, producing minimal indicators until the trigger occurs. The most decisive clue in this scenario is the “scheduled task set to a specific date,” followed by abnormal behavior that appears only after that date passes. This is a textbook trigger mechanism used to activate malicious actions while avoiding early detection.

The “odd email from an unfamiliar source” suggests an initial delivery or social engineering vector, but the core behavior is the delayed activation. The later “faint increase in network activity only after the scheduled date passed” aligns with a logic bomb executing a payload such as beaconing, data exfiltration, or enabling remote access. The “unusual code traces on a dormant workstation” further supports the idea of implanted code that was inactive until triggered.

Fileless malware emphasizes execution in memory using legitimate tools such as PowerShell or WMI and is defined more by its living-off-the-land technique than by a date-based trigger. An APT describes a broader campaign style involving long-term, multi-stage intrusion, not a single defining trigger artifact. Ransomware is characterized by encryption and extortion behavior, which is not described. Therefore, the threat is best characterized as a logic bomb.

Spear-phishing is a targeted form of phishing that uses personalized and context-rich information to increase credibility. CEH emphasizes that referencing specific internal projects, financial data, or organizational events significantly raises the success rate when attacking high-value targets such as executives. This tailored approach avoids suspicion and exploits trust more effectively than broad or generic phishing attempts.

Virtual Patching is a risk-mitigation technique emphasized in CEH v13 Security Operations. It involves deploying compensating controls—such as WAF rules, IPS signatures, or firewall policies—to block exploitation attempts without modifying the vulnerable system.

CEH v13 highlights virtual patching as especially useful when:

Downtime is unacceptable

Vendor patches are delayed

Legacy systems are in use

Monitoring alone does not prevent exploitation, and shutting down systems is often impractical. Virtual patching provides immediate protection while maintaining availability.

CEH v13 identifies spear-phishing as one of the most effective and targeted social engineering methods. It involves crafting highly personalized messages that reference real events, internal processes, or upcoming activities to build credibility and reduce suspicion. In this scenario, referencing board meetings—an event executive assistants frequently handle—creates a believable and urgent context for the request. CEH emphasizes that personalization significantly increases success rates because recipients perceive the sender as someone with legitimate access to internal information. A phone call impersonating IT support (Option B) is less convincing for retrieving agenda access-specific credentials. Mass phishing (Option C) lacks personalization and is easily flagged. LinkedIn social engineering (Option D) is long-term and less effective for obtaining immediate credentials. Therefore, a tailored spear-phishing email is the most effective approach.

The CEH DDoS Mitigation Strategies section explains that load balancing distributes traffic across multiple servers or infrastructure components to prevent any single resource from being overwhelmed.

By using hardware load balancers and cloud-based traffic distribution, organizations can:

Absorb large volumes of attack traffic

Maintain service availability

Ensure legitimate users are served

Option B is correct and directly matches CEH’s definition.

Option A drops all traffic, including legitimate requests.

Option C focuses on traffic analysis rather than distribution.

Option D limits traffic rather than distributing it.

CEH strongly recommends load balancing as a core DDoS resilience mechanism.

The strongest indicator in this scenario is that multiple compromised hosts are “behaving like zombies,” communicating outbound to a single unfamiliar external IP over high ports, and “silently accept remote instructions” while performing “coordinated background tasks.” In CEH-aligned malware terminology, these are hallmark characteristics of a botnet: a collection of infected endpoints (bots/zombies) under centralized or semi-centralized command-and-control. Worm-like propagation explains how the compromise rapidly expanded across the internal network—using shared folders and stolen credentials for lateral spread—while the “backdoor component” provides persistent remote control functionality once a system is infected. The observed coordination across many hosts strongly suggests the attacker’s goal is not merely individual surveillance of a single machine, but scalable remote control of many machines at once.

Option A, data exfiltration, is plausible in many intrusions, but the question emphasizes orchestration and remote tasking across many endpoints rather than targeted theft from specific repositories. Option B is inconsistent because there is no mention of encryption, ransom notes, or disruption-focused behavior. Option D, a RAT, typically describes remote control of a host, but the scenario’s defining feature is the creation of many “zombies” with coordinated behavior—this aligns more precisely with building a botnet for command and control, which can later be used for data theft, DDoS, spam, or further intrusion operations.

CEH defensive guidance includes monitoring egress traffic anomalies, detecting C2 patterns, segmenting networks to limit worm spread, disabling unnecessary shares, enforcing strong credential hygiene, and using EDR to identify backdoors and lateral movement behaviors.

The correct answer is Spearphone Attack. CEH mobile platform coverage describes Spearphone as a side-channel attack in which motion sensors, such as accelerometers or gyroscopes, are abused to infer or reconstruct audio from vibrations produced by a phone’s loudspeaker. A key feature of this technique is that it may not require direct microphone access, which helps explain why no microphone permission changes or visible recording indicators appeared on the device. That detail is central to the scenario. The installed app continuously collected motion sensor data while speakerphone conversations occurred, and the information was later analyzed remotely to reconstruct acoustic content. That behavior is a textbook match for Spearphone. Android camera hijack attacks involve camera access, not speaker vibration analysis. Camfecting refers to webcam compromise, and Storm Breaker Abuse does not describe this sensor-based audio inference method. CEH materials use this example to show that seemingly low-risk sensors can still create serious privacy and espionage threats when correlated with physical effects such as sound-induced vibration. Because the attack depends on speaker-generated motion data rather than direct audio recording, Spearphone is the best answer.

Packet fragmentation is a well-documented IDS evasion technique in CEH v13 Network and Perimeter Hacking. Attackers fragment packets to evade detection by overwhelming or confusing intrusion detection systems, especially those that rely on simple pattern matching.

CEH v13 explains that anomaly-based IDS systems are particularly effective against evasion techniques like packet fragmentation because they analyze deviations from normal network behavior, rather than relying on static signatures. Fragmented packets often create unusual traffic patterns, abnormal packet sizes, or irregular reassembly behavior, which anomaly-based systems are designed to detect.

Signature-based IDS solutions struggle against fragmentation because attackers can split malicious payloads across multiple packets in ways that bypass predefined signatures. Rejecting all fragmented packets (Option C) is impractical and could disrupt legitimate network communication, as fragmentation is a normal part of TCP/IP networking.

Recognizing regular intervals (Option A) is unreliable, as attackers can randomize packet timing. CEH v13 clearly recommends anomaly-based detection to counter advanced evasion techniques.

Thus, Option B is the most effective and CEH-aligned IDS configuration.

The Certified Ethical Hacker (CEH) Cloud Computing module emphasizes that serverless environments rely heavily on granular permission models. Attacks involving compromised APIs often succeed because functions are granted excessive privileges.

Option D is correct because enforcing function-level permissions and the principle of least privilege directly limits what a compromised function can execute. CEH documentation states this is the primary defense against serverless abuse.

Option A is beneficial but reactive.

Option B focuses on SaaS governance rather than FaaS execution control.

Option C provides visibility but does not directly prevent privilege misuse.

CEH highlights identity and access management (IAM) as critical in serverless security.

The CEH IDS/IPS Evasion module describes packet fragmentation as a common evasion technique used to bypass signature-based detection.

Option B is correct.

Other options represent different attack categories.

CEH highlights reassembly normalization as a countermeasure.