312-50v13 ECCouncil Certified Ethical Hacker Exam (CEHv13) Free Practice Exam Questions (2026 Updated)

Insufficient logging and monitoring is the most direct threat highlighted by the scenario. In CEH-aligned cloud security concepts, visibility is foundational: without adequate telemetry, security teams cannot detect, investigate, or respond to malicious activity in time. The question explicitly states attackers “remained undetected” because the organization lacked mechanisms to track function-level activity and capture anomalous events. In a serverless architecture, this visibility gap can be especially damaging because there are no traditional servers for defenders to log into, and many security signals must be collected from cloud-native sources such as function invocation logs, API gateway logs, identity events, and centralized monitoring pipelines.

While privilege escalation is a common cloud threat, the question’s root cause is not described as excessive permissions or role abuse; it is the lack of detection capability. Loss of governance refers to weak policies, mismanaged accounts, and lack of control over cloud resources, which may contribute indirectly but is not the immediate failure described. Side-channel attacks are specialized and do not match the evidence of missed alerts and absent operational telemetry.

CEH guidance emphasizes implementing centralized logging, continuous monitoring, alerting, and anomaly detection as core controls. For serverless, this includes capturing detailed function execution logs, tracing, identity and access events, and integrating them into a SIEM/SOAR workflow. Effective monitoring enables rapid detection of abnormal invocation patterns, suspicious API calls, unusual data access, and persistence attempts—reducing dwell time and preventing small compromises from becoming major outages.

Creating scheduled tasks is the most likely persistence technique because it can be configured to execute automatically at system startup or on reboot without requiring a user to log in or manually launch anything. In CEH-aligned post-exploitation and persistence concepts, attackers commonly use operating system native mechanisms that blend into normal administrative activity. A scheduled task fits this goal well because it can be named to look legitimate, set to run under a specific account, and triggered by events such as system boot, user logon, or a timed schedule. The scenario explicitly states the payload launches on every reboot without user interaction, which aligns with a boot-triggered scheduled task.

Injecting into the startup folder usually triggers execution when a user logs on, not strictly on system reboot, and it depends on an interactive user session. That contradicts the requirement of no user interaction. Modifying file attributes, such as setting hidden or system attributes, improves stealth and makes a file less noticeable, but it does not create an automatic execution mechanism by itself. Installing a keylogger is a capability for capturing keystrokes, not a persistence method, and it does not inherently guarantee execution after reboot unless paired with an auto-start mechanism.

Therefore, the action that directly ensures the binary runs after each reboot in a controlled and reliable way is creating scheduled tasks, which is a classic persistence method emphasized in ethical hacking workflows for demonstrating real-world attacker behavior and improving defensive detection and hardening.

The most likely missing BYOD guideline is reviewing application permissions before installation. In CEH mobile security guidance, a major risk in BYOD environments is the introduction of untrusted or malicious applications that abuse the mobile permission model to access corporate data, intercept authentication tokens, read storage, capture keystrokes via accessibility services, or communicate externally. When users install apps without scrutinizing requested permissions, they may unknowingly grant excessive privileges that enable data theft or access-control bypass, especially if the app leverages OS weaknesses or misconfigurations.

The scenario states Javier “installs a malicious app that bypasses access controls” and gains access to sensitive financial data because devices “lack a specific security measure to restrict app access.” This maps directly to a policy gap around controlling and validating apps and their permission requests. CEH emphasizes that organizations should reduce attack surface by limiting app privileges, avoiding sideloading from untrusted sources, and enforcing least privilege through user awareness and enterprise controls such as MDM application allowlisting and permission governance. Reviewing permissions is the user-facing guideline that prevents employees from granting dangerous access (for example, SMS, storage, contacts, accessibility, device admin, or VPN configuration permissions) that can enable credential theft or unauthorized data access.

Option B adds an extra layer for local access but does not stop a malicious app with granted permissions from accessing corporate data. Option C helps if a device is physically stolen, but it does not prevent malicious apps already running under the user context. Option D protects data at rest, yet a malicious app can still exfiltrate data once it is decrypted and accessed by the user session. Therefore, permission review is the most directly relevant missing BYOD guideline.

The correct answer is A, Worm-like propagation. In CEH malware-threat concepts, a worm is malware that self-replicates and uses a computer network to send copies of itself to other systems without requiring human action. CEH-related material describes worms as self-replicating malware that use networks to spread to other systems and commonly consume resources while duplicating themselves. The scenario specifically says attackers exploit SMBv1 to spread malware across hosts, which matches worm behavior because the malware moves laterally from one vulnerable machine to another through a network service. This behavior is commonly associated with attacks such as WannaCry, where an SMBv1 vulnerability was weaponized so the malware could scan for vulnerable systems and spread via SMB after infection. Phishing involves tricking users through messages or websites, credential stuffing uses reused username/password pairs, and DoS focuses on denying availability. Since the key behavior is automated spreading across hosts through SMBv1, the best answer is worm-like propagation.

WPA2-PSK networks authenticate users using a pre-shared key derived from a passphrase. After capturing the 4-way handshake, CEH teaches that the standard and most effective method to recover the key is to perform an offline dictionary attack, where wordlist entries are hashed and compared against the captured handshake values. Offline cracking avoids detection and is significantly faster than brute-force attempts.

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 identifies XML Signature Wrapping (XSW) attacks, also known simply as Wrapping attacks, as a major threat against SOAP-based web services. These attacks exploit weak XML parsing and insufficient validation of signed message components. SOAP messages often include digitally signed sections, but if the server validates the signature without confirming the correct position or structure of the signed elements, attackers can duplicate, move, or wrap signed content inside a modified XML envelope. This allows an attacker to inject malicious payloads while still presenting a valid signature. CEH details how this can lead to unauthorized execution, privilege escalation, or bypassing authentication controls in SOAP APIs. Cloud snooping, cryptanalysis, and IMDS abuse do not involve message duplication or signature misplacement. The scenario precisely matches CEH’s definition of a Wrapping Attack in SOAP/XML security.

This scenario clearly indicates a SYN Flood attack, a classic Denial-of-Service technique discussed in CEH v13 Network and Perimeter Hacking. In a normal TCP three-way handshake, a client sends a SYN, the server responds with SYN-ACK, and the client completes the connection with an ACK. In a SYN flood, attackers send a massive number of SYN packets but never complete the handshake.

As described in CEH v13, the server allocates memory and resources for each half-open connection, placing them in the SYN_RECEIVED state. When these connections are not finalized, the server’s connection table becomes saturated, preventing legitimate users from establishing new sessions.

Other options are incorrect:

Smurf attacks rely on ICMP amplification, not TCP handshakes.

Ping of Death uses malformed ICMP packets.

UDP Floods overwhelm ports using UDP, not TCP session states.

CEH v13 emphasizes SYN floods as one of the most common Layer 4 DoS attacks due to their simplicity and effectiveness.

The correct answer is B because credential stuffing uses previously leaked or stolen username-password pairs against other services, relying on the common user behavior of reusing passwords across multiple platforms. In CEH authentication and password-attack concepts, weak password practices and compromised credentials are major causes of unauthorized access. The CEH-aligned material notes that weak password policies allow attackers to bypass weak credentials, and credentials exposed through insecure channels can lead to compromise. Credential stuffing differs from brute force because the attacker is not trying every possible password combination. It also differs from a dictionary attack because the attacker is not testing dictionary words; instead, they are testing known leaked credentials. Replay attacks reuse captured authentication data or session tokens, but the question specifically mentions weak password reuse across services using leaked credentials. Therefore, the best and most precise answer is credential stuffing.

The correct answer is D. Set Passwords for Apps to Restrict Others from Accessing Them.

The device already has an operating system passcode, but the weakness appears after the phone is unlocked. The financial application opens directly to sensitive dashboards without requiring any additional application-level authentication. The most direct mitigation is to require a separate password, PIN, biometric prompt, or reauthentication control for sensitive corporate applications.

CEH mobile/BYOD material explains that BYOD introduces security and control challenges because personally owned smartphones and tablets access organizational resources. Mobile Device Management solutions commonly enforce policies such as passcodes, remote locking, remote wipe, root/jailbreak detection, application deployment, monitoring, and policy enforcement .

Option A. Use Encryption Mechanism to Store Data is important for protecting data at rest, especially if the device is lost, but it does not stop access after the phone is already unlocked.

Option B. Set a Strong Passcode on the Device and Change It Relatively Often is already partially implemented because the OS requires a passcode. The issue is lack of app-level verification.

Option C. Maintain a Clear Separation between Business and Personal Data is useful for BYOD governance, but it does not directly prevent an unlocked device from opening sensitive dashboards.

Option D. Set Passwords for Apps to Restrict Others from Accessing Them is correct because it directly mitigates unauthorized access to corporate apps after device unlock.

Therefore, the best answer is D. Set Passwords for Apps to Restrict Others from Accessing Them.

The correct answer is C. Confidentiality. In information security, the CIA triad consists of Confidentiality, Integrity, and Availability. Confidentiality specifically addresses the secrecy and privacy of information by ensuring that sensitive data is accessed, viewed, or disclosed only by authorized individuals, systems, or processes. CEH-aligned material explains that confidentiality means information is secret and should not be disclosed to unintended people or entities; if confidentiality is compromised, it can cause unauthorized access and privacy loss. Another CEH exam guide source states that confidentiality addresses the secrecy and privacy of information and prevents disclosure to unauthorized individuals or systems. Availability is incorrect because it ensures systems and data are accessible when needed. Integrity is incorrect because it protects data from unauthorized modification. Authentication is also incorrect because it verifies identity, but it does not itself define secrecy or privacy. Therefore, the best CEH answer is Confidentiality.

The correct answer is C. Insecure Data Storage because the vulnerability described is the storage of sensitive information locally on the mobile device in a manner that is not encrypted and is accessible by simply browsing the file system. In mobile application security, this is a classic risk category: when an app stores confidential data (case notes, client records, tokens, documents, cached responses, databases, logs, or exported files) in clear text or in insecure locations, an attacker who gains device access—or uses backup extraction, file explorers, rooted/jailbroken access, or malware with storage permissions—may retrieve that data without needing to authenticate to the application.

The scenario makes the weakness unmistakable: Daniel can use a “standard explorer tool” to open sensitive records “without any authentication.” This indicates the app is failing to apply appropriate protections such as encryption at rest, secure key handling, proper file permissions, and secure storage mechanisms. In secure mobile design, sensitive records should be encrypted using platform-supported protections (e.g., using OS keystores/keychains for keys, encrypting databases/files, and minimizing local retention). Additionally, apps should avoid storing highly sensitive regulated data unless essential, and should implement secure session controls and data lifecycle management (cache control, expiration, remote wipe support in enterprise settings).

Why the other options are not the best fit: Insecure communication concerns data exposure while transmitted over networks (e.g., lack of TLS, weak TLS, MITM susceptibility), whereas the issue here is purely local storage. Improper credential usage relates to mishandling passwords, tokens, or authentication secrets (hard-coded credentials, weak storage of credentials), but the prompt focuses on stored records themselves. Inadequate privacy controls is broader and typically involves over-collection, improper disclosure, or weak user privacy settings, not direct clear-text storage exposure.

Therefore, the most clearly present OWASP Top 10 Mobile Risk is Insecure Data Storage.

DHCP starvation is a network-level attack in which an attacker sends a massive number of DHCPDISCOVER requests, each appearing to originate from a different MAC address. CEH courseware explains that DHCP servers assign IP leases based on unique MAC addresses, and when the lease pool is exhausted, legitimate clients are unable to obtain valid IP configurations. This disrupts network connectivity and can serve as a precursor to deploying a rogue DHCP server, enabling further attacks such as traffic redirection or credential interception. DHCP starvation is different from ARP spoofing, which manipulates MAC–IP mappings, or DNS poisoning, which corrupts domain resolution. Rogue DHCP relay attacks involve forwarding DHCP packets to unauthorized servers, not depleting leases. The scenario described—rapid MAC address spoofing and exhaustion of DHCP leases—matches the precise definition of DHCP starvation as documented in CEH materials.

The correct answer is A. DNS hijacking. In this attack, the user enters a legitimate domain name, but DNS resolution is manipulated so the browser is redirected to a fake or malicious website. The fake site may look like the real banking site but uses a different URL or lacks HTTPS security, prompting the victim to enter credentials again. ARP cache poisoning usually occurs inside a local network to redirect traffic through an attacker, DHCP spoofing gives victims malicious network settings, and DoS attacks make services unavailable. Here, the key clue is redirection from a legitimate URL to a suspicious banking page, which matches DNS hijacking.

The correct answer is B. Predictive analysis because the client’s primary objective is to anticipate future attack patterns before they occur, and the described AI-enabled platform is explicitly being used to forecast potential attack vectors based on historical breaches and anomaly data. In CEH-aligned coverage of modern security capabilities, AI-driven approaches add value by learning from large datasets (logs, alerts, incidents, threat intelligence, and observed attacker behaviors) to identify trends, detect weak signals, and predict the most likely next steps an adversary may take. This directly supports proactive defense planning rather than purely reactive response.

In this scenario, the platform ingests “previous breaches and anomaly data” and produces forward-looking insights. That is the essence of predictive analysis: applying machine learning/analytics to estimate where attacks may emerge (for example, which assets are most at risk, which tactics are trending, what misconfigurations correlate with compromise, or which sequences of events often precede an intrusion). This helps defenders prioritize controls, patching, monitoring, and hardening to disrupt the projected attack paths ahead of time. It also aligns with the retail client’s desire to know whether their defenses can “anticipate” attacks, not merely document them after the fact.

Why the other options are less correct: Scalability is a benefit of AI (automating large-scale analysis), but it does not specifically address forecasting future attack vectors. Enhanced reporting improves how findings are communicated, but it is not the key capability described. Simulation and testing refers to running scenarios or automated testing in environments to measure resilience; that can be AI-assisted, but the prompt focuses on analyzing historical and anomaly data to predict likely attacks, which maps most directly to predictive analysis.

Therefore, the most critical benefit of AI-driven ethical hacking in this case is predictive analysis.

CEH v13 emphasizes that after identifying vulnerabilities during scanning, testers must validate findings to determine real impact and eliminate false positives. This requires safe, controlled exploitation using approved tools such as Metasploit, Nikto, or custom proof-of-concept scripts. Misconfigurations labeled as medium-risk may still provide privilege escalation, data exposure, or footholds for further attacks. CEH methodology reinforces that exploitation should always follow the scope and rules of engagement and should avoid disruptive activities like brute-forcing or DoS attacks unless explicitly authorized. Ignoring the vulnerabilities is never acceptable in a professional assessment. Verifying the issue helps the organization prioritize remediation using evidence-based results. Therefore, the correct next step is to verify the vulnerability through controlled exploitation.

CEH v13 identifies misconfigured cloud security groups as the leading cause of cloud data exposure. Open ports, public storage buckets, and overly permissive firewall rules frequently expose sensitive data.

Brute force and DoS do not directly expose stored data, and side-channel attacks are rare and advanced.

CEH emphasizes that application-layer DoS attacks are often the most difficult to detect and mitigate because they can mimic legitimate user behavior while exhausting backend resources. A distributed SQL injection–driven DoS (Option B) can be especially challenging: attackers send requests that appear valid at the HTTP level, but the injected or crafted parameters force the application/database to execute expensive queries (heavy joins, sleep/delay functions, or costly operations). When distributed across many sources, the traffic can look like normal customer usage—successful TCP handshakes, valid HTTP requests, and realistic user-agent patterns—while still causing database connection pool exhaustion, CPU spikes, lock contention, and degraded response times.

Option A (Smurf) and Option D (UDP/DNS flooding) are more volumetric/network-layer patterns and are typically mitigated with upstream DDoS scrubbing, rate limiting, and filtering, and are more readily detectable via traffic anomalies. Option C (zero-day RCE) is severe, but it is not primarily a “DoS technique” in CEH classification; it’s an exploitation scenario that may lead to service outage, but the detection/mitigation path centers on exploit prevention, EDR, patching, and containment rather than DoS controls. In CEH terms, Option B aligns best with a sophisticated, scenario-like DoS that blends into normal app activity.

CEH mitigation approaches for application-layer DoS include WAF rules, input validation/parameterization (preventing SQLi), query cost controls, rate limiting by behavior, caching, database hardening, and anomaly detection at the application and database tiers.

The correct answer is C. Initial Sequence Number (ISN).

The question specifically states that the analyst records the sequence numbers returned in SYN/ACK responses and analyzes whether those values are predictable or incremental. That means the analyst is examining the target’s Initial Sequence Number generation behavior.

CEH session hijacking material explains that during the TCP three-way handshake, the server responds with a SYN/ACK that includes an ISN, or Initial Sequence Number . It also states that sequence numbers are important for reliable communication and can be crucial in hijacking because an attacker must successfully guess or predict sequence numbers . Another CEH-aligned reference explains that the ISN is exchanged during the handshake and that sequence-number behavior can reveal implementation characteristics .

Option A. TCP Timestamp Analysis is incorrect because TCP timestamp analysis examines timestamp option values, clock behavior, or uptime estimation, not SYN/ACK sequence-number generation.

Option B. TCP Window Size is incorrect because TCP window size refers to how much data can be sent before acknowledgment is required. It is not the sequence-number attribute described in the question.

Option D. Time to Live (TTL) is incorrect because TTL is an IP header field used to limit packet lifetime and can help infer OS or hop distance, but it is unrelated to SYN/ACK sequence-number predictability.

Therefore, the best answer is C. Initial Sequence Number (ISN).

CEH explains that MAC flooding overwhelms a switch’s CAM table, causing it to fail open. When the table fills, the switch broadcasts frames out all ports, behaving like a hub. This exposes unicast traffic to attackers operating in promiscuous mode.

The CEH Cloud Computing module identifies cloud APIs as one of the most critical attack surfaces in public cloud environments. APIs control provisioning, configuration, authentication, and management of cloud resources.

A vulnerability in a cloud API can allow attackers to:

Bypass authentication

Escalate privileges

Access or modify cloud resources

Create or delete services

Option B is therefore correct.

Option A relates to availability, not API flaws.

Option C is managed by the provider and unrelated to APIs.

Option D would require key compromise, not just API weakness.

CEH strongly emphasizes API security as a top cloud risk.

The correct answer is D, Hardware, Software, and Sniffing. In CEH system hacking and password attack concepts, password retrieval during an authorized assessment can involve multiple categories, not just one method. Keylogging may be performed through hardware devices or software applications that capture user keystrokes, and CEH material specifically identifies keylogging as using hardware or software to capture what a user types. CEH material also describes keyloggers as either hardware or software and explains that they monitor keyboard activity and related user actions. Sniffing is another password retrieval method because packets captured on a LAN may expose sensitive information and credentials such as Telnet, FTP, SMTP, or rlogin passwords. Therefore, software-only is incomplete, hardware-only is too narrow, and hardware/software keyloggers exclude network sniffing. The broadest and most accurate answer is hardware, software, and sniffing.

To determine which specific system on the sender’s side processed the message, the most relevant email-header detail is the sender’s mail server, typically revealed in the chain of Received: headers. Each mail transfer agent (MTA) that handles the message adds a Received line indicating the system that passed the message along and the system that received it. By reviewing these headers from bottom to top (earliest hop upward), analysts can identify the originating outbound infrastructure used by the sender—such as the initial submission server, outbound relay, or gateway that first accepted the email for delivery.

The scenario’s goal is to “map the sender’s outbound email infrastructure” and identify “which specific system on the sender’s side processed the message.” That maps more directly to identifying the mail server hostnames involved (the MTAs), because those are the processing systems that relayed the email. While an IP address can help locate a host, the question emphasizes the “specific system” responsible for processing, which is typically expressed as the mail server identity (hostname/domain) shown in header traces. In practice, investigators correlate the sender mail server information with IPs, TLS details, and authentication results, but the primary header clue for the processing system is the server identified in Received lines.

Why the other options are less suitable:

Date and time (A) helps with timeline analysis, not identification of the processing system.

Sender’s IP address (C) can indicate a source network, but the message may traverse NAT, relays, or cloud email services; it doesn’t always name the processing system.

Authentication system used (D) (e.g., SPF/DKIM/DMARC results) indicates validation outcomes, not which server processed the message.

Therefore, the correct choice is B. Sender’s mail server.

Man-in-the-Cloud (MITC) attacks target cloud synchronization services such as Dropbox, Google Drive, and OneDrive by manipulating authentication tokens instead of user passwords. CEH courseware explains that cloud storage clients rely heavily on sync tokens stored locally, which authorize access without user interaction. If an attacker replaces or injects a malicious token, they can hijack the victim’s cloud account or redirect synced data to attacker-controlled locations. In this scenario, the EC2 instance continues to operate normally, but its Dropbox client silently synchronizes data to an external account using the attacker’s token. This bypasses traditional defenses such as perimeter firewalls, credential monitoring, or user behavior analytics, because the synchronization process appears legitimate and authenticated. MITC attacks are uniquely stealthy, as they require no further compromise once the sync token is stolen or replaced. Other choices, such as Cloud Snooper or cryptojacking, do not match the described behavior. Therefore, this attack clearly aligns with a Man-in-the-Cloud attack.

The attack described is website defacement, which occurs when an attacker gains the ability to modify the content of a website—often the homepage—to display unauthorized messages, propaganda, or vandalism. The scenario explicitly says Mia “alter[s] visible content on the homepage, replacing it with unauthorized messages,” and emphasizes the reputational harm even without data theft. That reputational impact is a hallmark of defacement: it undermines customer trust, signals weak security, and can create regulatory/brand consequences even if no confidential information is exfiltrated.

The stated entry point—“exploiting an unpatched vulnerability in the web server”—is also consistent with defacement. Attackers frequently leverage web server or web application weaknesses (misconfigurations, known CVEs, weak credentials, vulnerable plugins, or insecure file permissions) to gain write access to web content or templates. Once write access is achieved, the attacker can replace HTML pages, alter templates, inject malicious scripts, or modify assets so that visitors see the attacker’s message.

Why the other options are less appropriate:

DNS hijacking (A) redirects users by changing DNS resolution so that the domain points to an attacker-controlled server. That can lead to a fake site, but it’s not the same as modifying the real server’s homepage content.

Frontjacking (B) typically involves UI deception—overlaying or framing content to trick users—rather than server-side modification of the homepage.

File upload exploits (C) are a method that can be used to gain code execution or place malicious files on a server, but the question asks for the type of web server attack being demonstrated. The visible outcome described—unauthorized homepage changes—is best categorized as defacement.

Therefore, Mia is most likely demonstrating D. Website Defacement.

CEH v13 explains that NTP (UDP port 123) can leak sensitive network information if misconfigured. When an NTP daemon allows unrestricted external queries (e.g., monlist or ntpq commands), attackers can enumerate internal IP addresses and hostnames.

This exposure is a known reconnaissance weakness and has been exploited in both information disclosure and amplification attacks. CEH v13 strongly recommends restricting NTP query access using access control lists.

DNS poisoning and honeypots do not explain legitimate NTP enumeration responses. Therefore, option D is correct.

Sherlock is the correct choice because it is specifically designed for OSINT-style username enumeration across a very large number of websites. In CEH-aligned reconnaissance, one common task is “alias correlation,” where the tester checks whether the same username exists across multiple social networks, forums, and content platforms. Sherlock automates this by querying many supported sites and reporting where an account with a given username appears to exist. This directly matches the question’s requirement: “cross-platform username correlation by scanning hundreds of social networking sites.”

The prompt also specifies what the tool does not do: it “does not natively support geolocation tracking or visualizing identity relationships.” That limitation aligns with Sherlock’s role as a focused username discovery tool rather than an analysis platform. By comparison, Creepy is associated with geolocation-focused OSINT, particularly collecting and correlating location metadata from social media posts and images, which is the opposite of the stated limitation. Maltego is well known for relationship analysis and link visualization, allowing investigators to build graphs of people, emails, domains, and social entities—again contradicting the “does not visualize identity relationships” constraint. Social Searcher is more oriented toward searching and monitoring public social media content and mentions, not primarily high-volume username existence checking across hundreds of sites in the same manner.

In CEH reconnaissance workflows, Sherlock fits early-stage enumeration to expand a target’s footprint, after which analysts may pivot into tools like Maltego for link analysis or geolocation tools when location exposure is part of the assessment.

CEH methodology stresses prioritization based on risk, exploitability, and business impact. High-severity vulnerabilities—especially those related to outdated or unsupported server software—are frequently associated with known, publicly documented exploits. The proper next step after identifying such vulnerabilities is to confirm exploitability safely, typically by researching available exploit code, validating version-specific weaknesses, and determining whether the vulnerability can be successfully leveraged under the defined scope of engagement. CEH highlights that exploitation attempts must be evidence-driven, not arbitrary, and focusing on high-risk vulnerabilities allows testers to demonstrate meaningful security impacts. Brute-forcing (Option A) is unnecessary and high-noise. Ignoring or deprioritizing the high-risk finding (Options B and C) contradicts CEH risk-based assessment principles. Therefore, verifying exploitability of the high-risk vulnerability is the correct step.

White-hat hackers perform security assessments with authorization. CEH defines ethical hacking as legal, structured testing of network defenses with the goal of improving security rather than causing harm.

The strongest indicator in this scenario is that multiple compromised hosts are “behaving like zombies,” communicating outbound to a single unfamiliar external IP over high ports, and “silently accept remote instructions” while performing “coordinated background tasks.” In CEH-aligned malware terminology, these are hallmark characteristics of a botnet: a collection of infected endpoints (bots/zombies) under centralized or semi-centralized command-and-control. Worm-like propagation explains how the compromise rapidly expanded across the internal network—using shared folders and stolen credentials for lateral spread—while the “backdoor component” provides persistent remote control functionality once a system is infected. The observed coordination across many hosts strongly suggests the attacker’s goal is not merely individual surveillance of a single machine, but scalable remote control of many machines at once.

Option A, data exfiltration, is plausible in many intrusions, but the question emphasizes orchestration and remote tasking across many endpoints rather than targeted theft from specific repositories. Option B is inconsistent because there is no mention of encryption, ransom notes, or disruption-focused behavior. Option D, a RAT, typically describes remote control of a host, but the scenario’s defining feature is the creation of many “zombies” with coordinated behavior—this aligns more precisely with building a botnet for command and control, which can later be used for data theft, DDoS, spam, or further intrusion operations.

CEH defensive guidance includes monitoring egress traffic anomalies, detecting C2 patterns, segmenting networks to limit worm spread, disabling unnecessary shares, enforcing strong credential hygiene, and using EDR to identify backdoors and lateral movement behaviors.