CEH v13 identifies AI-powered malware as an emerging advanced threat that adapts its execution based on environmental cues and user behavior. Unlike traditional polymorphic malware, AI-driven malware can dynamically decide when and how to execute actions to avoid detection.

The described traits—behavioral adaptation, idle-time exfiltration, encrypted communication—are hallmarks of AI-assisted malware.

Polymorphic viruses change signatures but do not adapt behavior intelligently. Rootkits focus on hiding presence. Worms propagate aggressively.

Therefore, Option A is correct.

The correct answer is Footprinting through Social Networking Sites. CEH reconnaissance coverage explains that public social platforms such as LinkedIn, Facebook, Twitter, and similar services can reveal personal, professional, and organizational information that is extremely useful during footprinting. In this question, the tester is not interacting directly with employees to manipulate them, so it is not primarily social engineering. Instead, the tester passively mines employee profiles, role histories, technical skills, discussion patterns, project language, and relationship clues to infer technologies, internal structure, and naming conventions. That is exactly the kind of intelligence CEH associates with social-network-based footprinting. Search engines and internet research services can support recon, but the scenario specifically centers on employee-generated data from public networking and discussion platforms. CEH materials note that social platforms often reveal far more than users realize, including business functions, technologies in use, recent initiatives, physical locations, interests, and organizational hierarchy. Such details can later support targeted phishing, impersonation, or infrastructure profiling. Because the intelligence is gathered from public social and professional networking ecosystems, social networking site footprinting is the most precise methodological classification.

The behavior described most closely matches Agent Smith, an Android malware family known for replacing or hijacking legitimate applications and monetizing that access through ad fraud and data abuse. The strongest clues are the installation from a third-party marketplace, the silent replacement of already installed apps, and the use of those altered applications to push excessive advertisements while collecting information. In CEH mobile platform discussions, third-party app ecosystems are repeatedly identified as high-risk distribution paths for malicious or trojanized software because the apps may avoid the stricter vetting associated with official marketplaces. Pegasus is generally associated with advanced spyware capabilities and covert surveillance, not ad-fraud-driven replacement of popular apps. GoldPickaxe is tied to more targeted mobile credential and identity theft campaigns, while Mamo is not the fitting malware profile here. This question is testing recognition of a well-known Android malware pattern: malicious code embedded in an apparently useful application that later abuses the trust and visibility of legitimate apps already on the phone. CEH mobile security principles stress that unofficial app sources significantly increase the risk of this kind of compromise.

According to the CEH IDS/IPS module, false positives occur when legitimate activity is incorrectly flagged as malicious. The most common cause is overly sensitive IDS rules or thresholds.

Option D correctly identifies this issue.

Option A describes the symptom, not the root cause.

Option B is unrelated to IDS alert behavior.

Option C can cause missed detections, not excessive alerts.

CEH recommends proper tuning and baseline profiling.

The core weakness described is that the IoT devices “lack any mechanism to verify the integrity or authenticity of software prior to execution,” which directly maps to the need for code signing. In CEH-aligned IoT security guidance, code signing ensures that firmware and software images are cryptographically signed by a trusted authority and verified on the device before they are installed or executed. This verification confirms two critical properties: integrity, meaning the code has not been altered or tampered with, and authenticity, meaning the code genuinely originated from an authorized publisher. If an attacker attempts to introduce modified binaries or malicious instructions, signature verification fails and the device can reject execution, preventing unauthorized code from running.

While secure boot is closely related, it is specifically a boot-time chain-of-trust mechanism that verifies the bootloader and early-stage firmware during startup. The question, however, emphasizes a general lack of verification “prior to execution,” which is broader than boot only and is most directly addressed by code signing as a secure development and release practice. Secure firmware or software updates is also important, but secure updates typically rely on code signing as the fundamental control that makes updates trustworthy. Secure communication protocols protect data in transit, but they do not stop tampered code already on the device from executing.

Therefore, the most appropriate secure development practice to ensure only authorized, validated code runs on the devices is to implement code signing with mandatory signature verification.

In CEH’s Cloud Computing module, one of the most common real-world causes of cloud data exposure is misconfiguration, especially overly permissive network access controls. Cloud platforms commonly use constructs like security groups / firewall rules / network ACLs to define inbound and outbound access. CEH highlights that exposing sensitive services (databases, storage endpoints, admin panels) to the public internet—whether by “0.0.0.0/0” rules, overly broad ports, or unintended administrative access—frequently results in unauthorized access and data leakage even without sophisticated exploit chains.

Option D is therefore the most likely, because misconfigured security groups can directly expose customer data stores or management interfaces, enabling data theft through normal connectivity rather than exploiting a rare hypervisor flaw.

Option A (hypervisor side-channel attack) is advanced and less common; it typically requires high attacker capability and conditions not implied here. Option B (DoS) impacts availability, not confidentiality, so it doesn’t best explain data exposure. Option C (brute force passwords) is possible, but the question emphasizes an “unknown vulnerability” in the cloud environment—CEH teaching often frames “unknown vulnerability” in cloud incidents as misconfiguration or uncontrolled exposure rather than authentication guessing alone.

CEH countermeasures include least-privilege security group rules, segmentation, continuous configuration monitoring, cloud security posture management, and auditing publicly exposed resources.

The correct answer is Clone Phishing. CEH social engineering material explains that clone phishing occurs when an attacker takes a legitimate message previously received by the victim, duplicates its appearance and content, and modifies a malicious element such as a link or attachment. That matches this scenario exactly: the attacker reused genuine branding, the original format, sender display style, and subject line, then changed the embedded hyperlink so users would reauthenticate on a fake portal. Consent phishing is a different cloud-focused technique involving malicious OAuth authorization requests. Search engine phishing relies on manipulating search results so victims voluntarily navigate to a fake site. Tabnabbing involves changing the content of an inactive browser tab to a phishing page. None of those fit as closely as clone phishing. CEH guidance stresses that clone phishing is highly convincing because the message is based on a real prior communication that the victim may remember and trust. Since the attacker preserved almost everything from a legitimate message and altered only the actionable malicious link, the scenario is a textbook example of Clone Phishing.

The described behavior strongly matches HTTP Response Splitting. This vulnerability occurs when an application includes unsanitized user input in HTTP response headers. By injecting carriage return and line feed characters (CRLF), an attacker can “split” the server’s response into multiple parts—causing additional headers to appear or injecting unintended body content. The scenario explicitly says Raj’s payloads cause “additional headers to appear” and “inject unintended content into the output,” which is the classic outcome of response splitting.

Why this matters: response splitting can enable attacks such as web cache poisoning, cookie manipulation, redirection, and cross-site scripting-like impacts through header/body injection. For example, if an attacker can inject a Set-Cookie header, they may set or overwrite cookies in the victim’s browser. If they can inject a Location header, they may force redirects. If they inject content into the body, they may deliver malicious scripts or alter page behavior—especially when combined with caching intermediaries. The vulnerability typically arises in features that reflect user input into headers such as Location, Set-Cookie, Content-Disposition, or custom headers.

The other options do not match the symptoms:

XML Poisoning (B) and XXE (C) relate to XML parsing and entity resolution; they do not directly cause added HTTP headers in responses.

SSRF (D) involves forcing the server to make outbound requests to internal/external resources; it may expose data but does not primarily manifest as injected response headers and altered response structure.

Therefore, Raj is most likely exploiting A. HTTP Response Splitting.

CEH’s SQL Injection coverage distinguishes between classic (error-based), union-based, boolean-based blind, and time-based blind SQL injection. Time-based blind SQL injection is used when the application does not return database errors or query results to the attacker (no visible output), but the attacker can infer execution behavior by measuring response delays.

A time-based payload intentionally triggers a database delay function (for example, SLEEP(), WAITFOR DELAY, pg_sleep() depending on DBMS). If the injection is successful, the page response time increases predictably, confirming that attacker-controlled SQL is being executed.

Option C is the correct time-based blind probe because it uses conditional logic (IF(1=1, SLEEP(5), 0)) to cause a measurable delay only when the injected condition evaluates true. CEH teaches that this technique is particularly effective against hardened applications that suppress errors and sanitize outputs, because timing becomes the side-channel for confirmation.

Option A and Option D are UNION-based payload patterns intended to extract data via returned result sets, which time-based blind scenarios typically do not provide. Option B is a classic authentication-bypass/boolean test; it can indicate injection but does not specifically validate time-based blind behavior when output is not observable.

CEH mitigation guidance includes parameterized queries, strict input validation, least-privilege DB accounts, WAF tuning, and centralized logging to detect anomalous query timing patterns.

Blowfish is the only option that matches all the technical characteristics described. In CEH cryptography concepts, symmetric algorithms are commonly distinguished by their structure (block cipher versus stream cipher), block size, and supported key lengths. The question states the algorithm encrypts data in 64-bit blocks and supports a variable key size ranging from 32 bits up to 448 bits, and it was introduced as a replacement for DES. Blowfish fits precisely: it is a symmetric block cipher with a 64-bit block size and a configurable key length from 32 to 448 bits, designed to be fast in software and positioned historically as an alternative to older ciphers such as DES.

The other choices do not align with these identifying properties. RC4 is a stream cipher and does not operate on fixed-size blocks, so it cannot match the 64-bit block requirement. AES is a block cipher but uses a 128-bit block size with fixed key sizes of 128, 192, or 256 bits, not 32 to 448 bits. Twofish, while related historically as a successor-era design, also uses a 128-bit block size and fixed key sizes up to 256 bits, so it does not match either.

From a CEH perspective, the mention of variable key sizes also hints at risk evaluation: shorter keys in any cipher can be brute-forced, so secure deployments require strong key length selection and proper key management. Additionally, Blowfish’s 64-bit block size can be a concern in large-volume encryption scenarios due to block collision risks, which is why modern systems often prefer 128-bit block ciphers for new designs.

This scenario demonstrates tailgating, which is gaining unauthorized physical access to a secure area by following an authorized person through an access-controlled entry point. Priya does not present credentials, swipe a badge, or otherwise authenticate; instead, she leverages normal human behavior and social assumptions during a busy shift change. Because employees assume she belongs there and do not challenge her, she successfully bypasses the physical access control.

Tailgating is common in workplaces with high traffic, open-plan culture, or weak enforcement of “no badge, no entry” rules. Attackers may exploit politeness, distraction, or the desire to hold doors open. It is especially effective during shift changes, deliveries, or when people are carrying items and appreciate someone holding the door. The security weakness being tested here is not the badge technology itself but the human factor: lack of challenge culture and inconsistent adherence to access policies.

Tailgating versus piggybacking: in many security references, piggybacking implies the authorized person knowingly allows the other to enter (e.g., holds the door intentionally after being asked). Tailgating typically implies the intruder enters without explicit permission, often by slipping in behind a group. In this scenario, no one confronts her and they “assume she belongs there,” indicating she is following them in without asking or being granted explicit permission—tailgating.

The other options are unrelated: shoulder surfing is visual observation of sensitive input; dumpster diving is retrieving information from trash. Therefore, the correct answer is C. Tailgating.

In CEH v13 Cloud Computing, multi-tenancy is a core cloud characteristic—but also a major risk if isolation controls are weak. When one tenant’s actions affect others, the issue is almost always insufficient isolation between tenants.

Multi-tenant isolation ensures that compute, storage, memory, and network resources are strictly separated. Without proper isolation, a malicious tenant can:

Exhaust shared resources

Access neighboring virtual machines

Damage the provider’s reputation

Encryption and authentication protect data access but do not stop cross-tenant impact. Logging helps detect incidents but does not prevent them.

CEH v13 emphasizes strong logical isolation mechanisms—such as hypervisor hardening and tenant segmentation—as essential cloud security controls. Therefore, Option C is the correct answer.

The scenario clearly describes baiting, a physical social engineering technique covered in CEH under human-based attacks. Baiting involves enticing a victim with something appealing or intriguing, such as free software, confidential documents, or valuable information, in order to trick them into compromising security. In this case, the USB drive is deliberately labeled “Confidential 2025 Budget Plans,” which is designed to trigger curiosity and urgency. The attacker relies on human psychology, specifically curiosity and perceived importance, to motivate the target to plug the device into a company system.

Unlike phishing, which typically occurs through email or electronic communication, baiting often involves physical media such as USB drives left in public areas like parking lots or lobbies. CEH materials highlight that attackers may preload such devices with malware that executes automatically when inserted, granting access to the internal network. Even though this experiment uses a harmless tracking script, the methodology mirrors real-world attacks where malicious payloads could establish backdoors, exfiltrate data, or deploy ransomware.

Hoaxes spread false warnings to create panic but do not necessarily require interaction with physical devices. Pretexting involves fabricating a scenario or identity to elicit information directly from a target through conversation or interaction. The use of a strategically placed USB labeled with enticing information fits the definition of baiting precisely. This test reinforces the importance of policies prohibiting unknown removable media usage and promoting employee awareness training.

The system described is a Network-Based Intrusion Detection System because it is positioned near the perimeter firewall and inspects traffic flowing across the network segment rather than activity on a single endpoint. In CEH-aligned coverage, a NIDS is deployed at strategic network points such as behind a firewall, on core switches, or on SPAN or TAP links to monitor inbound and outbound packets. Its purpose is to detect suspicious patterns, signatures, protocol anomalies, and indicators of scanning or exploitation attempts across multiple hosts and an entire subnet. The question explicitly says it “analyzes incoming and outgoing traffic” and looks for patterns “across the entire subnet,” which matches NIDS scope and placement.

A Host-Based IDS, by contrast, runs on individual servers or workstations and monitors local events such as system calls, logs, file integrity, registry changes, and local network connections for that specific host. That does not match the perimeter-positioned, subnet-wide traffic analysis described. Host-based firewalls also operate per endpoint, enforcing rules for that machine only, and do not provide centralized subnet-wide packet inspection from a perimeter vantage point. A network-based firewall primarily enforces allow or deny policy and may perform stateful filtering, but it is not primarily described as a detection tool analyzing suspicious patterns; IDS is the detection-focused control.

Therefore, Olivia is attempting to bypass a Network-Based Intrusion Detection System to demonstrate how malicious traffic might evade monitoring controls placed near the firewall and to help the security team strengthen detection coverage and alerting.

The correct choice is the SOA record because it uniquely provides authoritative administrative and operational metadata about a DNS zone. In CEH reconnaissance techniques, DNS enumeration is a high-value passive and semi-passive method to learn about an organization’s infrastructure without actively attacking hosts. The Start of Authority record defines core parameters of the zone and identifies the primary authoritative name server for that domain. Most importantly for this question, the SOA record contains fields that directly match “serial number and refresh interval,” which are classic SOA elements used for zone replication and synchronization behavior between primary and secondary DNS servers.

An SOA record typically includes the primary name server, the responsible party field often formatted like an email address for the zone administrator, the zone serial number, and timing values such as refresh, retry, expire, and minimum TTL. These details can reveal change frequency, operational practices, and sometimes administrative contact clues, all of which are relevant in reconnaissance and reporting.

The other record types do not meet the requirement. MX records identify mail exchangers for the domain but do not include serial or refresh parameters. NS records list authoritative name servers but lack administrative timing metadata. TXT records store arbitrary text such as SPF, DKIM, DMARC, or verification strings and are useful for email security posture analysis, but they do not provide the zone control fields the question references. Since the question explicitly calls out serial and refresh interval, the SOA record is the only option that fits completely.