CEH v13 Domain 3.3 Practice Test 004

This practice test covers Domain 3 (System Hacking Phases and Attack Techniques) Subdomain 3 (Malware Threats) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CEH practice tests based on specific domains and subdomains, click that link

CEH v13 Domain 3.3 Practice Test 004

10 questions • 8 single-answer, 2 multi-select

Question 1

An enterprise SOC team is investigating a malware incident where the malicious code spreads across the network autonomously by exploiting vulnerabilities in exposed network services, requires no user interaction to propagate, and creates full copies of itself on remote systems through self-replication over standard ports. The malware first appeared on an exposed SCADA system and compromised dozens of additional servers within minutes through automated self-propagation. Which type of malware best describes this behavior?

A. Trojan B. Ransomware C. Network worm D. Rootkit

Question 2

Elijah is analyzing a suspicious binary submitted through the help desk and places it inside an isolated virtual machine with full network monitoring enabled, then observes its behavior live including registry key modifications, new file system entries, outbound connection attempts, and spawned child processes. This technique avoids reverse engineering the binary's code and instead focuses entirely on what the sample does when it executes in a controlled environment. Which malware analysis approach is Elijah using?

A. Static analysis B. Dynamic analysis C. Code review D. Fuzzing

Question 3

A nation-state threat actor compromises a global telecommunications firm through a carefully crafted spear-phishing campaign targeting a specific executive, establishes persistence using a custom implant that communicates over encrypted HTTPS to avoid detection, and maintains covert access for eleven months while exfiltrating intellectual property in small, low-bandwidth increments. The attackers use living-off-the-land binaries to blend their activity with normal administrative traffic and rotate their infrastructure regularly to evade threat intelligence feeds. Which threat category best describes this type of attack?

A. Script kiddie attack B. Opportunistic malware campaign C. Advanced Persistent Threat D. DDoS campaign

Question 4

Select all that apply

The blue team at a telecommunications company is hunting for hosts potentially infected with a Remote Access Trojan and needs to identify which two behavioral artifacts are most indicative of an active RAT infection maintaining a persistent command-and-control channel. They plan to search endpoint logs, network flows, and process trees for these indicators before running containment procedures. Which two host or network behaviors should they prioritize investigating? (Choose two)

A. Unexpected outbound connections on non-standard ports B. Security tools disabled or tampered with C. High CPU utilization from legitimate compilers D. Increased DNS traffic on port 53 to known CDN servers E. Certificate authority enrollment errors in event logs

Question 5

Clark is analyzing a malware sample and discovers it does not write any executable code or payload files to disk but instead injects malicious shellcode directly into the memory of a running legitimate system process, using built-in Windows administration tools such as PowerShell, WMI, and the Windows Management Instrumentation Command-line for both execution and persistence. Traditional signature-based antivirus solutions consistently fail to detect this threat because there are no suspicious files written to the file system for scanning engines to inspect. Which type of malware is Clark analyzing?

A. Rootkit B. Keylogger C. Fileless malware D. Ransomware

Question 6

Jane is reviewing endpoint logs from a workstation that shows a trusted-looking software update utility initiating an outbound connection to an external IP address and downloading an additional payload shortly after installation by the end user. Further investigation reveals the utility performs its advertised function correctly and appears completely legitimate to the user, but simultaneously executes a secondary hidden function in the background that opens a persistent backdoor to the attacker without the user's knowledge or consent. Which malware type best describes this threat?

A. Virus B. Worm C. Trojan D. Spyware

Question 7

Elijah is conducting malware analysis on a suspicious executable submitted by a SOC analyst and opens it in IDA Pro to examine the binary without executing it, analyzing imported library functions, suspicious strings, cryptographic constants, and control flow graphs to understand the malware's intended capabilities and identify its malicious logic. This methodology allows him to analyze the sample even when the malware is designed to detect sandbox environments and alter its behavior when it suspects it is being monitored. Which analysis technique is Elijah using?

A. Dynamic analysis B. Behavioral analysis C. Static analysis D. Sandbox emulation

Question 8

An attacker crafts a macro-embedded Microsoft Word document and delivers it to a target executive via a spear-phishing email with a compelling social engineering lure. When the executive opens the document and clicks the prompt to enable content, the macro executes a PowerShell command that reaches out to a remote server, downloads a second-stage payload, and injects it into a running system process to establish a foothold. Which stage of the Cyber Kill Chain does the macro execution and payload download represent?

A. Reconnaissance B. Weaponization C. Exploitation D. Delivery

Question 9

A security analyst monitoring a compromised Linux server notices it is generating a large volume of outbound HTTPS POST requests at precisely timed intervals to a recently registered domain that resolves to multiple rotating IP addresses across different autonomous systems. The analyst determines that the infected host is receiving operator instructions and sending back stolen data through these connections, with all traffic encrypted using valid TLS certificates to prevent content inspection. Which malware functionality does this behavior primarily describe?

A. Keylogging B. Rootkit persistence C. Command-and-control communication D. Lateral movement

Question 10

Select all that apply

The incident response team at a hospital network discovers their environment was compromised through a supply chain attack in which malware was silently embedded into a legitimate vendor software update package and automatically distributed to thousands of endpoints during the routine patch cycle. The team must identify which two malware countermeasures, had they been deployed, would have been most effective at either preventing the initial installation or limiting the blast radius of this type of attack. Which two countermeasures should the team prioritize recommending? (Choose two)

A. Application whitelisting B. Software supply chain integrity verification C. Password complexity requirements D. Physical access badge controls E. DNS response rate limiting

Related Posts

Leave a Comment Cancel Reply