CEH v13 Domain 3.3 Practice Test 003

This practice test covers Domain 3 (System Hacking Phases and Attack Techniques) Subdomain 3 (Malware Threats) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.


10 questions • 8 single-answer, 2 multi-select
Question 1
Elijah, a threat actor affiliated with a nation-state group, has deployed a sophisticated implant on a financial institution's internal network that communicates over HTTPS to a command-and-control server and periodically exfiltrates encrypted data. The implant persists across reboots by injecting itself into a trusted Windows service, remains dormant for weeks to avoid behavioral detection, and targets a single organization over many months. Which category of malware threat best describes this type of targeted, long-term, stealthy intrusion campaign?
Question 2
Jane, a malware analyst at a managed security service provider, is examining a suspicious process on a compromised endpoint that has no corresponding executable file on disk and runs entirely within legitimate Windows processes such as PowerShell and WMI. The process injects shellcode into legitimate memory space and uses Living-off-the-Land Binaries (LOLBins) to execute malicious actions, making traditional signature-based antivirus tools completely ineffective. Which malware classification best describes this attack technique?
Question 3
Kevin has written a self-replicating malicious program that exploits an SMB vulnerability to automatically propagate across an enterprise network without requiring any user interaction, consuming network bandwidth and corrupting files on each infected host. Unlike a virus, this program does not need to attach itself to an existing executable file to spread from system to system. Which malware type best describes Kevin's program?
Question 4
During a red team engagement against an enterprise target, a penetration tester discovers a program disguised as a legitimate software update utility that silently opens a backdoor allowing remote command execution and data exfiltration without the user's knowledge. The program does not replicate itself and relies entirely on social engineering to convince users to install it. Which malware category does this program represent?
Question 5
A SOC analyst at a healthcare organization receives an alert about suspicious outbound traffic from a workstation and captures a malware sample for investigation. She places the sample in an isolated virtual machine and executes it while monitoring all system calls, registry modifications, file system changes, and network connections in real time without examining the underlying source code. Which type of malware analysis technique is she performing?
Question 6
An organization's threat intelligence team identifies an intrusion campaign spanning several months that began with a targeted spear phishing email, progressed through lateral movement using stolen credentials, and culminated in slow encrypted data exfiltration specifically designed to evade detection thresholds. The attacker maintains persistent access by rotating command-and-control infrastructure and abusing legitimate administrative tools, making attribution extremely difficult for investigators. Which threat actor classification best describes this type of campaign?
Question 7
Select all that apply
A malware analyst is tasked with examining a suspicious Windows executable without executing it in order to understand its structure, identify embedded strings, analyze import tables, and detect any packing or obfuscation techniques used by the malware author. This approach does not require running the sample in a sandbox and provides a foundation for understanding the malware's capabilities before any runtime testing is performed. Which TWO tools are commonly used for this type of static malware analysis? (Choose two)
Question 8
An OT security engineer at a manufacturing plant discovers that Siemens PLC ladder logic has been covertly modified, causing physical centrifuge equipment to behave erratically, while Windows HMI workstations connected to the OT network show signs of infection from a USB-delivered payload. The malware specifically targets industrial control systems and SCADA environments to cause physical sabotage rather than data theft, and forensic evidence attributes it to a nation-state actor. Which infamous real-world malware was specifically engineered to attack Siemens SCADA systems and PLCs in this manner?
Question 9
Sandra, a digital forensics examiner, is analyzing a compromised laptop belonging to a senior executive whose system has been transmitting encrypted data to an external IP address every six hours. Upon investigation, she discovers a hidden process masquerading as 'svchost.exe' that allows remote attackers to execute arbitrary commands, capture keystrokes, and take screenshots without the victim's knowledge. Which type of malware best describes this remote access capability?
Question 10
Select all that apply
A threat hunter at a financial institution is investigating suspicious activity on a trading workstation that has been communicating with an unrecognized external server over encrypted channels at regular intervals. Forensic analysis confirms the presence of malware that has established persistence through registry run keys and is actively exfiltrating sensitive data while modifying system files to evade standard security controls. Which TWO behavioral indicators are MOST commonly associated with active Trojan activity on a compromised host? (Choose two)
