The Certified Ethical Hacker Exam (CEHv13) (312-50v13)

The described activity most directly matches a firmware update attack. In CEH coverage of IoT and OT threats, firmware represents the low-level code that runs on embedded devices and industrial controllers, and compromising it is one of the most impactful persistence methods because it survives reboots and often persists through normal configuration resets. The scenario states that Sameer “replaces one of the system’s firmware components with a custom payload” and that the payload “maintains access across reboots.” Those are signature characteristics of a firmware-level compromise, typically achieved through insecure firmware update mechanisms, weak signing or verification controls, exposed update interfaces, or inadequate access controls on management ports.

A firmware update attack can occur when devices accept unsigned firmware, use weak integrity checks, allow downgrade to vulnerable versions, or expose update services without strong authentication. Once malicious firmware is installed, it can covertly execute commands, manipulate device behavior, hide its presence from higher-level monitoring, and create a durable foothold in OT environments where patching and reimaging are difficult. CEH emphasizes that OT devices such as programmable controllers and substation automation equipment are especially sensitive because firmware tampering can affect availability and safety, not just confidentiality.

Remote access using a backdoor is a broader concept and could be the payload’s function, but the primary technique here is achieving persistence by modifying firmware. Forged malicious device refers to introducing rogue hardware, and exploit kits are typically used for automated exploitation on endpoints, not controller firmware replacement.

CEH v13 explains that SQL injection typically occurs when user inputs are concatenated into SQL queries without proper validation or parameterization. The login form is one of the most common injection targets, and testers use specific test payloads designed to manipulate the authentication query. A classic test string such as ' OR ' 1 ' = ' 1 exploits conditional logic to force the SQL statement to evaluate as true, effectively bypassing authentication if the application is vulnerable. CEH notes that this technique is a standard initial test because it is low-risk, easily detectable if vulnerable, and directly confirms improper sanitization. JavaScript injection (Option A) tests for XSS, not SQLi. Directory traversal (Option C) targets file path vulnerabilities rather than SQL queries. Brute-force attacks (Option D) rely on guessing credentials and do not test input sanitization. Therefore, using a logical SQL injection payload is the most appropriate and CEH-aligned method.

Insufficient logging and monitoring is the most direct threat highlighted by the scenario. In CEH-aligned cloud security concepts, visibility is foundational: without adequate telemetry, security teams cannot detect, investigate, or respond to malicious activity in time. The question explicitly states attackers “remained undetected” because the organization lacked mechanisms to track function-level activity and capture anomalous events. In a serverless architecture, this visibility gap can be especially damaging because there are no traditional servers for defenders to log into, and many security signals must be collected from cloud-native sources such as function invocation logs, API gateway logs, identity events, and centralized monitoring pipelines.

While privilege escalation is a common cloud threat, the question’s root cause is not described as excessive permissions or role abuse; it is the lack of detection capability. Loss of governance refers to weak policies, mismanaged accounts, and lack of control over cloud resources, which may contribute indirectly but is not the immediate failure described. Side-channel attacks are specialized and do not match the evidence of missed alerts and absent operational telemetry.

CEH guidance emphasizes implementing centralized logging, continuous monitoring, alerting, and anomaly detection as core controls. For serverless, this includes capturing detailed function execution logs, tracing, identity and access events, and integrating them into a SIEM/SOAR workflow. Effective monitoring enables rapid detection of abnormal invocation patterns, suspicious API calls, unusual data access, and persistence attempts—reducing dwell time and preventing small compromises from becoming major outages.

The algorithm described most accurately matches RSA. CEH cryptography coverage explains that RSA is a widely used public-key cryptosystem that supports both encryption and digital signatures. In a typical RSA-based signature process, the sender generates a hash of the message and applies their private key using modular exponentiation to create a digital signature. The recipient then uses the sender’s public key to verify the signature, also through modular exponentiation operations involving large prime numbers and a modulus. The scenario specifically references modular exponentiation for generating digital signatures, which is a defining mathematical operation in RSA.

Diffie-Hellman is primarily a key exchange algorithm and does not provide digital signatures by itself. It enables two parties to establish a shared secret over an insecure channel but does not authenticate messages directly through signing. ElGamal does support encryption and can be adapted for signatures, but in standard CEH-oriented contexts, RSA is the most commonly referenced algorithm for public-key encryption and digital signatures in payment systems. DSA is strictly a digital signature algorithm and does not provide encryption functionality; the prompt describes a broader public-key cryptosystem used for authenticity of payment confirmations, which aligns more directly with RSA’s dual capability.

Additionally, RSA’s reliance on key pairs stored and retrieved from directories fits the description of public-key verification in enterprise payment infrastructures. Therefore, RSA is the correct identification.

The scenario points to a JavaScript-based keylogger because the data capture occurs entirely within a web page and does not require installing software on the victim’s machine. In CEH-aligned social engineering and web attack concepts, phishing pages commonly include client-side scripts that capture form inputs in real time. When a user types credentials into a fake login form, JavaScript event handlers can record keystrokes or the final field values and transmit them to an attacker-controlled endpoint. This explains why Tyler’s “payload” works without local privilege, without dropping executables, and without triggering traditional antivirus focused on file-based malware. The key detail is that “captured keystrokes came exclusively from a web-based form embedded in the fake login page,” which matches browser-based capture rather than OS-level logging.

The other options imply deeper system access than the prompt describes. A keyboard keylogger typically operates at the operating-system level by intercepting keyboard input system-wide, which usually requires running code on the host and is more likely to be detected by endpoint protections. A hypervisor-based keylogger is a highly advanced technique that relies on virtualization-layer control and is not consistent with a simple phishing web page. An application keylogger usually targets specific processes on the endpoint (such as browsers or email clients), again requiring execution on the local machine.

From a defensive viewpoint emphasized in CEH, mitigations include user awareness training to spot phishing pages, enforcing MFA to reduce the value of stolen credentials, using anti-phishing protections and URL filtering, monitoring for lookalike domains, and deploying browser and email security controls that detect credential-harvesting pages and suspicious form-post destinations.

The correct answer is A, Mimikatz. In CEH system hacking and post-exploitation topics, Windows credential attacks commonly focus on hashes, cached credentials, Kerberos tickets, and authentication material stored in memory or in Windows credential stores. The CEH-related material identifies Mimikatz as the de facto standard tool for extracting credentials from Windows memory and states that it can steal hashes, PIN codes, and Kerberos tickets from memory, as well as support pass-the-hash, pass-the-ticket, and Golden Ticket attacks. This directly matches the question’s phrase “dumps Windows hashes.” John the Ripper is mainly a password-cracking tool used after hashes are obtained. Hydra is primarily an online login/password attack tool for network services. Aircrack-ng is used mainly for wireless password/key cracking. Therefore, among the options, Mimikatz is the tool most specifically associated with dumping Windows credentials and hashes during the system hacking phase.

The correct answer is B. Stealth Virus because the defining characteristic described is hiding malicious presence by intercepting operating system calls and masking changes so that normal tools (including antivirus scans) do not observe the infection. In CEH-aligned malware concepts, stealth viruses are designed to evade detection by concealing modifications to files, boot records, or system areas. They commonly do this by hooking system functions or APIs so that when the OS or a security product requests file contents, sizes, checksums, directory listings, or other metadata, the virus returns clean-looking or original data instead of the infected/modified version. This makes infected files appear to “function normally,” while the malware remains active in memory and persists on disk.

The scenario explicitly mentions that “infected files continue to function normally” and that the malware “conceals its modifications by intercepting operating system calls.” That is the classic behavior of stealth techniques: manipulate what the system reports, not necessarily change the outward behavior of the application. The repeated “no threats detected” results also align: signature-based or basic scanning can be blinded when the malware controls the interface through which the scanner reads target files or system structures.

Why the other options are less correct: a polymorphic virus focuses on changing its code/signature between infections to evade signature-based detection, but the key clue here is OS call interception and hiding modifications, not code mutation. A macro virus targets macro-enabled documents and spreads through macro execution in office applications; it is not primarily defined by OS-level call hooking. A cavity virus (spacefiller) hides by inserting itself into unused areas of a file without changing the file size, but the scenario’s emphasis is on intercepting OS calls to conceal changes, which is more directly the stealth-virus behavior.

Therefore, Ryan most likely deployed a stealth virus.

The correct answer is B because signature-based IDS detection depends on matching known byte patterns, strings, payload structures, or attack signatures. Polymorphism is highly effective against this model because it changes the appearance of the payload while preserving the same functionality. CEH-aligned material explains that IDSs mainly work by comparing traffic against a signature database, and signature detection only identifies attacks whose signatures exist in that database. It also states that polymorphic shellcodes evade IDS by modifying the attack payload so it no longer matches the default IDS signature. Obfuscation is a broader technique and may include encoding or formatting changes, but polymorphism is more directly aimed at defeating static signatures. Encryption can hide traffic from inspection, but it depends on whether the IDS can decrypt or inspect the session. Port scanning is reconnaissance, not IDS bypass. Therefore, polymorphism is the most precise CEH answer.

According to CEH v13 System Hacking and Web Application Hacking, once reconnaissance and footprinting are complete, attackers typically move into controlled exploitation while maintaining stealth. Since the CEH has already identified a session hijacking vulnerability, leveraging that weakness is the most logical and stealthy progression.

Session hijacking allows attackers to impersonate legitimate users without triggering authentication alerts, making it significantly less detectable than brute-force or scanning activities. Option B aligns with CEH methodology: hijacking a valid session provides authorized-level access, which can then be abused to make configuration changes discreetly.

SQL injection (Option A) may trigger database errors and IDS alerts. Brute-force attacks (Option C) are noisy and easily logged. Automated vulnerability scanning (Option D) generates excessive traffic and is typically avoided once exploitation begins.

CEH v13 emphasizes using already-identified weaknesses and minimizing footprint during exploitation. Therefore, Option B is correct.