312-50v13 ECCouncil Exam Lab Questions

CEH v13 emphasizes that advanced injection attacks often evade input validation through encoding and obfuscation. A Web Application Firewall (WAF) with evasion detection can analyze request patterns, payload behavior, and anomalies in real time.

Code reviews are important but reactive. SIEM correlates logs after attacks. 2FA does not prevent injection.

Thus, Option B provides the most effective immediate protection.

The correct answer is D. Post-Exploitation.

The scenario clearly occurs after initial access has already been obtained. The tester is no longer only discovering assets, identifying vulnerabilities, or exploiting the first weakness. Instead, the tester is modifying logging configurations, creating alternate access keys, maintaining persistence, and mapping privilege relationships inside the cloud tenant.

This aligns with the post-exploitation stage, where the tester evaluates what can be done after compromise, including maintaining access, enumerating privileges, understanding internal trust relationships, and documenting the impact of the compromise.

CEH-aligned methodology separates early activities such as information gathering and vulnerability scanning from later phases such as gaining access and maintaining access. The referenced methodology describes information gathering as collecting details such as IP addressing, protocols, open ports, device types, and vendor information, while later phases include gaining access, privilege escalation, backdoor installation, maintaining access, clearing logs, and covering tracks .

Option A. Exploitation is incorrect because exploitation is the phase where the initial vulnerability is actively used to gain access. In this scenario, the exposed credential has already been used.

Option B. Information Gathering is incorrect because the tester is not merely collecting external or pre-compromise information. The activity is taking place inside the cloud tenant after compromise.

Option C. Vulnerability Assessment is incorrect because vulnerability assessment focuses on identifying and validating weaknesses, not persistence, access key creation, or internal privilege mapping.

Option D. Post-Exploitation is correct because the tester is operating after compromise to maintain access and assess the internal impact.

Therefore, the best answer is D. Post-Exploitation.

This scenario describes a worm infection, as defined in CEH v13 Malware Threats. Worms are self-replicating malware that spread autonomously across networks without user interaction. Their propagation often results in excessive network traffic, system crashes, and resource exhaustion, which aligns with the symptoms described.

CEH v13 differentiates worms from other malware:

Ransomware encrypts data but does not self-propagate aggressively.

Trojans require user execution.

Rootkits focus on stealth and persistence rather than replication.

The appropriate response prioritizes containment and eradication. Quarantining affected systems prevents further spread. A network-wide antivirus sweep with updated signatures removes known worm variants. Updating operating systems closes vulnerabilities that worms exploit for propagation.

CEH v13 stresses rapid isolation and patching as critical measures to control worm outbreaks and restore network stability. Therefore, Option A is correct.

The described bypass is most consistent with using an in-line comment technique. Many simplistic SQL injection filters look for specific “blocked” keywords such as SELECT, UNION, OR, or DROP as contiguous strings. If the tester breaks a keyword apart by inserting tokens the database will ignore—most commonly comment delimiters—the filter may fail to match the forbidden keyword, while the SQL parser still reconstructs the intended meaning. For example, inserting comment markers inside a keyword can cause the application-layer filter to miss the pattern, yet the database can still process the statement depending on the DBMS and parsing rules. This is why comment-based obfuscation is a common SQLi evasion approach against weak signature filters.

The scenario’s wording “broken apart with unexpected symbols” maps well to comment markers such as /**/ (or other DBMS-specific comment forms). These characters look “unexpected” to a naïve filter, but to the SQL engine they are treated as comments/whitespace and effectively ignored during parsing, allowing the attacker’s intended keyword to be interpreted correctly.

Why the other options are less aligned:

String concatenation (A) is an obfuscation approach where attackers build keywords/strings using concatenation operators or functions (DBMS-specific). The scenario emphasizes splitting keywords with symbols that the DB interprets correctly as separators/ignored content, which more directly matches comment insertion.

Hex encoding (B) encodes parts of a payload (strings, sometimes function names) in hexadecimal form. That is a different technique than splitting keywords with inserted symbols.

Null byte (D) is historically used to terminate strings in certain contexts (more common in older file/path handling bugs) and is not the primary technique for bypassing keyword filters in modern SQL parsing.

Therefore, the SQL injection evasion technique is C. In-line Comment.