312-50v13 Leak Questions

The correct answer is D. Code Execution.

The phishing email and attachment represent the initial delivery or point of entry. However, the question asks about the moment after the attachment is opened, when built-in scripting utilities inject malicious instructions into a legitimate running process. At that stage, the attacker’s code is actively executing in memory without a standalone malicious executable on disk.

This is the code execution phase of a fileless attack. Fileless attacks often abuse trusted system tools, scripts, and legitimate processes to execute malicious instructions directly in memory. A related privilege-escalation reference describes “Living Off the Land Binaries and Scripts” as Microsoft-signed files, scripts, or libraries that can be used by APT or red-team operators for unexpected attacker functionality .

Option A. Persistence is incorrect because persistence would involve maintaining access through registry keys, scheduled tasks, services, startup folders, or similar mechanisms. The scenario states these changes had not yet occurred.

Option B. Point of Entry is incorrect because the entry point was the phishing email attachment. The question focuses on the execution that occurs after opening it.

Option C. Achieving Objectives is incorrect because no final objective, such as data theft, lateral movement, or impact, is described.

Option D. Code Execution is correct because malicious instructions are running inside legitimate processes.

Therefore, the best answer is D. Code Execution.

The CEH Cloud Security module highlights identity and access management (IAM) failures as a major source of cloud breaches. Ensuring timely de-provisioning of user accounts when employees leave is a core security control.

Option C is correct.

Options A and B detect issues but don’t prevent access persistence.

Option D is unrelated to access control.

CEH stresses joiner–mover–leaver (JML) processes.

The correct answer is B. Cryptographically binding authentication tokens to the TLS connection context.

The scenario describes a defense against session token replay. The attacker/tester has a valid authentication identifier, but the application rejects it when it is reused from a different machine and a different encrypted channel. This indicates that the token is not accepted by itself; it is tied to the original TLS-secured session context.

CEH-aligned session hijacking material explains that session replay occurs when an attacker captures an authentication token and replays the request to obtain unauthorized access. It also describes session hijacking as taking over an authenticated session after authentication has already completed . TLS material explains that TLS provides secure communication, peer authentication, shared-secret generation, and secure session establishment between endpoints . Binding the token to the TLS context prevents a captured token from being reused over a different TLS connection.

Option A. Encrypting DNS resolution traffic using DNS over HTTPS is incorrect because DNS over HTTPS protects DNS lookups, not application session tokens.

Option C. Applying IPsec protection at the network layer is incorrect because IPsec protects traffic at the network layer. The question specifically describes an application-issued authentication identifier being validated against the original secure exchange.

Option D. Enforcing HTTP Strict Transport Security is incorrect because HSTS forces browsers to use HTTPS, but it does not cryptographically bind a token to a specific TLS channel.

Therefore, the best answer is B. Cryptographically binding authentication tokens to the TLS connection context.

The tool described is most consistent with Bettercap. Bettercap is a lightweight, extensible framework commonly used in controlled security testing for man-in-the-middle (MITM) operations on local networks. It supports ARP spoofing/ARP poisoning to position the attacker between victims and gateways, enabling interception of traffic. It also supports DNS manipulation/spoofing (e.g., redirecting domain lookups to attacker-controlled destinations) and packet injection capabilities for modifying or inserting traffic. Importantly, it provides an interactive interface that allows real-time session visibility and control, which matches the scenario’s emphasis on interactive monitoring while intercepting internal web application traffic.

The objective described—capturing and manipulating session tokens in transit—is consistent with a MITM platform that can observe HTTP traffic (or influence traffic where TLS is not properly enforced or where testing includes trusted certificates in a lab). Bettercap’s design as an “all-in-one” local network attack and monitoring tool makes it a typical choice for demonstrating risks from weak network segmentation, insecure DNS, lack of HTTPS/HSTS, or insufficient endpoint protections against ARP spoofing.

Why the other options are less suitable:

Wireshark (A) is primarily a packet analyzer/sniffer; it does not inherently perform ARP spoofing, DNS manipulation, or injection as an active MITM tool.

Hetty (B) and Caido (C) are web-focused interception/testing tools (proxy-style workflows). They can intercept HTTP/S when configured as a proxy, but they do not natively specialize in LAN-layer ARP spoofing and DNS manipulation for transparent MITM in the same way as Bettercap.

Therefore, the most likely tool is D. Bettercap.