ECCouncil 312-50v13 Based on Real Exam Environment

CEH v13 explains that directory traversal (also called path traversal) occurs when an application improperly handles user-supplied input used for file path generation. Attackers exploit this by inserting traversal sequences such as ../ beyond the intended directories, gaining access to sensitive files like /etc/passwd, configuration data, or source code. The vulnerability arises from missing input validation and failure to restrict file access to safe directories. CEH stresses that directory traversal is common in file handling functions such as view, download, or include operations. Brute-forcing credentials (Option A) is unrelated. XSS (Option C) targets script injection into web pages, not file access. Buffer overflow (Option D) manipulates memory, not file paths. Therefore, the scenario represents classic directory traversal exploitation.

The scenario describes an on-device, app-based rooting approach that does not rely on a PC connection, USB debugging, or a bootloader unlock workflow. In CEH mobile platform coverage, this aligns with “one-click” rooting tools that package exploits to elevate privileges directly from user space to root on the device. These tools typically target known vulnerabilities in the Android OS, vendor kernels, or system services to obtain root privileges and then install a management component to maintain elevated access.

KingoRoot is commonly cited in ethical hacking training contexts as a popular one-click rooting solution that can run as an Android application and attempt to root a device without a computer, depending on the device model, Android version, and patch level. This directly matches the prompt: Sofia installs a mobile application, it “exploits a system vulnerability,” and it achieves root “without requiring a PC.” The constraints given, USB debugging disabled and OEM unlock restrictions, make PC-assisted ADB workflows or bootloader-based rooting less feasible, which further supports an exploit-driven, on-device rooting tool.

Magisk Manager is primarily a root management and systemless modification framework and typically assumes the device is already rooted or that the user can patch the boot image and flash it, often requiring bootloader unlock steps that OEM restrictions would block. “One Click Root” is a generic label rather than a specific tool in many CEH-style question banks. RootMaster is another one-click tool, but KingoRoot is the most widely recognized and frequently referenced for direct APK-based rooting in this context.

CEH v13 identifies AI-powered malware as an emerging advanced threat that adapts its execution based on environmental cues and user behavior. Unlike traditional polymorphic malware, AI-driven malware can dynamically decide when and how to execute actions to avoid detection.

The described traits—behavioral adaptation, idle-time exfiltration, encrypted communication—are hallmarks of AI-assisted malware.

Polymorphic viruses change signatures but do not adapt behavior intelligently. Rootkits focus on hiding presence. Worms propagate aggressively.

Therefore, Option A is correct.

Fileless malware is the best match because the scenario highlights memory-resident execution with no malicious files written to disk and activity that disappears after a reboot. In CEH-aligned malware concepts, fileless attacks commonly leverage legitimate system tools and trusted processes, often called living off the land, to execute malicious logic without dropping traditional executables. PowerShell is one of the most frequently abused components for this purpose because it can download, decode, and run scripts directly in memory, including obfuscated commands that evade simple signature-based scans. The prompt explicitly states that endpoint scanners find no malicious files on disk, yet telemetry detects a trusted process executing obfuscated PowerShell commands in memory. That combination strongly indicates fileless behavior.

The fact that the anomaly vanishes on reboot also fits fileless techniques that rely on volatile memory artifacts rather than persistent file-based implants. While fileless attacks can establish persistence through registry run keys, scheduled tasks, WMI, or other mechanisms, the question emphasizes no footprint and reboot clearing the activity, which is consistent with a purely in-memory foothold or a short-lived execution chain.

A worm is characterized by self-replication across systems, which is not described. A trojan usually involves a malicious file disguised as legitimate software, conflicting with the “no files on disk” observation. A rootkit focuses on stealth and hiding by modifying system internals and can persist, but the scenario’s defining indicators are PowerShell in-memory execution and lack of disk artifacts, which aligns most directly with fileless malware.