ECCouncil Updated 312-50v13 Exam Questions and Answers by ivor

Fileless malware is the best match because the scenario highlights memory-resident execution with no malicious files written to disk and activity that disappears after a reboot. In CEH-aligned malware concepts, fileless attacks commonly leverage legitimate system tools and trusted processes, often called living off the land, to execute malicious logic without dropping traditional executables. PowerShell is one of the most frequently abused components for this purpose because it can download, decode, and run scripts directly in memory, including obfuscated commands that evade simple signature-based scans. The prompt explicitly states that endpoint scanners find no malicious files on disk, yet telemetry detects a trusted process executing obfuscated PowerShell commands in memory. That combination strongly indicates fileless behavior.

The fact that the anomaly vanishes on reboot also fits fileless techniques that rely on volatile memory artifacts rather than persistent file-based implants. While fileless attacks can establish persistence through registry run keys, scheduled tasks, WMI, or other mechanisms, the question emphasizes no footprint and reboot clearing the activity, which is consistent with a purely in-memory foothold or a short-lived execution chain.

A worm is characterized by self-replication across systems, which is not described. A trojan usually involves a malicious file disguised as legitimate software, conflicting with the “no files on disk” observation. A rootkit focuses on stealth and hiding by modifying system internals and can persist, but the scenario’s defining indicators are PowerShell in-memory execution and lack of disk artifacts, which aligns most directly with fileless malware.

In OT hacking methodology, once exposed industrial assets have been identified, the next logical step—before attempting exploitation—is to actively assess those assets for weaknesses. The scenario states the tester is “actively probing controllers, services, and interfaces to identify exploitable weaknesses” and explicitly confirms that no exploitation attempts or persistence mechanisms have occurred. That combination maps most closely to the Vulnerability Scanning phase.

Vulnerability scanning in OT contexts includes carefully enumerating and assessing industrial components such as PLCs, HMIs, historians, engineering workstations, and industrial gateways. The goal is to discover issues like outdated firmware, insecure services, weak authentication, exposed management interfaces, misconfigurations, and known CVEs affecting industrial protocols or device web consoles. “Actively probing” is an important clue: information gathering can be passive (asset inventories, diagrams, OSINT, passive network visibility), but scanning moves into active interaction with hosts and services to identify vulnerabilities—still short of exploitation.

The other answer choices do not align with the described boundaries. Gain Remote Access implies initial compromise or establishing access paths (e.g., leveraging credentials, remote services, or exploits) and is a later step once weaknesses are identified and selected. Launch Attacks is even further along, where exploitation or disruption actions occur. Information Gathering would fit earlier when the tester is identifying assets and collecting details with minimal interaction; however, the scenario says that stage is already past (“has already identified exposed industrial assets”) and that the tester is now probing for exploitable weaknesses.

Therefore, the current phase is D. Vulnerability Scanning.

Priya is performing Verification because the team has already completed the remediation work (patches and fixes), and is now conducting follow-up scans and attack-surface review to confirm that the applied changes actually resolved the identified vulnerabilities. In a standard vulnerability-management lifecycle, remediation is the phase where vulnerabilities are addressed through actions such as patching, configuration hardening, compensating controls, or removing vulnerable services. Verification comes immediately after remediation to ensure fixes are effective, nothing was missed, and no new issues were introduced.

The scenario’s sequencing is the strongest clue: “already applied patches and fixes” means remediation is done; “run follow-up scans…to confirm” indicates validation of remediation outcomes; and “only after this step will she prepare a compliance report” reflects that organizations typically require evidence that remediation is effective before reporting status to leadership or auditors. Verification often includes rescanning the affected assets, checking configuration baselines, validating that vulnerable versions are no longer present, ensuring services are running as intended, and confirming that the original finding cannot be reproduced.

Why the other options do not match:

Remediation (D) would be the patching/fixing activity itself, which has already occurred.

Risk Assessment (C) is the prioritization and impact evaluation stage, typically performed before remediation to decide what to fix first and how urgently.

Monitoring (A) is ongoing observation and continuous assessment (tracking exposure, trends, new vulnerabilities), but Priya’s specific task is a post-fix confirmation step, which is verification.

Therefore, the correct phase is B. Verification.

The CEH Web Application Hacking module identifies Session Fixation as a powerful session management attack that can bypass advanced authentication controls, including MFA.

In session fixation, the attacker forces the victim to authenticate using a session ID already known to the attacker. Once authentication completes, the attacker hijacks the valid session without needing credentials.

Option A directly targets session management logic.

Option B exploits authorization logic, not session handling.

Option C is unrelated to session management.

Option D is mitigated by encrypted cookies and HTTPS.

CEH explicitly warns that applications must regenerate session IDs after authentication.