ECCouncil Updated 312-50v13 Exam Questions and Answers by aylin

Tiny Fragments is the technique described because it relies on IP fragmentation to evade firewall or packet-filter inspection by splitting critical header and payload information across multiple fragments. In CEH-aligned network evasion concepts, some security devices make allow or deny decisions by inspecting specific fields and patterns in the first fragment of a packet or by performing limited reassembly. If the attacker deliberately crafts fragments that are unusually small, the first fragment may not contain enough of the TCP header or higher-layer data for the firewall to properly evaluate the packet against its rules and signatures. The remaining TCP header bytes or meaningful payload patterns can be pushed into subsequent fragments, which may pass through because the device cannot correlate them correctly or does not fully reassemble traffic before inspection.

The question’s key clue is that Ethan is “forcing some TCP header information into subsequent packets” to bypass checks. That phrasing is a direct match to fragmentation-based evasion rather than identity deception or tunneling. IP address spoofing changes the apparent source IP, but it does not specifically move TCP header details into later fragments. Source routing is an old technique to influence packet pathing using IP options and is typically blocked in modern environments; it also does not describe splitting TCP header content. HTTP tunneling encapsulates non-HTTP traffic inside HTTP to pass through proxies or firewalls, which is a different mechanism than fragmentation.

Therefore, the correct firewall bypass technique in this scenario is Tiny Fragments.

The indicators described align most strongly with the Search and Exfiltration phase of the APT lifecycle. In CEH-aligned APT models, attackers typically progress from initial access to establishing footholds, expanding access through internal reconnaissance and lateral movement, then locating valuable data and exfiltrating it. While spear-phishing is a common Initial Intrusion technique, the scenario explicitly includes multiple signals that the attackers are already deep inside the environment and actively handling sensitive information.

The key evidence is the “unusually large data transfers during non-business hours” tied to the R&D department and “unexpected outbound traffic to unfamiliar IP addresses.” Those are classic signs of staging and exfiltration, where collected data is aggregated internally and then sent out to attacker-controlled infrastructure, often at times chosen to reduce detection. The observation that attackers have “intimate knowledge of the organization’s internal data structure” further supports that they have already performed internal discovery and are now targeting specific high-value repositories.

Unauthorized firmware on printers and routers suggests the attackers may have created durable internal collection points or covert channels, but that activity supports and enables the data-theft mission rather than being the primary phase indicated by the full pattern of events. Therefore, the combination of targeted access to R&D resources, anomalous outbound connections, and large off-hours transfers most closely matches the Search and Exfiltration phase in CEH APT lifecycle coverage.

Hacktivists are the most likely category because the scenario is driven by an ideological or political motive rather than direct financial gain. The attackers selectively accessed internal systems and leaked communications, then paired the leak with a manifesto accusing the agency of biased reporting. They also publicly claimed responsibility on social media and framed the intrusion as a fight against misinformation. In CEH-aligned terminology, hacktivism commonly involves unauthorized access, defacement, doxxing, or data leakage intended to influence public opinion, embarrass a target, or push a political or social agenda. The public messaging and justification are key indicators of hacktivist intent.

The other options do not fit as well. Script kiddies typically use ready-made tools with limited sophistication and usually do not produce coordinated ideological messaging or targeted, narrative-driven leaks. Black hat hackers are defined by malicious intent, but they are most commonly associated with theft for profit, extortion, fraud, or ransomware. This incident explicitly notes there was no ransomware and no financial tampering, reducing the likelihood that profit was the primary objective. White hat hackers operate with authorization and documented scope, and they do not leak sensitive whistleblower communications or publish manifestos.

Therefore, the combination of unauthorized access, selective exposure of sensitive information, and public ideological justification aligns most strongly with hacktivists.

The correct answer is D. Application Keylogger because the scenario describes keystroke capture from desktop applications on a Windows workstation without installing kernel drivers and without requiring physical access or browser-level script injection. In CEH-aligned keylogger classifications, an application (user-mode) keylogger operates at the application layer by using user-space techniques such as hooking common Windows APIs (for example, keyboard input functions and message-handling routines) to intercept keystrokes as they are processed by applications. This enables logging of credentials typed into local programs, draft emails written in desktop clients, and sensitive text entered into business tools—exactly the outcome Tyler observed.

The question provides two strong eliminators. First, it states no kernel drivers were installed, which rules out kernel keyloggers that capture input at the kernel level (often requiring driver installation and deeper OS integration). Second, it states the attack did not require browser injection, which rules out a JavaScript keylogger (typically implemented by injecting script into a web page/application to capture form inputs within a browser session). It also explicitly notes that there was no physical device access, which rules out a hardware keylogger (a physical device placed between keyboard and computer or embedded in a keyboard) that requires in-person installation.

Application keyloggers are frequently used in post-exploitation because they can be deployed quickly with standard user-level privileges (though higher privileges may expand coverage), can target a broad range of applications, and can run covertly. From a defense perspective, monitoring for suspicious API hooking behavior, unusual process injection, abnormal input-capture patterns, and endpoint controls that detect credential access techniques are common countermeasures.

Therefore, given the constraints and the observed logging of desktop application input, the most likely keylogger type is an application keylogger.