ECCouncil Updated 312-50v13 Exam Questions and Answers by zohan

According to CEH v13 Security Operations and Incident Response, backdoors are stealth mechanisms that allow attackers persistent access. Indicators such as unexplained outbound traffic, unauthorized file modifications, and irregular reboots strongly suggest post-compromise persistence mechanisms.

CEH v13 recommends a behavioral and host-based detection approach for backdoor identification. Continuous monitoring of system and file activity helps detect unauthorized binaries, registry changes, and scheduled tasks. Anomaly detection identifies deviations from normal system behavior, which is critical for uncovering hidden backdoors that evade signature-based detection.

Additionally, advanced anti-malware tools with heuristic and memory analysis capabilities are essential to identify sophisticated backdoors that traditional antivirus may miss. These tools can detect rootkits, fileless persistence, and covert communication channels.

The other options are preventative but not investigative. Immediate reboots may destroy volatile evidence, while password policies and ACLs do not detect existing compromises. Therefore, option B provides the most effective and CEH-aligned response.

CEH v13 classifies this malware as fileless malware, which resides in memory and abuses legitimate system tools (Living-off-the-Land techniques). Traditional antivirus solutions are often ineffective.

CEH v13 recommends:

Script control (PowerShell Constrained Language Mode)

Application whitelisting

Monitoring parent-child process relationships

These measures directly target the malware’s execution method. Reboots and folder cleanup do not address in-memory persistence.

The described action is classic web server footprinting through banner grabbing. In CEH reconnaissance methodology, banner grabbing is used to identify a target’s service details by eliciting and analyzing standard protocol responses. When Sofia sends a simple HTTP request such as GET / HTTP/1.0, the server often responds with HTTP headers that may include fields like Server and sometimes X-Powered-By, which can reveal the web server product and version, and occasionally information that hints at the underlying operating system or framework. This disclosure is valuable to attackers because it enables targeted exploitation: once the exact server and version are known, an attacker can correlate that information with known vulnerabilities, misconfigurations, and exploit code.

This is not information gathering from robots.txt, which is a web file used to suggest crawler behavior and sometimes reveals hidden paths but does not inherently expose server software versions. It is also not directory brute forcing, which involves systematically guessing directories and files to find hidden endpoints. Vulnerability scanning is broader and typically involves automated checks to detect vulnerabilities; while banner information can be an input to scanning, the technique shown here is specifically identification through response headers.

CEH-aligned mitigation includes disabling or minimizing server signature information, removing unnecessary headers, keeping server software patched, and using secure configurations and reverse proxies to reduce information leakage during reconnaissance.

CEH v13 identifies covert channels in legacy industrial protocols as among the hardest sniffing techniques to detect. Modbus, widely used in OT and ICS environments, lacks authentication and encryption, making it ideal for covert communication.

Attackers can manipulate function codes and payload timing to exfiltrate data without triggering traditional IDS signatures. CEH v13 highlights that OT protocols often bypass deep inspection tools, making covert channels extremely stealthy.

Other options are less realistic or less persistent in modern enterprise environments.