ECCouncil Updated 312-50v13 Exam Questions and Answers by tom

The evidence points to a User Account Control bypass. In CEH coverage of Windows privilege escalation, UAC is a protection mechanism intended to prevent silent elevation of privileges, typically prompting the user when an action requires administrative rights. However, certain Windows binaries are “auto-elevate” (often trusted, signed Microsoft executables) and can run with elevated privileges under specific conditions without showing a UAC prompt. Attackers abuse this behavior by manipulating user-writable registry locations—commonly under the current user hive—to influence how these trusted binaries launch other components.

The scenario describes exactly that pattern: a non-elevated process starts an auto-elevate executable such as fodhelper.exe, eventvwr.exe, or sdclt.exe, and the system executes unauthorized code with no prompt. The key forensic clue is “manipulation of shell-related keys under the current user hive,” which is a hallmark of UAC bypass techniques that hijack file association or shell open commands so the trusted binary invokes an attacker-controlled payload instead of the intended system action. Because the modification occurs in HKCU, it can often be performed without administrator privileges, making it attractive for stealthy elevation.

The other options do not match as well. Kernel exploitation involves abusing OS kernel vulnerabilities and would not hinge on shell registry hijacks. Scheduled tasks typically leave task artifacts and are a persistence/execution method rather than this specific auto-elevate redirection behavior. DLL hijacking focuses on search-order abuse for loading malicious DLLs, not shell key redirection tied to UAC auto-elevation.

CEH v13 explains that ARP poisoning (also known as ARP spoofing) occurs when an attacker sends forged ARP replies across the network to associate their MAC address with multiple IP addresses, tricking hosts into sending traffic through the attacker’s machine. This results in routing inconsistencies, intermittent connectivity, failed logins, and degraded intranet performance—exactly the symptoms described. ARP poisoning typically involves unsolicited ARP replies, which overwrite legitimate ARP cache entries. CEH emphasizes that ARP-based attacks are common on LANs because ARP lacks authentication, allowing attackers to impersonate gateways or key hosts. DHCP snooping misconfigurations (Option B) affect IP allocation, not ARP mappings. Legitimate ARP refreshes (Option C) are request-based and do not involve flooding unsolicited replies. Port security restrictions (Option D) block MAC anomalies, not create them. Therefore, ARP poisoning is the correct root cause.

The most direct guideline is D. Register devices with a remote locate and wipe facility because the incident’s core impact came from two factors: loss of physical control of the device and continued exposure of sensitive records while the device remained active. A remote locate-and-wipe capability (commonly delivered through Mobile Device Management (MDM) / Enterprise Mobility Management (EMM) platforms) addresses both problems immediately: it enables administrators to identify the device’s last known location (or trigger location reporting) and, critically, to remotely lock or wipe the device to prevent ongoing unauthorized access to patient data.

In healthcare environments handling regulated data, the priority during a lost-device event is rapid containment. Even if device tracking alone can help find the phone, it does not guarantee that sensitive information stops being accessed during the search. Remote wipe (often paired with remote lock, enforced encryption, and policy-based access control) reduces exposure time by allowing responders to remove protected data and invalidate application access. This is particularly important when the device is still connected to the network, because an attacker (or unauthorized holder) could continue using cached sessions, stored tokens, or locally available records until access is cut off.

Why the other options are less direct: A (anti-virus/DLP) may help detect malware or control data movement, but it does not solve the immediate lost-device containment requirement. B (VPN on public Wi-Fi) is unrelated because the problem is physical loss and inability to control the endpoint. C (install tracking software) helps locate the device, but the scenario highlights that sensitive records were exposed for hours; the most direct impact reduction is achieved when the organization can both locate and wipe/lock the device through an enrolled, centrally managed capability.

Therefore, enrolling devices in a remote locate and wipe facility would have most directly reduced the breach impact.

This scenario describes Platform as a Service (PaaS) because the provider delivers a managed platform where developers can deploy and run custom applications while the provider manages the underlying infrastructure components—servers, operating systems, storage, and often middleware/runtime components. The customer is responsible for application code and logic (and usually data and application configuration), but not for provisioning or maintaining the base compute and OS layers.

The key phrasing is: “developers can deploy and test custom applications without managing the underlying servers, operating systems, or storage,” and “the firm controls the application logic but not the runtime infrastructure.” That is the hallmark responsibility split of PaaS: the provider handles infrastructure and platform operations, enabling rapid development and deployment through managed runtimes, build/deploy pipelines, and scalable services.

Why the other models don’t fit:

IaaS (A) would require the customer to manage the OS and many platform components (patching, runtime configuration, middleware), even though the provider supplies the virtualized infrastructure. The scenario explicitly says they do not manage OS or servers.

SaaS (C) provides a complete finished application that the customer uses; customers typically cannot deploy their own custom application logic onto it in the way described.

XaaS (D) is a broad umbrella term, not the specific NIST-style service model classification being asked.

Therefore, the correct answer is B. Platform as a Service (PaaS).