Certified Ethical Hacker (CEH v12) — Question 130
In an advanced persistent threat scenario, an adversary follows a detailed set of procedures in the cyber kill chain. During one such instance, the adversary has successfully gained access to a corporate network and now attempts to obfuscate malicious traffic within legitimate network traffic. Which of the following actions would most likely be part of the adversary's current procedures?
Answer options
- A. Employing data staging techniques to collect and aggregate sensitive data.
- B. Initiating DNS tunneling to communicate with the command-and-control server.
- C. Establishing a command-and-control server to communicate with compromised systems.
- D. Conducting internal reconnaissance using PowerShell scripts.
Correct answer: B
Explanation
B is correct because DNS tunneling lets the attacker communicate covertly with the command-and-control server by embedding data in DNS queries, which blend in with the network's legitimate DNS traffic. Option A is incorrect because it pertains to data collection. Option C focuses on establishing a server, which is not the action currently being taken. Option D involves reconnaissance, which is not about obfuscating traffic.