Certified Ethical Hacker (CEH v13) — Question 270
In an advanced persistent threat scenario, an adversary follows a detailed set of procedures in the cyber kill chain. During one such instance, the adversary has successfully gained access to a corporate network and now attempts to obfuscate malicious traffic within legitimate network traffic. Which of the following actions would most likely be part of the adversary's current procedures?
Answer options
- A. Employing data staging techniques to collect and aggregate sensitive data.
- B. Initiating DNS tunneling to communicate with the command-and-control server.
- C. Establishing a command-and-control server to communicate with compromised systems.
- D. Conducting internal reconnaissance using PowerShell scripts.
Correct answer: B
Explanation
The correct answer is B because DNS tunneling allows the adversary to covertly exchange data with the command-and-control server while blending in with normal DNS traffic. Options A, C, and D do not specifically address the need to obfuscate malicious traffic within legitimate traffic at this stage of the attack.