Based on the exhibit, what type of threat is the security team most likely seeing on the workstation?
The alert shows PowerShell launching with encoded commands, hidden execution, and no suspicious file written to disk. That behavior strongly suggests fileless malware, which relies on built-in tools and memory rather than dropping a traditional executable. The registry change also indicates persistence without a visible file-based payload.
Why this answer
The security team is most likely seeing fileless malware because the exhibit shows a PowerShell command that injects malicious code directly into memory (e.g., using Invoke-Mimikatz or a reflective DLL injection technique) without writing a persistent executable to disk. Fileless malware operates in-memory, leveraging legitimate system tools like PowerShell, WMI, or .NET to evade traditional signature-based antivirus detection, which matches the scenario described.
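As an added illustration (not part of the original question or its answer key), the following Python snippet scores constructed Windows telemetry for the indicators named above: an encoded PowerShell command, a hidden window, an execution-policy bypass, no script file on disk, and a Run-key autostart whose value data is itself an encoded command. The event field names, sample command lines and registry path are assumptions, not a real log schema.

```python
import base64
import re

# Constructed sample telemetry (field names are assumed, not a real log schema):
# one process-creation record per PowerShell launch, plus a registry value-set record.
ENC = base64.b64encode("Write-Output 'demo'".encode("utf-16le")).decode()  # benign payload
PROC_EVENTS = [
    {"cmdline": f"powershell.exe -NoP -W Hidden -Exec Bypass -EncodedCommand {ENC}"},
    {"cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]
REG_EVENT = {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
             "data": f"powershell.exe -W Hidden -enc {ENC}"}

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def indicators(cmdline):
    """List the fileless-style indicators present in one PowerShell command line."""
    found = []
    if decode_encoded_command(cmdline) is not None:
        found.append("encoded_command")
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmdline, re.I):
        found.append("hidden_window")
    if re.search(r"-exec(?:utionpolicy)?\s+bypass", cmdline, re.I):
        found.append("execution_policy_bypass")
    # The script body travels inside the command line, so there is no .ps1 to scan.
    if "encoded_command" in found and not re.search(r"-file\s+\S+\.ps1", cmdline, re.I):
        found.append("no_script_file_on_disk")
    return found

def is_fileless_candidate(event):
    """Encoded in-memory payload, no script file, plus at least one evasion switch."""
    found = indicators(event["cmdline"])
    return "no_script_file_on_disk" in found and (
        "hidden_window" in found or "execution_policy_bypass" in found)

def registry_autorun_is_fileless(reg_event):
    """Run-key autostart whose value data is itself an encoded PowerShell command."""
    in_run_key = re.search(r"\\CurrentVersion\\Run(?:Once)?\\", reg_event["key"], re.I)
    return bool(in_run_key) and "encoded_command" in indicators(reg_event["data"])
```

The same checks can be pointed at real process-creation and registry events (for example Sysmon Event ID 1 and 13) once the field names are mapped to that source.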
Exam trap
The trap here is that candidates often confuse fileless malware with a Trojan because both can use PowerShell, but the key distinction is that fileless malware avoids writing its payload to disk, while a Trojan relies on a dropped executable file.
How to eliminate wrong answers
Option A is wrong because a Trojan is a malicious program disguised as legitimate software that typically writes itself to disk and requires user execution, whereas the exhibit shows code running in memory without a persistent file. Option C is wrong because a worm is a self-replicating malware that spreads across networks by exploiting vulnerabilities, not by executing in-memory scripts on a single workstation. Option D is wrong because a rootkit is designed to hide its presence and maintain privileged access by modifying the operating system kernel or boot process, not by running transient in-memory scripts via PowerShell.