nerdexam
EC-Council

312-50V10 · Question #839

Clark is a professional hacker. He created and configured multiple domains pointing to the same host to switch quickly between the domains and avoid detection. Identify the behavior of the adversary I

The correct answer is A. use of command-line interface. Clark creates multiple domains pointing to the same host and rotates between them to avoid detection, a technique classified as use of command-line interface in adversary behavior.

Evading IDS, Firewalls, and Honeypots

Question

Clark is a professional hacker. He created and configured multiple domains pointing to the same host to switch quickly between the domains and avoid detection. Identify the behavior of the adversary In the above scenario.

Options

  • Ause of command-line interface
  • BData staging
  • CUnspecified proxy activities
  • DUse of DNS tunneling

How the community answered

(56 responses)
  • A
    84% (47)
  • B
    2% (1)
  • C
    5% (3)
  • D
    9% (5)

Why each option

Clark creates multiple domains pointing to the same host and rotates between them to avoid detection, a technique classified as use of command-line interface in adversary behavior.

Ause of command-line interfaceCorrect

In adversary operational tradecraft, use of the command-line interface refers to leveraging CLI-based scripting and automation to configure and manage multiple domain entries that resolve to the same host, enabling rapid domain rotation to evade detection and blacklisting. Attackers script DNS record creation and switching via command-line DNS management tools, making infrastructure appear to change frequently while maintaining control over the same underlying host. This behavior is categorized as CLI-driven infrastructure manipulation to confuse defenders and avoid signature-based blocking.

BData staging

Data staging refers to the aggregation and temporary storage of stolen data on a compromised system or intermediate server prior to exfiltration, not domain configuration or rotation.

CUnspecified proxy activities

Unspecified proxy activities involve routing attack traffic through proxy servers or intermediaries to obscure the origin IP address, which is distinct from configuring multiple domains to resolve to the same host.

DUse of DNS tunneling

DNS tunneling encodes command-and-control communications or data within DNS query and response packets to bypass network monitoring, which is different from creating multiple pointing domains to evade detection.

Concept tested: Adversary use of multiple domains for detection evasion

Source: https://attack.mitre.org/techniques/T1059/

Topics

#fast-flux DNS#domain rotation#detection evasion#C2 infrastructure

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice