
312-50V13 Question #226: Real Exam Question with Answer & Explanation

Submitted by fatema_kw · Mar 6, 2026 · Malware Threats

Question

Security administrator John Smith has noticed abnormal amounts of traffic coming from local computers at night. Upon reviewing, he finds that user data have been exfiltrated by an attacker. AV tools are unable to find any malicious software, and the IDS/IPS has not reported on any non-whitelisted programs. What type of malware did the attacker use to bypass the company's application whitelisting?

Options

  • A. Phishing malware
  • B. Zero-day malware
  • C. File-less malware
  • D. Logic bomb malware

Explanation

File-less Malware Explanation

File-less malware (C) is correct because it operates entirely within a system's memory (RAM) and leverages legitimate, whitelisted tools (such as PowerShell, WMI, or built-in OS utilities) rather than installing executable files on disk - this is precisely why AV tools found nothing and the IDS/IPS didn't flag any non-whitelisted programs, as no unauthorized applications were ever written to the hard drive.

Why the distractors are wrong:

  • A (Phishing) is an attack delivery method, not a type of malware that bypasses whitelisting
  • B (Zero-day) exploits unknown vulnerabilities, but it would still likely leave detectable files that AV tools could eventually identify
  • D (Logic bomb) is dormant malware triggered by a specific condition; it still requires a file to be planted on the system, making it detectable by AV tools

💡 Memory Tip: Think of file-less malware as a "ghost in the machine" - it leaves no physical trace (no files on disk), lives only in memory, and haunts legitimate system processes. If a scenario mentions "nothing found on disk" + "AV missed it" + "whitelisting bypassed," always think file-less.

Topics

#Malware types · #File-less malware · #Whitelisting bypass · #Evasion techniques
