Cybersecurity Quiz-130questions

The document is a cybersecurity quiz focused on system hacking concepts, covering various topics such as vulnerabilities, exploits, and hacking techniques. It includes multiple-choice questions with correct answers provided for each question. Key concepts include privilege escalation, payloads, and different types of attacks like buffer overflow and password cracking.

Cybersecurity Quiz: System Hacking Concepts

Instructions: Choose the best answer for each question.

1. Which of the following is NOT a typical goal of system hacking?
a) Access confidential data
b) Disrupt system functionality
c) Obtain a password for lateral movement
d) Improve the victim's security posture
Answer: d) Improve the victim's security posture

2. In the context of system hacking, what is the primary purpose of a "payload"?
a) To identify system vulnerabilities
b) To establish initial access
c) To execute the desired malicious code
d) To encrypt confidential data
Answer: c) To execute the desired malicious code

3. Which stage of system hacking typically involves using kernel or service flaws to gain higher permissions?
a) Gain access
b) Escalate privilege
c) Execute applications
d) Cover tracks
Answer: b) Escalate privilege

4. What is the primary difference between a "Bind Shell Payload" and a "Reverse Shell Payload"?
a) Bind shells are encrypted, reverse shells are not.
b) Bind shells require the attacker to connect to the victim; reverse
shells cause the victim to connect to the attacker.
c) Reverse shells are always more stable than bind shells.
d) Bind shells are used for data exfiltration; reverse shells are for
privilege escalation.
Answer: b) Bind shells require the attacker to connect to the victim;
reverse shells cause the victim to connect to the attacker.

5. What is "Exploit Chaining"?
a) The process of encrypting an exploit to bypass detection.
b) Using a single, complex exploit to achieve multiple objectives.
c) Combining multiple exploits to form a larger, more complex
attack.
d) Distributing exploits across multiple attackers.
Answer: c) Combining multiple exploits to form a larger, more
complex attack.

6. Which of the following vulnerabilities, exploited in 2022, primarily affects Microsoft Exchange Server and allows an attacker to bypass authentication?
a) ZeroLogon
b) Log4Shell
c) ProxyLogon
d) PetitPotam
Answer: c) ProxyLogon

7. The ZeroLogon vulnerability (CVE-2020-1472) is a cryptographic flaw primarily affecting which part of the login process?
a) Initialization vector (IV) being set to all zeros.
b) Use of weak encryption algorithms.
c) Insufficient password length enforcement.
d) Lack of multi-factor authentication.
Answer: a) Initialization vector (IV) being set to all zeros.

8. What is the primary risk associated with the VMware vSphere client
vulnerability (CVE-2021-21972)?
a) Information disclosure
b) Denial of service
c) Remote code execution and privilege escalation
d) Cross-site scripting
Answer: c) Remote code execution and privilege escalation

9. Which of the following is a characteristic of the Log4Shell vulnerability (CVE-2021-44228)?
a) It targets Windows operating systems exclusively.
b) It exploits a flaw in the JNDI lookup of the Apache Java logging
library Log4j.
c) It is a hardware-based exploit.
d) It requires physical access to the target system.
Answer: b) It exploits a flaw in the JNDI lookup of the Apache Java
logging library Log4j.

10. The PetitPotam vulnerability (CVE-2021-36942) targets Windows Servers and leverages which attack type?
a) SQL Injection
b) Cross-Site Request Forgery
c) NTLM relay attacks against Active Directory Certificate Services
d) Buffer overflow
Answer: c) NTLM relay attacks against Active Directory Certificate
Services

11. What is a "buffer overflow"?
a) A network congestion issue that slows down data transmission.
b) A condition where incoming data exceeds the allocated memory
size for an application's buffer.
c) An unauthorized access attempt to a database.
d) A type of denial-of-service attack that floods a server with
requests.
Answer: b) A condition where incoming data exceeds the allocated
memory size for an application's buffer.

12. Which of the following programming languages are MOST vulnerable to buffer overflows due to their lack of default bounds-checking?
a) Java and Python
b) C and C++
c) C# and Go
d) Ruby and JavaScript
Answer: b) C and C++

13. In a buffer overflow exploit, what is typically overwritten to redirect program execution to malicious code?
a) User input data
b) The function's return address
c) System configuration files
d) Network packet headers
Answer: b) The function's return address

14. What is the "kernel" in an operating system?
a) The user interface component.
b) The core part that manages memory, schedules processes, and
handles device I/O.
c) The application layer that interacts with users.
d) The network communication module.
Answer: b) The core part that manages memory, schedules
processes, and handles device I/O.

15. What is the significance of "Ring 0" in the Intel CPU architecture regarding privilege levels?
a) It is the least privileged ring where user applications run.
b) It is where device drivers operate.
c) It is the most privileged ring where the kernel runs.
d) It is reserved for virtual machines.
Answer: c) It is the most privileged ring where the kernel runs.

16. Which of the following is a tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities in Windows?
a) Watson
b) Linux Exploit Suggester
c) Searchsploit
d) Metasploit
Answer: a) Watson

17. The "DirtyPipe" vulnerability (CVE-2022-0847) is a recent local privilege escalation flaw affecting which operating system kernel?
a) Windows
b) macOS
c) Linux
d) FreeBSD
Answer: c) Linux

18. What is the primary impact of "Spectre" and "Meltdown" catastrophic kernel exploits?
a) They allow remote code execution without user interaction.
b) They enable an application to access kernel memory, breaking
fundamental security assumptions.
c) They cause denial-of-service by flooding the network.
d) They are used for password cracking.
Answer: b) They enable an application to access kernel memory,
breaking fundamental security assumptions.

19. Which Kali Linux utility is used to search a local copy of the
exploit-db.com database for exploits?
a) msfconsole
b) nmap
c) searchsploit
d) wireshark
Answer: c) searchsploit

20. What is the primary purpose of "PSTools" in a Windows environment?
a) To perform network vulnerability scanning.
b) To manage and troubleshoot systems, often remotely.
c) To crack passwords offline.
d) To analyze malware behavior.
Answer: b) To manage and troubleshoot systems, often remotely.

21. In Metasploit, what is the "Auxiliary" module category primarily used for?
a) Exploiting vulnerabilities
b) Generating payloads
c) Scanning targets
d) Post-exploitation tasks
Answer: c) Scanning targets

22. When using Metasploit, what command is used to display the available options for a selected exploit or payload?
a) info
b) show options
c) help
d) run
Answer: b) show options

23. What is the purpose of the set LHOST option when configuring
a reverse payload in Metasploit?
a) To specify the target's IP address.
b) To define the port on the victim machine.
c) To set the IP address of the listening attacker machine (handler).
d) To choose the type of payload.
Answer: c) To set the IP address of the listening attacker machine
(handler).

24. What is the "Meterpreter" payload in Metasploit?
a) A simple command-line shell.
b) A "gold standard" interactive shell with extensive post-
exploitation commands.
c) A payload that only allows data exfiltration.
d) A payload used exclusively for denial-of-service attacks.
Answer: b) A "gold standard" interactive shell with extensive post-
exploitation commands.

25. Which Meterpreter command is used to attempt to elevate the current privilege to SYSTEM?
a) getuid
b) sysinfo
c) getsystem
d) hashdump
Answer: c) getsystem

26. What is the purpose of the migrate command in Meterpreter?
a) To move Meterpreter to a different, more stable running process
on the victim.
b) To transfer files from the victim to the attacker.
c) To change the Meterpreter's IP address.
d) To restart the Meterpreter session.
Answer: a) To move Meterpreter to a different, more stable running
process on the victim.

27. What is a "keylogger"?
a) A device that encrypts keyboard input.
b) A software or hardware tool that records keystrokes.
c) A network monitoring tool.
d) A password cracking utility.
Answer: b) A software or hardware tool that records keystrokes.

28. Which of the following is a common defense mechanism against keyloggers?
a) Using default passwords.
b) Disabling antivirus software.
c) Installing anti-spyware/anti-virus programs and keeping them
updated.
d) Opening suspicious emails.
Answer: c) Installing anti-spyware/anti-virus programs and keeping
them updated.

29. What is "spyware" primarily designed to do?
a) Encrypt user data for ransom.
b) Monitor and log user actions without their knowledge.
c) Block network traffic.
d) Optimize system performance.
Answer: b) Monitor and log user actions without their knowledge.

30. Which notorious "zero-click" spyware, developed by NSO Group, can be covertly installed on mobile phones?
a) TrickBot
b) Agent Tesla
c) Pegasus
d) Zlob
Answer: c) Pegasus

31. What is "Netcat" often referred to as in the hacking community?
a) The "Swiss Army Knife" of hacking tools.
b) The "Master Exploit Framework."
c) The "Ultimate Password Cracker."
d) The "Network Defender."
Answer: a) The "Swiss Army Knife" of hacking tools.

32. In Netcat, what is the primary difference between "Client Mode" and "Listener Mode"?
a) Client mode transfers files; Listener mode performs port
scanning.
b) Client mode initiates the connection; Listener mode waits for an
incoming connection.
c) Listener mode is used for Windows; Client mode is for Linux.
d) Client mode is for encrypted communication; Listener mode is for
clear text.
Answer: b) Client mode initiates the connection; Listener mode
waits for an incoming connection.

33. What is "TCP Banner Grabbing" used for with Netcat?
a) To establish a persistent backdoor.
b) To transfer files between systems.
c) To identify the service and version running on a target port.
d) To create a reverse shell.
Answer: c) To identify the service and version running on a target
port.

34. What is the main security implication of a "Null Session" in Windows?
a) It allows remote code execution.
b) It enables anonymous enumeration of system information, users,
groups, and shares.
c) It creates a persistent backdoor that is difficult to remove.
d) It encrypts all network traffic.
Answer: b) It enables anonymous enumeration of system
information, users, groups, and shares.

35. Where are local user credentials primarily stored in a Windows computer?
a) In the Registry Editor.
b) In the %systemroot%\System32\config\SAM file.
c) In the Users folder.
d) In the Program Files directory.
Answer: b) In the %systemroot%\System32\config\SAM file.

36. What is the "Relative ID" (RID) in a Windows Security Identifier (SID)?
a) The unique identifier for the computer.
b) The part of the SID that distinguishes accounts with the same
name on different computers.
c) The timestamp of account creation.
d) The encryption key for the account.
Answer: b) The part of the SID that distinguishes accounts with the
same name on different computers.

37. What is the primary difference between LM and NT hashes in Windows?
a) LM hashes are case-sensitive; NT hashes are not.
b) LM hashes are unsalted and use a fixed 56-bit DES encryption; NT
hashes are unsalted MD4.
c) NT hashes are always longer than LM hashes.
d) LM hashes are used for network authentication; NT hashes are for
local logins.
Answer: b) LM hashes are unsalted and use a fixed 56-bit DES
encryption; NT hashes are unsalted MD4.

38. Which authentication protocol is known for its "challenge-response" mechanism and its vulnerability to "Pass the Hash" attacks due to unsalted password hashes?
a) Kerberos v5
b) NTLM
c) OAuth
d) OpenID Connect
Answer: b) NTLM

39. Where are Linux user accounts and their associated password
hashes typically stored, respectively?
a) /var/log/messages and /var/log/secure
b) /etc/passwd and /etc/shadow
c) /home and /root
d) /usr/bin and /usr/local
Answer: b) /etc/passwd and /etc/shadow

40. What is the primary characteristic of "brute force" password attacks?
a) They use a dictionary of common passwords.
b) They try every possible combination of characters until the
password is found.
c) They exploit a software vulnerability to bypass authentication.
d) They intercept passwords from network traffic.
Answer: b) They try every possible combination of characters until
the password is found.

41. What is a "Rainbow Table" used for in password cracking?
a) To generate new passwords.
b) To store clear-text passwords.
c) To store pre-computed hashes, speeding up the cracking process.
d) To encrypt password files.
Answer: c) To store pre-computed hashes, speeding up the cracking
process.

42. What is "Password Spraying"?
a) Trying many passwords against a single account.
b) Trying a single password against many accounts.
c) Using a rainbow table to crack multiple hashes.
d) Distributing password cracking tasks across multiple machines.
Answer: b) Trying a single password against many accounts.

43. Which of the following tools is an advanced password recovery utility that leverages GPU processing for cracking?
a) John the Ripper
b) Ophcrack
c) Hashcat
d) Cain & Abel
Answer: c) Hashcat

44. What is "Pass the Hash"?
a) An attack where the attacker steals clear-text passwords from
memory.
b) An attack where the attacker steals hashed user credentials and
uses the hash directly for authentication without cracking the
password.
c) An attack that encrypts password hashes.
d) An attack that modifies the password hash in the SAM database.
Answer: b) An attack where the attacker steals hashed user
credentials and uses the hash directly for authentication without
cracking the password.

45. What is "Privilege Escalation"?
a) Gaining initial access to a system.
b) Exploiting a bug or configuration oversight to execute code at a
higher privilege level.
c) Stealing user credentials from a database.
d) Disrupting network services.
Answer: b) Exploiting a bug or configuration oversight to execute
code at a higher privilege level.

46. What is "Pivoting" in the context of system hacking?
a) Changing the target system's IP address.
b) Using a compromised machine to gain access to an otherwise
inaccessible private network or service.
c) Recovering deleted files from a compromised system.
d) Encrypting network traffic to avoid detection.
Answer: b) Using a compromised machine to gain access to an
otherwise inaccessible private network or service.

47. What is an "Alternate Data Stream" (ADS) in NTFS?
a) A backup copy of a file.
b) A hidden "stream" of data attached to a primary file, used to hide
information.
c) A network share for file transfers.
d) A temporary file created by the operating system.
Answer: b) A hidden "stream" of data attached to a primary file,
used to hide information.

48. What is "Steganography"?
a) The art and science of encrypting messages.
b) The art and science of hiding information by embedding
messages within other, seemingly harmless messages.
c) The process of analyzing network traffic.
d) The technique of bypassing firewalls.
Answer: b) The art and science of hiding information by embedding
messages within other, seemingly harmless messages.

49. Which of the following is NOT a common method for hiding files and data on a compromised system?
a) Using file attributes (e.g., hidden flag).
b) Storing data in Alternate Data Streams (ADS).
c) Renaming files with a .exe extension.
d) Using steganography.
Answer: c) Renaming files with a .exe extension.

50. What is the primary purpose of "Covering Tracks" in system hacking?
a) To encrypt all exfiltrated data.
b) To remove or falsify logs and artifacts to avoid detection.
c) To establish persistent access to the system.
d) To perform a comprehensive vulnerability scan.
Answer: b) To remove or falsify logs and artifacts to avoid
detection.

Introduction to Malware

Instructions: Choose the best answer for each question.

1. Which of the following best defines "malware"?
a) Any software that helps optimize computer performance.
b) A file, program, or code string used for malicious activity like
damaging devices or stealing data.
c) Software designed to protect against cyber threats.
d) A legitimate program that requires user consent to install.
Answer: b) A file, program, or code string used for malicious
activity like damaging devices or stealing data.

2. Malware is typically classified by its:
a) File size and creation date.
b) Payload or malicious action it performs.
c) Programming language used.
d) Developer's country of origin.
Answer: b) Payload or malicious action it performs.

3. Which malware component is responsible for using encryption and obfuscation to make the malware difficult to detect?
a) Dropper
b) Payload
c) Cryptor
d) Injector
Answer: c) Cryptor

4. What is the primary function of a "Dropper" or "Stager" malware component?
a) To perform the main malicious activity directly.
b) To establish an initial foothold and then download the bulk of the
malware.
c) To encrypt user files for ransom.
d) To hide the malware within legitimate processes.
Answer: b) To establish an initial foothold and then download the
bulk of the malware.

5. What is the common misconception regarding malware and viruses?
a) All malware is a worm.
b) All viruses are ransomware.
c) All malware is a virus.
d) All exploits are malware.
Answer: c) All malware is a virus.

6. Which type of malware is self-replicating and can spread independently without human intervention?
a) Virus
b) Trojan
c) Worm
d) Adware
Answer: c) Worm

7. A program that takes advantage of a specific weakness (vulnerability) in a system is called an:
a) Exploit
b) Payload
c) Rootkit
d) Wrapper
Answer: a) Exploit

8. Which of the following is a method by which malware can get onto systems?
a) Black hat Search Engine Optimization (SEO) manipulation.
b) Legitimate software updates.
c) Using a secure VPN.
d) Encrypting network traffic.
Answer: a) Black hat Search Engine Optimization (SEO)
manipulation.

9. What is a "Drive-by Download"?
a) A file downloaded intentionally by the user from a trusted
website.
b) Malware installed by exploiting browser software flaws just by
visiting a webpage.
c) Software installed via infected removable media.
d) A malicious email attachment that the user clicks.
Answer: b) Malware installed by exploiting browser software flaws
just by visiting a webpage.

10. Which of these is an indicator of malware infection?
a) Computer running faster than usual.
b) Browser window or apps freezing frequently.
c) Increased available hard drive space.
d) Regular system updates.
Answer: b) Browser window or apps freezing frequently.

11. A virus that inserts or attaches itself to a legitimate program or document to execute its code is typically transmitted through:
a) Direct network connections.
b) File downloads, infected removable disk drives, flash drives, and
email attachments.
c) Cloud-based services.
d) Hardware vulnerabilities.
Answer: b) File downloads, infected removable disk drives, flash
drives, and email attachments.

12. What is the primary characteristic of a "Transient Virus"?
a) It loads itself into memory and stays there.
b) It encrypts files on the system.
c) It disappears after running.
d) It infects multiple file types.
Answer: c) It disappears after running.

13. Which virus type modifies directory table entries to point users or system processes to the virus code rather than the actual application?
a) Boot Sector Virus
b) File Virus
c) Multipartite Virus
d) Cluster Virus
Answer: d) Cluster Virus

14. What is a "Macro Virus" typically written in?
a) C++
b) Python
c) Visual Basic for Applications (VBA)
d) Java
Answer: c) Visual Basic for Applications (VBA)

15. A "Cavity Virus" is also known as a:
a) Boot Sector Virus
b) File Overwriting Virus
c) Macro Virus
d) Compression Virus
Answer: b) File Overwriting Virus

16. Which self-hiding virus takes advantage of a user convenience feature that hides common file extensions for known file types (e.g., goodfile.txt.exe)?
a) Cavity Virus
b) File Extension Virus
c) Shell Virus
d) Stealth Virus
Answer: b) File Extension Virus

17. A "Polymorphic Virus" is characterized by its ability to:
a) Only infect files of a certain size.
b) Mutate while keeping the original algorithm intact, making it hard
to detect via signatures.
c) Infect both boot sectors and files.
d) Compress itself to evade detection.
Answer: b) Mutate while keeping the original algorithm intact,
making it hard to detect via signatures.

18. What is the primary method used by a "Stealth/Tunneling Virus" to evade antivirus software?
a) Encrypting its code.
b) Intercepting requests to the operating system and returning an
uninfected version of the file.
c) Changing its file extension.
d) Spreading only on specific network protocols.
Answer: b) Intercepting requests to the operating system and
returning an uninfected version of the file.

19. Which recent worm example searched for Windows machines vulnerable to EternalBlue buffer overflow and installed WannaCry ransomware?
a) Code Red II
b) Morris
c) Conficker
d) WannaCry ransomware worm
Answer: d) WannaCry ransomware worm

20. What is a "Trojan" (Trojan Horse)?
a) A self-replicating program that spreads independently.
b) A malicious program hidden inside another seemingly legitimate
program.
c) A program that encrypts user files.
d) A program that records keystrokes.
Answer: b) A malicious program hidden inside another seemingly
legitimate program.

21. Which type of Trojan typically provides an attacker with a complete graphic user interface (GUI) access to the target computer remotely?
a) Defacement Trojan
b) FTP Trojan
c) Remote Access Trojan (RAT)
d) Proxy Server Trojan
Answer: c) Remote Access Trojan (RAT)

22. What is the primary function of a "Proxy Server Trojan"?
a) To deface websites.
b) To install an FTP server on the target.
c) To allow a remote attacker to use the target computer as a proxy
to connect to the Internet.
d) To record screenshots and video.
Answer: c) To allow a remote attacker to use the target computer
as a proxy to connect to the Internet.

23. What is "ICMP Tunneling" primarily used for by Trojans?
a) To encrypt all network communications.
b) To carry a payload and silently access or control a target
computer using ICMP echo requests/replies.
c) To perform denial-of-service attacks.
d) To bypass physical security measures.
Answer: b) To carry a payload and silently access or control a target
computer using ICMP echo requests/replies.

24. "E-Banking Trojans" primarily aim to:
a) Infect mobile devices with ransomware.
b) Intercept a target's banking account information before it is
encrypted.
c) Perform distributed denial-of-service attacks.
d) Create backdoors for remote access to the operating system.
Answer: b) Intercept a target's banking account information before
it is encrypted.

25. What is a "Rootkit"?
a) Software that encrypts user files and demands payment.
b) Software put in place by an attacker to obscure system
compromise and hide processes/files.
c) A type of virus that infects boot sectors.
d) A program that displays unwanted advertisements.
Answer: b) Software put in place by an attacker to obscure system
compromise and hide processes/files.

26. Which level of rootkit replaces the boot loader with one
controlled by the hacker?
a) Application level
b) Kernel level
c) Boot loader level
d) Library level
Answer: c) Boot loader level

27. What is the primary challenge in detecting rootkits?
a) They only infect specific file types.
b) Their activities run at a very low level, often below antivirus
software.
c) They require human intervention to spread.
d) They only operate on specific network ports.
Answer: b) Their activities run at a very low level, often below
antivirus software.

28. Which rootkit detection method compares all system processes and executable files to a database with known rootkit signatures?
a) Integrity-based
b) Heuristic/Behavior-based
c) Signature-based
d) Cross View-Based
Answer: c) Signature-based

29. What is the recommended way to clean a system infected with a kernel-level rootkit?
a) Running an antivirus scan.
b) Performing a kernel memory dump analysis.
c) Completely wiping the hard drive and performing a clean OS
installation.
d) Installing a HIDS/HIPS.
Answer: c) Completely wiping the hard drive and performing a
clean OS installation.

30. What is "Fileless Malware"?
a) Malware that encrypts files on the system.
b) Malware that relies on legitimate programs to infect a computer
and leaves no footprint.
c) Malware that only exists as a physical device.
d) Malware that only infects executable files.
Answer: b) Malware that relies on legitimate programs to infect a
computer and leaves no footprint.

31. What is "Adware" primarily designed to do?
a) Steal sensitive personal information.
b) Automatically display advertisements online to generate revenue.
c) Encrypt user files for ransom.
d) Create backdoors for remote access.
Answer: b) Automatically display advertisements online to
generate revenue.

32. What is a "Logic Bomb"?
a) Malware that creates fake antivirus alerts.
b) Malware that executes a program when a certain event happens
or a date/time arrives.
c) Malware that tracks browsing history.
d) Malware that floods internet connections.
Answer: b) Malware that executes a program when a certain event
happens or a date/time arrives.

33. "Cryptomining Malware" primarily utilizes compromised machine resources for what activity?
a) Stealing personal data.
b) Mining cryptocurrency.
c) Displaying advertisements.
d) Performing DDoS attacks.
Answer: b) Mining cryptocurrency.

34. What is "Ransomware"?
a) Malware that installs a backdoor for remote access.
b) Malicious software designed to deny access to a computer until a
price is paid.
c) Malware that displays unwanted advertisements.
d) Malware that records keystrokes.
Answer: b) Malicious software designed to deny access to a
computer until a price is paid.

35. What is the typical encryption method used by ransomware to encrypt files?
a) DES
b) AES 128-bit
c) RSA 1024 - 2048 public key
d) XOR
Answer: c) RSA 1024 - 2048 public key

36. What is the recommended action if your system is infected with ransomware?
a) Immediately pay the ransom.
b) Keep a good backup instead of paying the ransom.
c) Try to decrypt files using online tools without a key.
d) Disconnect from the internet and do nothing.
Answer: b) Keep a good backup instead of paying the ransom.

37. What is a "Botnet"?
a) A single, highly sophisticated malware program.
b) A network of compromised "zombie" computers controlled by
Command and Control (C&C) servers.
c) A specialized tool for cracking passwords.
d) A legitimate network monitoring system.
Answer: b) A network of compromised "zombie" computers
controlled by Command and Control (C&C) servers.

38. What is "Beaconing" in the context of botnets?
a) The process of infecting new machines.
b) The periodic connection of a zombie to its C&C server to check for
attack instructions.
c) The method used to encrypt C&C communications.
d) The distribution of spam emails from a botnet.
Answer: b) The periodic connection of a zombie to its C&C server to
check for attack instructions.

39. What is "Malware-as-a-Service" (MaaS)?
a) A cloud-based antivirus solution.
b) A service that provides botnets for hire.
c) A platform for malware analysis.
d) A tool for creating custom malware.
Answer: b) A service that provides botnets for hire.

40. What is the primary purpose of a "Cryptor" in malware creation?
a) To generate new exploits.
b) To bundle multiple malware files into one executable.
c) To encrypt and obfuscate malware to bypass detection.
d) To deliver the final payload to the target.
Answer: c) To encrypt and obfuscate malware to bypass detection.

41. Which tool is commonly used to create Trojan droppers/stagers/downloaders with built-in obfuscation features?
a) Netcat
b) Metasploit's msfvenom
c) Wireshark
d) Nmap
Answer: b) Metasploit's msfvenom

42. What is an "Exploit Kit"?
a) A collection of antivirus definitions.
b) A platform used to create and deliver exploits and payloads.
c) A tool for network traffic analysis.
d) A framework for reverse engineering malware.
Answer: b) A platform used to create and deliver exploits and
payloads.

43. Which technique is used to evade antivirus detection by changing the malware's content using a hex editor or altering its checksum?
a) Encryption of the malware.
b) Breaking the malware file into multiple pieces.
c) Changing the malware's syntax.
d) All of the above.
Answer: d) All of the above.

44. What is "Behavioral Analysis" in virus detection approaches?
a) Comparing system files to a database of known signatures.
b) Monitoring the actions of installed programs for odd behaviors.
c) Using an online database for detection.
d) Infecting a system in a controlled environment.
Answer: b) Monitoring the actions of installed programs for odd
behaviors.

45. What is "Sandbox Analysis" in malware detection?
a) Scanning files for known signatures.
b) Deliberately infecting a system in a controlled environment to
monitor and record all actions.
c) Analyzing network traffic for suspicious patterns.
d) Comparing registry keys to a known good state.
Answer: b) Deliberately infecting a system in a controlled
environment to monitor and record all actions.

46. Which tool is primarily used to monitor real-time file system, Registry, and process/thread activity in Windows?
a) TCPView
b) Process Monitor
c) CurrPorts
d) Nagios XI
Answer: b) Process Monitor

47. What is the purpose of scanning for suspicious device drivers?
a) To identify malware installed via untrusted drivers.
b) To check for outdated drivers.
c) To optimize driver performance.
d) To backup device drivers.
Answer: a) To identify malware installed via untrusted drivers.

48. What is the primary goal of "Cloud-based Antivirus" solutions?
a) To store all antivirus definitions locally on the user's device.
b) To provide access to a larger threat database without housing it
on the user's hard drive.
c) To only detect malware that is already known.
d) To require manual updates from the user.
Answer: b) To provide access to a larger threat database without
housing it on the user's hard drive.

49. When performing malware analysis, what is "Static Analysis"?
a) Running the executable in a sandboxed environment.
b) Analyzing binaries without actually running them, looking at
metadata, strings, etc.
c) Monitoring network activity in real-time.
d) Observing malicious runtime behavior.
Answer: b) Analyzing binaries without actually running them,
looking at metadata, strings, etc.

50. What is "Sheep-dipping" in the context of malware detection?
a) A method for distributing malware across a network.
b) A pre-emptive effort to detect and clean malware in a sandboxed
environment before production deployment.
c) A technique for encrypting malware to bypass detection.
d) A process for reverse engineering malware.
Answer: b) A pre-emptive effort to detect and clean malware in a
sandboxed environment before production deployment.

Social Engineering Concepts & Techniques

Instructions: Choose the best answer for each question.

1. What is the core definition of "social engineering"?
a) The use of advanced hacking tools to bypass firewalls.
b) The psychological manipulation of people into divulging
confidential information or performing actions they shouldn’t do.
c) The process of encrypting sensitive data to prevent unauthorized
access.
d) The design of secure social media platforms.
Answer: b) The psychological manipulation of people into divulging
confidential information or performing actions they shouldn’t do.

2. Social engineers primarily exploit which human characteristic?
a) Their technical expertise.
b) Their awareness of information value and proper protection.
c) Their ability to detect malware.
d) Their resistance to authority.
Answer: b) Their awareness of information value and proper
protection.

3. Which of the following is NOT listed as a potential impact of a social engineering attack on an organization?
a) Financial loss
b) Increased market share
c) Loss of privacy
d) Potential terrorism
Answer: b) Increased market share

4. Which human motivation is exploited when an attacker creates a sense of immediate need or importance to pressure a victim into acting quickly?
a) Greed
b) Curiosity
c) Urgency
d) Helpfulness
Answer: c) Urgency

5. What is considered the "weakest link" in security policies, making social engineering effective?
a) Technology limitations.
b) Human factors.
c) Budget constraints.
d) Lack of physical security.
Answer: b) Human factors.

6. In the phases of social engineering, what is the primary activity during the "Developing Relationship" stage?
a) Gathering sensitive information.
b) Determining the most vulnerable employees.
c) Forming a relationship with target employees.
d) Researching the target organization's website.
Answer: c) Forming a relationship with target employees.

7. Which social engineering technique involves calling a victim and pretending to be a trusted authority figure, such as IT support?
a) Pretexting
b) Impersonation
c) Quid-pro-quo
d) Tailgating
Answer: b) Impersonation

8. What is "Pretexting"?
a) Following an authorized person into a restricted area without their
knowledge.
b) Giving the victim a fake reason for requesting something from
them.
c) Offering a service in exchange for information.
d) Overlaying an invisible HTML element on a webpage.
Answer: b) Giving the victim a fake reason for requesting
something from them.

9. What is the key distinction between "Tailgating" and "Piggybacking"?
a) Tailgating involves physical force, while piggybacking uses
deception.
b) Tailgating is without the authorized person's knowledge;
piggybacking is with their consent (though deceived).
c) Tailgating is a remote attack, while piggybacking requires physical
presence.
d) Tailgating targets individuals, while piggybacking targets
organizations.
Answer: b) Tailgating is without the authorized person's knowledge;
piggybacking is with their consent (though deceived).

10. Which phishing variant specifically targets a high-value person, such as a CEO or celebrity?
a) Vishing
b) Smishing
c) Spear Phishing
d) Whaling
Answer: d) Whaling

11. "Pharming" is a technique that redirects a user to a bogus website mimicking a legitimate one, often performed through:
a) Sending fake emails with malicious attachments.
b) Modifying a HOSTS file or corrupting a DNS server/resolver cache.
c) Offering a reward for personal information.
d) Spying over a victim's shoulder.
Answer: b) Modifying a HOSTS file or corrupting a DNS
server/resolver cache.

12. What does "Clickjacking" involve?
a) Redirecting users to malicious websites via misspelled URLs.
b) Overlaying an invisible (malicious) HTML element on top of a web
page.
c) Sending pre-recorded voice messages to pressure victims.
d) Stealing RFID card information.
Answer: b) Overlaying an invisible (malicious) HTML element on top
of a web page.

13. Which social engineering attack promises the victim a reward, often using innocent-looking hardware to entice them?
a) Ransomware
b) Fake Malware
c) Baiting
d) Shoulder Surfing
Answer: c) Baiting

14. What is "Dumpster Diving"?
a) Searching through online databases for sensitive information.
b) Going through someone's trash to find discarded, but still
valuable/sensitive information.
c) Using a mobile device to spy on someone from a distance.
d) Exploiting software vulnerabilities to gain access.
Answer: b) Going through someone's trash to find discarded, but
still valuable/sensitive information.

15. What is "URL Hijacking" also known as?
a) Pharming
b) Water-holing
c) Typosquatting
d) Clickjacking
Answer: c) Typosquatting

16. Which social engineering technique involves scattering compromised USB sticks where users will find them, hoping they will plug them into their machines?
a) RFID Skimming
b) USB Stick Baiting
c) USB Cable Baiting
d) Water-holing
Answer: b) USB Stick Baiting

17. What is the primary characteristic of "Hoaxes" in non-phishing attacks?
a) They offer get-rich-quick schemes.
b) They are intended to elicit fear, anger, or seem important to trick
users into action.
c) They flood user inboxes with unsolicited mail.
d) They encourage individuals to follow a link by offering a product.
Answer: b) They are intended to elicit fear, anger, or seem
important to trick users into action.

18. What is a "Cognitive Password attack"?
a) An attack that brute-forces passwords using a dictionary.
b) A knowledge-based authentication attack that leverages publicly
available personal information.
c) An attack that intercepts password hashes from network traffic.
d) An attack that uses a keylogger to capture passwords.
Answer: b) A knowledge-based authentication attack that
leverages publicly available personal information.

19. What is "Identity Theft"?
a) The act of stealing a computer to gain access to data.
b) A crime in which one person steals another person's name and
personal information to commit fraud.
c) The process of impersonating an IT administrator.
d) The unauthorized access to a social media account.
Answer: b) A crime in which one person steals another person's
name and personal information to commit fraud.

20. Which of the following is a countermeasure against identity theft?
a) Clicking on suspicious links in emails.
b) Sharing all personal information on social media.
c) Subscribing to a reputable identity theft protection service.
d) Using public Wi-Fi for financial transactions.
Answer: c) Subscribing to a reputable identity theft protection
service.

21. An "insider threat" is defined as the potential for an insider to use their authorized access or understanding of an organization to:
a) Improve company profits.
b) Harm the organization.
c) Conduct market research.
d) Develop new security policies.
Answer: b) Harm the organization.

22. Which of these is an indicator of a potential insider threat?
a) Consistent high performance appraisals.
b) Unexplained financial gain.
c) Regular working hours.
d) Agreement with company policies.
Answer: b) Unexplained financial gain.

23. Which of the following is a recommended social engineering countermeasure for employees?
a) Giving out passwords via phone if asked by IT.
b) Consulting their manager if unsure what to do.
c) Disabling spam filters on email servers.
d) Allowing guests to roam freely onsite.
Answer: b) Consulting their manager if unsure what to do.

24. To counter phishing attacks, what should employees be trained to examine in message headers?
a) The sender's name and email address only.
b) Phone numbers and actual sender information.
c) The length of the message.
d) The color scheme of the email.
Answer: b) Phone numbers and actual sender information.

25. What is the primary purpose of the "Social-Engineer Toolkit" (SET)?
a) To perform network vulnerability scans.
b) To conduct advanced social engineering attacks against humans.
c) To analyze malware behavior.
d) To manage system configurations.
Answer: b) To conduct advanced social engineering attacks against
humans.

26. Which tool is used to create malicious USB sticks for USB
baiting?
a) PhishTank
b) Wifiphisher
c) Metasploit Framework/msfvenom
d) SPF SpeedPhish framework
Answer: c) Metasploit Framework/msfvenom

27. What is "ZitMo" (ZeuS-in-the-Mobile)?
a) A mobile game with hidden malware.
b) Banking malware ported to Android.
c) A tool for social media analysis.
d) A type of fileless malware.
Answer: b) Banking malware ported to Android.

28. What is the best defense against insider threats?
a) Implementing only technical controls.
b) Relying solely on employee background checks.
c) A holistic insider threat mitigation program including detection,
identification, assessment, and management.
d) Restricting all employee access to company resources.
Answer: c) A holistic insider threat mitigation program including
detection, identification, assessment, and management.

29. What is the main advice for users regarding social media to
counter social engineering?
a) To accept all friend requests to expand their network.
b) To post as much personal information as possible to build trust.
c) To treat unexpected messages and posts with caution and
optimize privacy settings.
d) To automatically trust all social media ads and groups.
Answer: c) To treat unexpected messages and posts with caution
and optimize privacy settings.

30. In the context of social engineering, what does "Human Motivation" refer to?
a) The attacker's reason for launching an attack.
b) The psychological triggers that make individuals susceptible to
social engineering tactics.
c) The organizational goals for improving security.
d) The technological advancements in social engineering tools.
Answer: b) The psychological triggers that make individuals
susceptible to social engineering tactics.
