UDP scanning produces reliable "closed" results only when an ICMP Port Unreachable is returned. Silent responses indicate either open ports (no reply expected) or filtered ports (blocks dropping packets). CEH emphasizes that non-responses require retransmission or alternate verification techniques.

Maria most likely used fileless malware, because the scenario explicitly describes malicious activity that does not write a payload executable to disk and instead executes entirely in memory using PowerShell and process injection. In CEH-aligned malware classifications, fileless malware is characterized by leveraging legitimate system tools (often called "living off the land" utilities) such as PowerShell, WMI, cmd.exe, or scripting engines to execute attacker-controlled code without creating traditional malware files on the filesystem. Since many legacy antivirus solutions depend heavily on signature-based scanning of files on disk, purely memory- resident execution can reduce or eliminate typical AV detections and leave minimal artifacts in standard AV logs.
The description also mentions that after a reboot the system returns to normal, which strongly supports fileless behavior: if the attacker did not establish persistence (for example via registry run keys, scheduled tasks, services, or WMI event subscriptions), then the in-memory code and injected instructions would be cleared when memory is reset. The "abnormal spikes in resource usage" are consistent with malicious scripts running inside a trusted process context, where attackers may inject or reflectively load code to blend into normal operating activity and evade straightforward monitoring.
Why the other options are incorrect: a rootkit primarily focuses on stealth through deep system-level hiding (often kernel/driver-level) and is commonly associated with persistent concealment rather than "no disk footprint" PowerShell-only execution. A trojan is typically a malicious program masquerading as legitimate software and usually involves a delivered executable or application. Ransomware is defined by encrypting data and extorting payment, which is not described here.
Thus, the technique most consistent with the test is fileless malware executed via PowerShell and memory- only injection.

CEH v13 identifies ARP spoofing/poisoning as a primary MitM technique in local networks. In such attacks, a single IP address maps to multiple MAC addresses, indicating ARP table manipulation.
This anomaly allows attackers to intercept traffic between victims and gateways. Increased traffic or DNS activity may occur but are not definitive indicators. Thus, IP-to-MAC inconsistencies are the most reliable confirmation of MitM activity.

The correct answer is B. Launching SQL Injection Attacks because the scenario describes moving beyond merely locating inputs or detecting error behavior and into actively sending injection payloads that successfully alter query logic and change returned results. In a typical CEH-aligned SQL injection workflow, testers begin by identifying where user-controlled input enters the application (forms, URL parameters, cookies, headers), then perform basic tests to detect whether inputs affect backend SQL processing. Once a suspected injection point is found, the next step is to launch SQL injection attempts using crafted inputs designed to manipulate the query and demonstrate impact.
In this case, you "craft and submit multiple malicious inputs," and one payload "successfully manipulates the backend query," causing the application to return "additional appointment data that was not intended to be displayed." That outcome is a clear indicator that exploitation is underway: the injection is not hypothetical- it is functioning and changing the application's behavior in a way that reveals unauthorized data. This is characteristic of executing an SQL injection attack (in-band exploitation), such as using boolean logic manipulation (e.g., conditions that expand result sets) or other query-altering techniques. The emphasis is on the successful manipulation and unauthorized data exposure, which aligns with the attack execution phase.
Why the other options are less correct: Identifying Data Entry Paths would be earlier, when you locate the patient search field as a candidate parameter. Information Gathering and Vulnerability Detection generally refers to discovering and confirming the presence of weaknesses (often via initial probes, errors, or abnormal responses) rather than a confirmed payload that already returns unauthorized data. Database Enumeration is typically the follow-on step once exploitation is confirmed, where the tester extracts metadata such as database names, tables, columns, users, and versions. Here, you are demonstrating the injection's ability to retrieve extra records, which is the exploitation/attack-launch stage, not full enumeration yet.
Therefore, the step being performed is Launching SQL Injection Attacks.

CEH v13 explains that a keylogger is a type of spyware designed to capture user input covertly, often storing or transmitting captured data-such as passwords, emails, chat messages, and financial information-to an attacker. Keyloggers can be implemented as software, firmware, or hardware, and they operate silently in the background without affecting system performance, making them ideal for credential theft. CEH categorizes keyloggers under spying and monitoring malware frequently used in the System Hacking phase to escalate privileges or move laterally once credentials are harvested. Unlike rootkits, which hide processes, or ransomware, which encrypts files, a keylogger's main purpose is passive surveillance. CEH emphasizes how attackers deploy keyloggers post-compromise or use phishing/social engineering to trick victims into installing them. Their covert nature and ability to bypass traditional AV solutions by masquerading as legitimate processes make identifying them crucial during forensics and incident response activities.