While reviewing exposed infrastructure for a logistics company in Denver, Joe, a security analyst, identifies that one host is synchronizing time using UDP port 123. Probing further, he issues queries to extract details about peers, offsets, and delays. This allows him to gather internal hostnames and client IP addresses connected to the time server. Such information leakage could provide insight into the company's internal network structure. Which technique was most likely used to obtain this information?
Correct Answer: B
The correct answer is B. NTP Enumeration because the indicators and the data obtained match enumeration of the Network Time Protocol (NTP) service, which commonly runs on UDP port 123. In CEH-aligned reconnaissance and enumeration concepts, attackers often enumerate exposed services to learn configuration and internal details that can assist with follow-on attacks. When NTP is reachable from untrusted networks and is misconfigured (or supports certain query modes), it can leak information about the time server's peers, synchronization status, and operational metrics such as offset and delay, exactly the attributes described in the scenario.
The prompt also notes that Joe can gather internal hostnames and client IP addresses connected to the time server. This aligns with how NTP can reveal associated systems and relationships: time servers often have multiple internal clients, upstream peers, or configured associations. Queries that expose peer/association information can unintentionally disclose internal naming conventions, IP address ranges, and network structure, all valuable intelligence for an attacker conducting mapping and target selection. In addition, time infrastructure is frequently centralized, so enumerating it can provide a hub-like view of the environment.
Why the other options are incorrect: DNS zone transfer enumeration is associated with DNS AXFR and typically yields DNS records such as subdomains and MX/CNAME entries, not NTP peers/offsets/delays and not UDP 123. VoIP enumeration targets telephony protocols and services (e.g., SIP) on different ports and would not center on time synchronization metrics. NetBIOS enumeration involves ports 137-139 and returns NetBIOS name and session information, not NTP operational data. Therefore, the technique used to obtain peer, offset, delay, and connected client details from a UDP/123 time server is NTP enumeration.
312-50v13 Exam Question 57
Ethical hacker Ryan Brooks, a skilled penetration tester from Austin, Texas, was hired by Skyline Aeronautics, a leading aerospace firm in Denver, to conduct a security assessment. One stormy morning, Ryan noticed an unexpected lag in the routine system update process while running his tests, sparking his curiosity. During a late-night session, he observed a junior analyst, Chris Miller, cautiously modifying a legacy server's configuration, including a scheduled task set to a specific date. The lead developer, Jessica Hayes, casually mentioned receiving an odd email from an unfamiliar source, which she ignored as clutter. As Ryan probed deeper, he detected a faint increase in network activity only after the scheduled date passed, and a systems admin, Mark Thompson, quickly pointed out some unusual code traces on a dormant workstation. Which type of threat best characterizes this attack?
Correct Answer: A
A logic bomb is malware or malicious code that is deliberately planted within a system and configured to execute when a specific condition is met, such as a particular date and time, a user action, or the presence or absence of a file. CEH materials describe logic bombs as condition-based triggers that can remain dormant for extended periods, producing minimal indicators until the trigger occurs. The most decisive clue in this scenario is the "scheduled task set to a specific date," followed by abnormal behavior that appears only after that date passes. This is a textbook trigger mechanism used to activate malicious actions while avoiding early detection. The "odd email from an unfamiliar source" suggests an initial delivery or social engineering vector, but the core behavior is the delayed activation. The later "faint increase in network activity only after the scheduled date passed" aligns with a logic bomb executing a payload such as beaconing, data exfiltration, or enabling remote access. The "unusual code traces on a dormant workstation" further supports the idea of implanted code that was inactive until triggered. Fileless malware emphasizes execution in memory using legitimate tools such as PowerShell or WMI and is defined more by its living-off-the-land technique than by a date-based trigger. An APT describes a broader campaign style involving long-term, multi-stage intrusion, not a single defining trigger artifact. Ransomware is characterized by encryption and extortion behavior, which is not described. Therefore, the threat is best characterized as a logic bomb.
312-50v13 Exam Question 58
At a private aerospace research facility in Mesa, Arizona, an executive raises concerns after sensitive discussion points from speakerphone meetings begin surfacing externally. The device shows no indicators of active audio recording, and application permission history does not reflect recent camera or microphone authorization changes. A forensic mobile analysis identifies that an installed application has been continuously reading motion sensor output while the phone's loudspeaker is active. The collected sensor data was later transmitted to a remote server, where acoustic characteristics were reconstructed from the recorded measurements. Identify the attack technique responsible for this compromise.
Correct Answer: A
The correct answer is Spearphone Attack. CEH mobile platform coverage describes Spearphone as a side-channel attack in which motion sensors, such as accelerometers or gyroscopes, are abused to infer or reconstruct audio from vibrations produced by a phone's loudspeaker. A key feature of this technique is that it may not require direct microphone access, which helps explain why no microphone permission changes or visible recording indicators appeared on the device. That detail is central to the scenario. The installed app continuously collected motion sensor data while speakerphone conversations occurred, and the information was later analyzed remotely to reconstruct acoustic content. That behavior is a textbook match for Spearphone. Android camera hijack attacks involve camera access, not speaker vibration analysis. Camfecting refers to webcam compromise, and Storm Breaker Abuse does not describe this sensor-based audio inference method. CEH materials use this example to show that seemingly low-risk sensors can still create serious privacy and espionage threats when correlated with physical effects such as sound-induced vibration. Because the attack depends on speaker-generated motion data rather than direct audio recording, Spearphone is the best answer.
312-50v13 Exam Question 59
During an internal red team engagement, an operator discovers that TCP port 389 is open on a target system identified as a domain controller. To assess the extent of LDAP exposure, the operator runs the command ldapsearch -h <Target IP> -x -s base namingcontexts and receives a response revealing the base distinguished name (DN): DC=internal,DC=corp. This naming context indicates the root of the LDAP directory structure. With this discovery, the operator plans the next step to continue LDAP enumeration and expand visibility into users and objects in the domain. What is the most logical next action?
Correct Answer: D
Once the base DN is identified through LDAP namingContexts, CEH teaches that the next step in enumeration is to query the directory tree using this DN. This allows retrieval of users, groups, computers, and other AD objects. LDAP-based enumeration requires valid search filters rooted in the base DN.
312-50v13 Exam Question 60
Which social engineering attack involves impersonating a co-worker or authority figure to extract confidential information?
Correct Answer: B
Pretexting is defined in CEH v13 Social Engineering as an attack where the attacker fabricates a believable scenario and impersonates a trusted individual to gain sensitive information. This differs from phishing (mass messaging), baiting (malicious incentives), and quid pro quo (exchange of favors).