A penetration tester evaluates a secure web application using HTTPS, secure cookies, and multi-factor authentication. To hijack a legitimate user's session without triggering alerts, which technique should be used?
Correct Answer: C
CEH v13 describes Cross-Site Request Forgery (CSRF) as a technique that forces an authenticated user's browser to submit actions to a web application that the user never intended. Unlike session hijacking methods that require stealing or replaying the session cookie, CSRF exploits the trust the server places in the user's browser. Even with HTTPS, secure cookies, and MFA, once a user is authenticated the browser automatically attaches the session cookie to every request to that site. If the attacker convinces the victim to load a maliciously crafted page or URL, the browser sends a forged request to the target application and the action executes under the victim's authenticated session. CEH notes that secure cookies and MFA do not stop CSRF because no credentials are stolen; only forced actions occur. The technique leaves minimal traces, avoids direct cookie manipulation, sidesteps otherwise robust authentication, and relies on a design weakness rather than a misconfiguration. Protection typically requires anti-CSRF tokens and origin validation; SameSite cookie attributes add a further layer of defense.
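The mechanism above, as an added Python example that is not part of the CEH material or the original page: a state-changing endpoint that trusts the session cookie alone, the same endpoint hardened with a per-session synchronizer token plus an Origin check, and the forged cross-site request that succeeds against the first and fails against the second. The session store, cookie value, origins and amounts are assumed sample data.

```python
import hmac
import secrets

# Constructed server-side session store: session cookie value -> session record.
# The cookie value, user and balance are assumed sample data.
SESSIONS = {
    "sess-7f3a": {"user": "alice", "balance": 1000, "csrf_token": None},
}
APP_ORIGIN = "https://bank.example"  # assumed application origin


def issue_csrf_token(session_id):
    """Generate a per-session synchronizer token and store it server-side.
    The application embeds it in the form it renders; an attacker's page
    cannot read it because of the same-origin policy."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf_token"] = token
    return token


def handle_transfer_vulnerable(req):
    """State-changing endpoint that trusts the session cookie alone.
    A cross-site form POST carries the cookie automatically, so the forged
    request is executed as the victim."""
    session = SESSIONS.get(req["cookies"].get("session"))
    if session is None:
        return 401, "not authenticated"
    session["balance"] -= int(req["form"]["amount"])
    return 200, "transferred"


def handle_transfer_hardened(req):
    """Same endpoint with the two controls the text names: an anti-CSRF token
    bound to the session and validation of the request's Origin (or Referer)."""
    session = SESSIONS.get(req["cookies"].get("session"))
    if session is None:
        return 401, "not authenticated"
    origin = req["headers"].get("Origin") or req["headers"].get("Referer", "")
    if not origin.startswith(APP_ORIGIN):
        return 403, "cross-origin request rejected"
    submitted = req["form"].get("csrf_token", "")
    expected = session["csrf_token"] or ""
    # Constant-time comparison so the token check is not a timing oracle.
    if not expected or not hmac.compare_digest(submitted, expected):
        return 403, "missing or invalid anti-CSRF token"
    session["balance"] -= int(req["form"]["amount"])
    return 200, "transferred"


def forged_request():
    """What the browser sends when the logged-in victim loads attacker.example:
    the session cookie rides along and the attacker chooses the form fields,
    but cannot supply the token or a first-party Origin."""
    return {
        "cookies": {"session": "sess-7f3a"},
        "headers": {"Origin": "https://attacker.example"},
        "form": {"amount": "250"},
    }


def legitimate_request(token):
    """A real form submission from the application's own page."""
    return {
        "cookies": {"session": "sess-7f3a"},
        "headers": {"Origin": APP_ORIGIN},
        "form": {"amount": "250", "csrf_token": token},
    }


if __name__ == "__main__":
    print(handle_transfer_vulnerable(forged_request()))  # (200, 'transferred')
    print(handle_transfer_hardened(forged_request()))    # (403, 'cross-origin request rejected')
    tok = issue_csrf_token("sess-7f3a")
    print(handle_transfer_hardened(legitimate_request(tok)))  # (200, 'transferred')
```

Note that Origin may be absent on some legitimate requests (older clients, certain redirects), so the token is the primary control and the origin check is defense in depth; setting the session cookie with SameSite=Lax or Strict stops the browser attaching it to most cross-site POSTs in the first place.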
312-50v13 Exam Question 242
Which WPA vulnerability allowed packet injection and decryption attacks?
Correct Answer: C
WPA with TKIP inherits weaknesses from WEP, particularly its reliance on weak Initialization Vectors (IVs). CEH v13 explains that these weaknesses allow attackers to perform packet injection and partial decryption attacks. Although WPA improved upon WEP, TKIP was designed as a stop-gap that could run on existing WEP hardware and still depends on predictable IV behavior, which makes Option C correct. Lack of AES (Option A) explains why WPA is weaker than WPA2 but does not describe the exploit mechanism. Weak passwords (Option D) affect authentication, not packet injection. GTK predictability (Option B) is relevant but is not the primary cause here. CEH v13 explicitly states that IV reuse and predictability in TKIP enable practical attacks.
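To make the IV point concrete, an added example that is not from the CEH text: a WEP-style construction in which the per-packet RC4 key is IV || root key. One known plaintext under a reused IV recovers the keystream for that IV, which then decrypts any other frame sent under the same IV (as far as the known frame is long) and lets the attacker encrypt a chosen payload the receiver will accept. The RC4 routine, key, IV and frames are constructed for the illustration; TKIP's per-packet key mixing, 48-bit sequence counter and Michael MIC were added precisely to make this direct reuse harder, so the published TKIP attacks are more involved than what is shown here.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then keystream XORed with data.
    Written here for the illustration; not a WEP/TKIP library."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_style_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: per-packet RC4 key is IV || root key and the IV is
    sent in the clear. The ICV/CRC is omitted to keep the example short."""
    return rc4(iv + root_key, plaintext)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed sample traffic: two frames encrypted under the same 24-bit IV.
ROOT_KEY = b"\x01\x02\x03\x04\x05"      # assumed 40-bit root key (sample value)
IV = b"\x00\x00\x01"                    # reused IV; 24 bits give only ~16M values
P1 = b"GET /login HTTP/1.1\r\n"         # assumed known plaintext (predictable request)
P2 = b"user=meera&pw=hunter2\r\n"       # the frame the attacker wants to read
C1 = wep_style_encrypt(ROOT_KEY, IV, P1)
C2 = wep_style_encrypt(ROOT_KEY, IV, P2)


def recover_keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """One known plaintext/ciphertext pair under an IV yields that IV's
    keystream: KS = P1 XOR C1."""
    return xor(known_plaintext, ciphertext)


def decrypt_with_reused_iv(keystream: bytes, ciphertext: bytes) -> bytes:
    """Partial decryption: any other frame under the same IV is C XOR KS,
    but only for as many bytes of keystream as were recovered."""
    return xor(ciphertext, keystream)


def inject_frame(keystream: bytes, payload: bytes) -> bytes:
    """Packet injection: the recovered keystream encrypts an attacker-chosen
    payload that the receiver will accept under this IV, with no key needed."""
    assert len(payload) <= len(keystream), "only as many bytes as recovered"
    return xor(payload, keystream)


def demo():
    """Run the attack end to end; returns (recovered P2 prefix, what the
    receiver decrypts from the injected frame)."""
    ks = recover_keystream(P1, C1)
    recovered = decrypt_with_reused_iv(ks, C2)
    forged = inject_frame(ks, b"user=meera&pw=owned!")
    # The receiver decrypts the forged frame with the real key; it must match.
    accepted = rc4(IV + ROOT_KEY, forged)
    return recovered, accepted


if __name__ == "__main__":
    rec, acc = demo()
    print(rec)  # b'user=meera&pw=hunter2' (21 bytes, the length of the known frame)
    print(acc)  # b'user=meera&pw=owned!'
```

Because the known frame is 21 bytes, only the first 21 bytes of the second frame are recovered, which is the "partial" in partial decryption; with more known traffic under the same IV the recovered keystream grows.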
312-50v13 Exam Question 243
An IDS generates alerts during normal user activity. What is the most likely cause?
Correct Answer: C
In CEH v13, IDS effectiveness is closely tied to signature tuning and sensitivity thresholds. When alerts are triggered by legitimate user behavior, the most common cause is an overly sensitive configuration that produces false positives: normal traffic patterns match intrusion signatures or exceed rate thresholds. CEH v13 emphasizes that an IDS must be calibrated to the organization's baseline traffic profile; without tuning, IDS logs become noisy and analyst effectiveness drops. Firewall issues (Option A) and outdated IDS signatures (Option B) cause missed detections, not excessive alerts. Users unintentionally triggering protocols (Option D) describes a symptom of the misconfiguration, not its root cause. Thus, excessive IDS sensitivity is the correct explanation.
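An added Python example (not from the page) of the baseline calibration the text describes: constructed log lines, a fixed default threshold that fires on a legitimately busy build server, and a per-source threshold derived from a constructed baseline (mean plus three standard deviations) that suppresses that false positive while still flagging a genuine burst from a workstation. The log format, addresses and counts are assumptions for the illustration.

```python
import re
import statistics
from collections import Counter

# Constructed baseline: per-minute request counts per source observed while
# profiling normal traffic (assumed figures, not measurements from the page).
BASELINE = {
    "10.0.1.20": [118, 125, 121, 130, 117, 124, 119, 128],  # CI build server, always busy
    "10.0.5.44": [3, 4, 2, 5, 3, 4, 3, 2],                  # developer workstation
}

# Assumed log format: "<ISO timestamp> <src> -> <dst> <method> <uri>".
LOG_RE = re.compile(r"^\d{4}-\d\d-\d\dT(\d\d:\d\d):\d\d (\S+) -> \S+ \S+ \S+$")


def make_lines(minute, src, n, uri):
    """Constructed log lines: n requests from src within one minute."""
    return [f"2024-05-06T{minute}:{i % 60:02d} {src} -> 10.0.9.9 GET {uri}"
            for i in range(n)]


# Constructed traffic under evaluation: the build server at its normal rate,
# the workstation at its normal rate, then the workstation suddenly sending
# 60 requests in a minute (the event that should alert).
LOG_LINES = (
    make_lines("10:00", "10.0.1.20", 122, "/api/builds")
    + make_lines("10:00", "10.0.5.44", 4, "/wiki/home")
    + make_lines("10:01", "10.0.5.44", 60, "/admin/")
)


def count_per_minute(lines):
    """Return {(src, minute): request count}, skipping lines that do not parse."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            minute, src = m.group(1), m.group(2)
            counts[(src, minute)] += 1
    return counts


def detect_fixed(counts, threshold=50):
    """Untuned rule: any source over one global requests-per-minute threshold."""
    return sorted((src, minute, n) for (src, minute), n in counts.items()
                  if n > threshold)


def tuned_thresholds(baseline, k=3.0):
    """Per-source threshold from the baseline profile: mean + k * stdev."""
    return {src: statistics.mean(v) + k * statistics.pstdev(v)
            for src, v in baseline.items()}


def detect_tuned(counts, thresholds, default=50):
    """Same rule, but each source is judged against its own baseline; sources
    without a profile fall back to the global default."""
    return sorted((src, minute, n) for (src, minute), n in counts.items()
                  if n > thresholds.get(src, default))


if __name__ == "__main__":
    counts = count_per_minute(LOG_LINES)
    print(detect_fixed(counts))
    # [('10.0.1.20', '10:00', 122), ('10.0.5.44', '10:01', 60)]  (build server is a false positive)
    print(detect_tuned(counts, tuned_thresholds(BASELINE)))
    # [('10.0.5.44', '10:01', 60)]
```

The build server's baseline gives a threshold of roughly 136 requests per minute, so its normal 122 no longer alerts, while the workstation's threshold of roughly 6 still catches the burst of 60. The same idea applies to signature rules: a signature that repeatedly matches a known-good internal host is tuned with a suppression or threshold for that host rather than disabled outright.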
312-50v13 Exam Question 244
During an internal red team engagement at a software company in Boston, ethical hacker Meera gains access to a developer's workstation. To ensure long-term persistence, she plants a lightweight binary in a hidden directory and configures it to automatically launch every time the system is restarted. Days later, even after the host was rebooted during patching, the binary executed again without requiring user interaction, giving Meera continued access. Which technique most likely enabled this persistence?
Correct Answer: D
The persistence described, "automatically launch every time the system is restarted" with no user interaction, most commonly aligns with Registry Run keys on Windows. Run keys are a classic persistence mechanism: the attacker adds a value referencing the executable under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (per-user) or HKLM\Software\Microsoft\Windows\CurrentVersion\Run (all users). Windows processes these entries at user logon (the HKCU key for that user, the HKLM key for any user who logs on) and launches the referenced program automatically, so the binary comes back after every reboot once someone signs in. The technique is popular because it is simple, effective, and blends in with legitimate startup entries. The scenario says Meera placed a binary in a hidden directory and configured it to auto-launch after restarts; registry autoruns fit that pattern exactly, since the binary can reside anywhere (including a hidden folder) while the registry value points to it, and the attacker does not need to be present.

Why the other options are less likely given the phrasing: Startup Folder (C) can also auto-launch programs, but it implies a shortcut or executable placed in the user's startup directory and is likewise tied to user logon; the question stresses "every time the system is restarted", which CEH material most often tests as registry autorun persistence. Scheduled Tasks (A) can run at startup or on other triggers and are a valid persistence technique, but the scenario mentions no task scheduling or trigger configuration. Creating a new service (B) would mean installing a Windows service, which usually requires elevated privileges and shows up as a managed service, whereas the scenario frames a lightweight binary planted and configured to auto-launch, which aligns more naturally with Run keys. Therefore, the most likely persistence technique is D. Registry run keys.
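As an added example (not part of the CEH answer), a small Python triage of Run-key entries: it parses constructed `reg query` output and scores each value by where its image lives. The entries, paths and scoring rules are assumptions for the illustration; on a real host the input would come from `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` and the HKLM equivalent, or from Sysinternals Autoruns.

```python
import re

# Constructed sample of `reg query HKCU\...\Run` output. The value names and
# paths are assumed for the illustration; "SvcHost Update" plays the planted
# binary from the scenario (a system-binary name in a hidden-style directory).
REG_QUERY_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SvcHost Update    REG_SZ    C:\Users\dev\AppData\Roaming\.cache\svchost.exe
    Teams    REG_SZ    "C:\Program Files\Teams\Teams.exe" --silent
"""

# reg query prints the key on its own line, then each value indented by four
# spaces with four-space separators: "    <name>    <type>    <data>".
KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\")
ENTRY_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

# Locations a non-admin user can write to; legitimate software lives here too,
# so this is a weak signal on its own (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")
# Names that belong under C:\Windows; finding them elsewhere is a strong signal.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}


def parse_reg_query(text):
    """Turn reg query output into a list of {key, name, type, data} dicts."""
    key = None
    entries = []
    for line in text.splitlines():
        if KEY_RE.match(line):
            key = line.strip()
        elif key:
            m = ENTRY_RE.match(line)
            if m:
                entries.append({"key": key, "name": m["name"],
                                "type": m["type"], "data": m["data"]})
    return entries


def image_path(data):
    """Extract the executable path from a command line, quoted or not."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split(" ")[0]


def score_entry(entry):
    """Assign one point per heuristic that fires; the reasons are returned
    so an analyst can see why an entry floated to the top."""
    path = image_path(entry["data"])
    low = path.lower()
    reasons = []
    if any(seg in low for seg in USER_WRITABLE):
        reasons.append("image in user-writable location")
    if any(part.startswith(".") for part in low.split("\\")):
        reasons.append("dot-prefixed (hidden-style) directory in path")
    if low.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not low.startswith("c:\\windows\\"):
        reasons.append("system binary name outside the Windows directory")
    return {"name": entry["name"], "path": path,
            "score": len(reasons), "reasons": reasons}


def triage(text):
    """Parse and score every Run value, most suspicious first."""
    return sorted((score_entry(e) for e in parse_reg_query(text)),
                  key=lambda r: -r["score"])


if __name__ == "__main__":
    for r in triage(REG_QUERY_OUTPUT):
        print(r["score"], r["name"], r["path"], r["reasons"])
    # 3 SvcHost Update C:\Users\dev\AppData\Roaming\.cache\svchost.exe [...]
    # 1 OneDrive C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDrive.exe [...]
    # 0 Teams C:\Program Files\Teams\Teams.exe []
```

The planting side is a single command, for example `reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ /d "C:\path\to\binary.exe"`, which needs no elevation for the HKCU key; that is why this key deserves the same scrutiny as HKLM. For continuous detection rather than point-in-time triage, Sysmon Event ID 13 (registry value set) filtered on the Run and RunOnce key paths captures the moment the value is written.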
312-50v13 Exam Question 245
During a red team exercise at a technology consulting firm in San Francisco, analyst Evelyn deploys a malicious payload disguised within a software update installer. When the target runs the installer, the main application functions normally, but behind the scenes, additional malware components are silently placed on the system without the user's knowledge. These hidden components later activate to establish remote access for the red team. Which technique was most likely used to deliver the hidden malware?
Correct Answer: D
The scenario describes a program that appears legitimate (a software update installer that "functions normally") while secretly placing additional malicious components on the system, which later execute to establish remote access. That is the defining behavior of a dropper. A dropper's primary role is to deliver (drop) malware payloads onto a host, writing files to disk or unpacking embedded components, often while disguised as a benign application. The dropped components may run immediately or be staged for later activation to reduce suspicion and increase persistence. This differs from a downloader, which carries little or no payload and instead contacts a remote server to fetch malware after initial execution; here the description stresses that "additional malware components are silently placed on the system," meaning the payload is installed locally by the initial program rather than downloaded. An injector focuses on injecting code into another running process (process injection) to evade detection or run under another process's context; it does not describe placing additional components as separate hidden files. A wrapper binds a malicious program to a legitimate one so that both run; wrappers are used in trojanized installers, but the question emphasizes the behind-the-scenes placement of additional components for later activation, which is classic dropper behavior. The key indicators are: (1) the user executes an installer that appears normal, (2) hidden malware components are deposited without the user's knowledge, and (3) those components later activate for remote access. That chain matches a dropper's purpose: stealthy malware delivery and staging. Therefore, the correct answer is D. Dropper.