In sunny San Diego, California, security consultant Maya Ortiz is engaged by PacificGrid, a regional utilities provider, to analyze suspicious access patterns on their employee portal. While reviewing authentication logs, Maya notices many accounts each receive only a few login attempts before the attacker moves on to other targets; the attempts reuse a very small set of likely credentials across a large number of accounts and are spread out over several days and IP ranges to avoid triggering automated lockouts. Several low-privilege accounts were successfully accessed before the pattern was detected. Maya prepares a forensic timeline to help PacificGrid contain the incident. Which attack technique is being used?
Correct Answer: B
The correct answer is B, Password Spraying, because the pattern described is the defining behavior of a spraying attack: the attacker tries a small set of common or likely passwords (for example, seasonal passwords, default patterns, or organization-themed guesses) across many different user accounts, using only a few attempts per account to avoid account lockout thresholds. The scenario explicitly states that "many accounts each receive only a few login attempts," the attacker "reuses a very small set of likely credentials across a large number of accounts," and the activity is "spread out over several days and IP ranges to avoid triggering automated lockouts." These are the exact operational traits that distinguish password spraying from traditional brute force.

In CEH-aligned credential attack concepts, brute force is typically characterized by repeated attempts against a single account (or a small set of accounts), often cycling through many password candidates until the correct one is found. That approach is noisy and quickly triggers lockouts and detection. Password spraying flips the strategy: it keeps the per-account attempt count low and distributes attempts widely and slowly, which reduces alerting and lockout events. This is why the attacker was able to successfully access "several low-privilege accounts" before the pattern was noticed: spraying often compromises accounts with weak or reused passwords while staying below detection thresholds.

Why the other options are incorrect: Session hijacking involves stealing or replaying session tokens/cookies after authentication, not repeated login attempts across accounts. CSRF forces a logged-in user's browser to perform unintended actions; it does not produce distributed authentication failures in logs. Brute force is related, but the avoidance of lockouts through minimal attempts per account and broad targeting is the signature of password spraying.
Therefore, the observed behavior most clearly indicates a password spraying attack.
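As an added example (not part of the original question set), the following Python script applies the distinction drawn above to constructed authentication log lines: it counts failures per account plus distinct accounts, source IPs and days, and labels the activity as spraying when many accounts each receive fewer failures than the lockout threshold, or as brute force when a single account crosses it. The log line format, the lockout threshold of 5 and the minimum of 10 accounts are assumptions made for this example.

```python
import re
from collections import defaultdict

# Assumed log line format (constructed for this example):
# "<ISO timestamp> user=<name> src=<ip> result=<OK|FAIL>"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")

def classify_auth_activity(log_text, lockout_threshold=5, min_accounts=10):
    """Count failed logins and label the pattern: brute_force when one account
    takes lockout_threshold or more failures; password_spraying when at least
    min_accounts accounts fail but every one stays below the threshold."""
    failures_per_user = defaultdict(int)
    sources, days = set(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "FAIL":
            continue
        failures_per_user[m["user"]] += 1
        sources.add(m["src"])
        days.add(m["ts"][:10])  # spread across days is part of the spraying signature
    max_per_account = max(failures_per_user.values(), default=0)
    summary = {"accounts": len(failures_per_user), "max_failures_per_account": max_per_account,
               "sources": len(sources), "days": len(days)}
    if max_per_account >= lockout_threshold:
        summary["verdict"] = "brute_force"
    elif len(failures_per_user) >= min_accounts:
        summary["verdict"] = "password_spraying"
    else:
        summary["verdict"] = "no_pattern"
    return summary

def build_sample_log(spray):
    """Constructed sample lines, not real logs. spray=True: 12 accounts, 2 failures
    each, spread over 3 days and 3 source IPs. spray=False: one account, 20 failures."""
    ips = ["203.0.113.10", "198.51.100.7", "192.0.2.33"]
    lines = []
    if spray:
        for i in range(12):
            for attempt in range(2):
                lines.append(f"2024-03-0{1 + i % 3}T08:{i:02d}:{attempt}0 "
                             f"user=user{i:02d} src={ips[i % 3]} result=FAIL")
    else:
        for attempt in range(20):
            lines.append(f"2024-03-01T08:00:{attempt:02d} user=admin src={ips[0]} result=FAIL")
    return "\n".join(lines)

if __name__ == "__main__":
    print(classify_auth_activity(build_sample_log(True)))   # verdict: password_spraying
    print(classify_auth_activity(build_sample_log(False)))  # verdict: brute_force
```

Grouping by account rather than by source IP is what makes the spray visible: each IP alone shows only a handful of failures, but the account-level view exposes the wide, shallow footprint.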
312-50v13 Exam Question 27
An attacker exploits medical imaging protocols to intercept patient data. Which sniffing technique is most challenging?
Correct Answer: D
This scenario describes steganographic sniffing, a highly sophisticated technique covered in CEH v13 Network Sniffing and Steganography. By embedding sensitive data inside legitimate image files, such as CT scans, attackers can intercept or exfiltrate patient information while avoiding detection. Option D represents a steganography-based covert channel, which is extremely difficult to identify because:
* The file appears legitimate
* Standard encryption and IDS tools do not flag it
* Medical images naturally contain large data volumes
Options A and B involve malware, which is more detectable. Option C involves text-based covert channels, which are easier to analyze than binary image embedding. CEH v13 identifies steganography as one of the hardest data-hiding techniques to detect, making Option D correct.
312-50v13 Exam Question 28
At a Chicago-based healthcare provider, security engineer Emily reviews the migration of critical applications to a cloud service. During her evaluation, she notes that administrators can provision new servers, increase storage, and expand compute power instantly through a web dashboard without any manual involvement from the cloud provider. Which NIST-defined characteristic of cloud computing best explains this capability?
Correct Answer: A
The capability described, administrators instantly provisioning servers, storage, and compute through a web portal without needing the provider to manually intervene, is the NIST cloud characteristic called on-demand self-service. In NIST's cloud computing model, on-demand self-service means a consumer can unilaterally provision computing capabilities (such as server time and network storage) as needed automatically, without requiring human interaction with each service provider. The scenario explicitly highlights that the admins can scale resources "instantly" through a dashboard and that there is "no manual involvement from the cloud provider." That is exactly what on-demand self-service captures: rapid provisioning driven by the customer through automated orchestration and APIs/portals.

Why the other options are not the best match: Broad network access (D) means cloud capabilities are available over the network and accessed through standard mechanisms by heterogeneous platforms (mobile, laptops, workstations). While the dashboard is accessed over the network, broad access is about reachability and standard access mechanisms, not the self-provisioning behavior. Resource pooling (C) refers to the provider's multi-tenant model where physical/virtual resources are pooled and dynamically assigned; it explains how the provider can offer elasticity, but the user-facing "provision it yourself" aspect is on-demand self-service. Measured service (B) refers to metering and monitoring resource usage for billing/optimization; it doesn't explain instant self-provisioning. Therefore, the characteristic is A. On-demand self-service.
312-50v13 Exam Question 29
During an IDS audit, you notice numerous alerts triggered by legitimate user activity. What is the most likely cause?
Correct Answer: D
According to the CEH IDS/IPS module, false positives occur when legitimate activity is incorrectly flagged as malicious. The most common cause is overly sensitive IDS rules or thresholds. Option D correctly identifies this issue. Option A describes the symptom, not the root cause. Option B is unrelated to IDS alert behavior. Option C can cause missed detections, not excessive alerts. CEH recommends proper tuning and baseline profiling.
312-50v13 Exam Question 30
You are a security analyst at Sentinel Cyber Group, monitoring the web portal of Aspen Valley Bank in Salt Lake City, Utah. During log review, you notice repeated attempts by attackers to inject malicious strings into the login fields. However, despite these attempts, the application executes queries safely without altering their logic, since user inputs are kept separate from the SQL statements and bound as fixed values before execution. Based on the observed defense mechanism, which SQL injection countermeasure is the application employing?
Correct Answer: D
The defense described, keeping user inputs separate from the SQL statement and binding them as fixed values before execution, is the defining characteristic of parameterized queries (prepared statements). This is one of the most effective and widely recommended countermeasures against SQL injection because it prevents attacker input from being interpreted as SQL code. In a vulnerable application, developers often build SQL statements by concatenating strings, such as "SELECT ... WHERE user='" + input + "'". In that pattern, malicious payloads can alter the query structure (adding conditions, UNIONs, comments, or stacked queries). With prepared statements, the SQL engine receives the query structure first (the template), and then receives the parameter values separately. The database treats the parameters strictly as data, not executable SQL. As a result, even if an attacker submits quotes, keywords, or operators, those characters remain part of the parameter value and cannot change the query's logic. The scenario specifically says inputs are "bound as fixed values," which is direct language associated with parameter binding. That makes option D the best answer.

Why the other options are less accurate: User input validation (A) is helpful but can be bypassed and is not as robust as parameterization; also, the described mechanism is not validation but binding separation. Restrict database access (B) is a defense-in-depth measure (least privilege) that reduces impact, but it does not inherently stop injection from occurring. Encoding the single quote (C) is a legacy/insufficient approach; encoding or escaping can be error-prone and DBMS-specific, and it does not match the description of parameters being bound separately. Therefore, the application is using D. Use parameterized queries or prepared statements.
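As an added illustration, not code from the original question set, the following Python snippet uses an in-memory SQLite database to place the concatenating lookup beside its parameterized form, so the same input that rewrites the concatenated WHERE clause is shown being treated as a plain literal once it is bound as a parameter. The table, its single sample row and the function names are constructed for this example.

```python
import sqlite3

def make_db():
    """Constructed in-memory database with one sample user row (not data from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'sample-hash')")
    conn.commit()
    return conn

def lookup_vulnerable(conn, username):
    """Builds the statement by string concatenation: the input becomes part of the
    SQL text, so a quote inside it can change the WHERE clause itself."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, username):
    """Sends the query template first and binds the value separately; the engine
    treats the bound value strictly as data, never as SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def compare(username):
    """Run both lookups on the same input and return the rows each one produced."""
    conn = make_db()
    try:
        return {
            "concatenated": lookup_vulnerable(conn, username),
            "parameterized": lookup_parameterized(conn, username),
        }
    finally:
        conn.close()

if __name__ == "__main__":
    # A plain username matches in both forms.
    print(compare("alice"))
    # An input carrying a quote and an extra condition: the concatenated form
    # returns every row because its WHERE clause was rewritten, while the bound
    # form looks for a user literally named "nobody' OR '1'='1" and finds none.
    print(compare("nobody' OR '1'='1"))
```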