ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
While investigating a potential compromise, you review several Amazon GuardDuty findings related to a Windows-based EC2 web server. The findings highlight repeated "PowerShell-related behavior" triggered through WMI event subscriptions, unexpected outbound connections to a known command-and-control (C2) domain, and the absence of any suspicious binaries after an exhaustive anti-malware scan of the instance's EBS volume. Based on these observations, which category of malicious code most likely explains the attacker's technique?
A polymorphic file-infecting virus that appends malicious code to executable files on the system volume
Fileless malware that operates exclusively in memory and leverages native PowerShell and WMI functionality
A kernel-mode rootkit that installs unauthorized drivers to conceal malicious processes from the OS
A ransomware variant that replaces the master boot record (MBR) and displays ransom notes at startup
The attacker's commands are executed from memory using legitimate administration tools (PowerShell via WMI) without creating or modifying files on disk. This is characteristic of fileless malware, which lives in memory and abuses built-in OS components to maintain persistence and communicate with C2 infrastructure, allowing it to evade traditional signature-based anti-virus scans that focus on files.
A polymorphic file-infecting virus would leave altered executables on disk; ransomware that overwrites the master boot record would be readily detected through modified disk sectors and ransom notes; a kernel-mode rootkit typically installs drivers or patches kernel structures, also leaving artifacts on disk or in driver lists. None of these align with the log-only, memory-resident activity GuardDuty observed, making fileless malware the best explanation.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is fileless malware?
Open an interactive chat with Bash
How does Amazon GuardDuty detect fileless malware?
Open an interactive chat with Bash
What are WMI event subscriptions, and how can they be used in attacks?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Systems and Application Security
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .