1. What is the key characteristic of fileless malware?
A) It does not require an internet connection
B) It operates entirely in memory without writing files to disk
C) It targets only mobile devices
D) It infects only system boot sectors
β
Answer: B) It operates entirely in memory without writing files to disk
π‘ Explanation: Fileless malware resides in the systemβs memory (RAM) and does not create traditional files on disk, making it harder for traditional antivirus solutions to detect.
2. Which of the following attack techniques is commonly used in fileless malware?
A) Macro-based attacks
B) Distributed Denial of Service (DDoS)
C) Physical hardware tampering
D) SQL Injection
β
Answer: A) Macro-based attacks
π‘ Explanation: Attackers often use macros in Microsoft Office documents to execute malicious code directly in memory, a common method for delivering fileless malware.
3. Fileless malware often abuses which Windows feature to execute malicious code?
A) Windows Registry
B) Task Manager
C) Notepad
D) Windows Screensaver
β
Answer: A) Windows Registry
π‘ Explanation: Fileless malware can store malicious payloads in the Windows Registry and execute them later using system processes.
4. What is the primary reason fileless malware is difficult to detect?
A) It spreads only via Bluetooth
B) It does not create any executable files on disk
C) It always requires administrator privileges
D) It uses brute force techniques
β
Answer: B) It does not create any executable files on disk
π‘ Explanation: Since fileless malware operates in RAM and does not leave artifacts on the file system, traditional signature-based antivirus tools struggle to detect it.
5. Which legitimate Windows tool is frequently abused by fileless malware?
A) Windows Defender
B) PowerShell
C) Task Scheduler
D) Paint
β
Answer: B) PowerShell
π‘ Explanation: PowerShell is commonly used in fileless malware attacks due to its ability to execute scripts directly in memory without creating files.
6. Fileless malware is often delivered through which method?
A) Email phishing
B) DNS cache poisoning
C) ARP spoofing
D) Physical USB injection
β
Answer: A) Email phishing
π‘ Explanation: Attackers use phishing emails to trick users into enabling macros, executing malicious PowerShell scripts, or visiting malicious websites that execute code in memory.
7. Which of the following techniques is NOT typically used in fileless malware attacks?
A) DLL Injection
B) Memory-resident shellcode execution
C) Malicious email attachments
D) Creating .exe files on the hard drive
β
Answer: D) Creating .exe files on the hard drive
π‘ Explanation: Fileless malware avoids traditional executable files, making it harder for antivirus software to detect.
8. What is a common post-exploitation activity of fileless malware?
A) Dropping ransomware binaries on disk
B) Establishing a remote backdoor in RAM
C) Modifying BIOS firmware
D) Reformatting the hard drive
β
Answer: B) Establishing a remote backdoor in RAM
π‘ Explanation: Fileless malware often creates memory-resident backdoors to maintain persistence without writing files to disk.
9. What cybersecurity framework highlights the use of fileless malware techniques?
A) ISO 27001
B) MITRE ATT&CK
C) OWASP Top 10
D) COBIT
β
Answer: B) MITRE ATT&CK
π‘ Explanation: MITRE ATT&CK tracks various fileless malware tactics under techniques such as βPowerShell Executionβ and βProcess Injection.β
10. Which of the following is NOT a mitigation technique against fileless malware?
A) Disabling unnecessary PowerShell scripting
B) Enforcing strict application whitelisting
C) Using a hardware-based firewall
D) Regularly updating system patches
β
Answer: C) Using a hardware-based firewall
π‘ Explanation: While firewalls help block network-based attacks, they do not directly mitigate fileless malware, which operates within legitimate system processes.
11. Which Windows process is often hijacked by fileless malware for execution?
A) svchost.exe
B) calc.exe
C) notepad.exe
D) explorer.exe
β
Answer: A) svchost.exe
π‘ Explanation: Attackers often inject fileless malware into svchost.exe to execute malicious commands in memory.
12. What is the role of LOLBins (Living Off the Land Binaries) in fileless malware?
A) They are third-party security tools
B) They help attackers execute code using trusted system utilities
C) They disable all security software
D) They act as firewalls for attackers
β
Answer: B) They help attackers execute code using trusted system utilities
π‘ Explanation: LOLBins, like wmic.exe, mshta.exe, and powershell.exe, allow attackers to execute malicious commands stealthily.
13. Which logging tool can help detect fileless malware activity?
A) Task Manager
B) Windows Event Logs
C) Snipping Tool
D) Disk Cleanup
β
Answer: B) Windows Event Logs
π‘ Explanation: Windows Event Logs help track abnormal PowerShell, WMI, and script execution, which are indicators of fileless malware.
14. How does fileless malware achieve persistence?
A) Writing itself to a USB drive
B) Modifying registry keys
C) Disabling the computerβs power supply
D) Deleting Windows logs
β
Answer: B) Modifying registry keys
π‘ Explanation: Attackers use registry keys to store malicious payloads that execute every time the system starts.
15. Why is behavioral analysis more effective than signature-based detection for fileless malware?
A) It detects anomalies rather than looking for known signatures
B) It works faster than antivirus software
C) It prevents all cyberattacks
D) It scans the entire internet for threats
β
Answer: A) It detects anomalies rather than looking for known signatures
π‘ Explanation: Since fileless malware does not create traditional files, behavioral analysis helps identify suspicious activities instead of relying on known signatures.
16. What is a key sign of a fileless malware infection?
A) Sudden disappearance of desktop icons
B) High memory usage with no visible processes
C) Random blue screen errors
D) Corrupted boot sector
β
Answer: B) High memory usage with no visible processes
π‘ Explanation: Fileless malware operates in RAM, leading to increased memory consumption while hiding from traditional detection tools.
17. What type of attack can fileless malware facilitate?
A) Ransomware delivery
B) Hardware destruction
C) DNS spoofing
D) Physical device cloning
β
Answer: A) Ransomware delivery
π‘ Explanation: Fileless malware can download ransomware payloads directly into memory and execute them without being detected.
18. What security tool can help detect fileless malware in PowerShell scripts?
A) Windows Defender SmartScreen
B) AMSI (Antimalware Scan Interface)
C) Notepad++
D) Adobe Acrobat
β
Answer: B) AMSI (Antimalware Scan Interface)
π‘ Explanation: AMSI helps detect malicious scripts in PowerShell, even when obfuscated.
19. What is a PowerShell-based framework used for fileless attacks?
A) Metasploit
B) Empire
C) Wireshark
D) Burp Suite
β
Answer: B) Empire
π‘ Explanation: Empire is a post-exploitation framework that enables PowerShell-based fileless attacks.
20. Which of the following is a strong defense against fileless malware?
A) Disabling macros
B) Allowing unsigned scripts
C) Enabling Remote Desktop by default
D) Using outdated software
β
Answer: A) Disabling macros
π‘ Explanation: Disabling macros in Office documents prevents one of the most common fileless malware delivery methods.
21. Which of the following tools is commonly used to execute fileless malware through Windows Management Instrumentation (WMI)?
A) Mimikatz
B) PowerShell
C) Metasploit
D) Wmic.exe
β
Answer: D) Wmic.exe
π‘ Explanation: Attackers abuse wmic.exe (Windows Management Instrumentation Command-line) to execute fileless malware by running system commands stealthily.
22. Fileless malware can execute malicious code remotely using which of the following techniques?
A) SSH brute-force
B) Remote PowerShell execution
C) DNS amplification
D) ARP spoofing
β
Answer: B) Remote PowerShell execution
π‘ Explanation: Attackers often use PowerShell Remoting to execute commands and deploy fileless malware on remote machines.
23. Which advanced attack technique is used to run fileless malware by injecting code into legitimate processes?
A) DLL Sideloading
B) Process Hollowing
C) Credential Dumping
D) Watering Hole Attack
β
Answer: B) Process Hollowing
π‘ Explanation: Process hollowing involves replacing the memory of a legitimate process with malicious code, allowing malware to run undetected.
24. How do attackers use Reflective DLL Injection in fileless malware?
A) By embedding malware in a USB drive
B) By injecting a DLL into memory without writing it to disk
C) By embedding code in the Windows kernel
D) By infecting the Master Boot Record (MBR)
β
Answer: B) By injecting a DLL into memory without writing it to disk
π‘ Explanation: Reflective DLL Injection allows attackers to execute DLLs in memory without touching the disk, making detection difficult.
25. Which of the following Windows services is commonly targeted by fileless malware?
A) Spoolsv.exe
B) Winlogon.exe
C) Lsass.exe
D) Explorer.exe
β
Answer: C) Lsass.exe
π‘ Explanation: Lsass.exe (Local Security Authority Subsystem Service) is targeted for credential dumping and privilege escalation by fileless malware.
26. What is a key indicator of fileless malware executing through Windows Script Host (WSH)?
A) High CPU usage from wscript.exe or cscript.exe
B) New firewall rules created
C) Hard drive errors appearing
D) Disabling of Windows Defender
β
Answer: A) High CPU usage from wscript.exe or cscript.exe
π‘ Explanation: wscript.exe and cscript.exe are used to run VBScript and JScript, often abused for fileless attacks.
27. What is an effective way to prevent fileless malware from leveraging PowerShell?
A) Enabling Windows Firewall
B) Blocking unsigned PowerShell scripts
C) Running system updates once a year
D) Deleting PowerShell from the system
β
Answer: B) Blocking unsigned PowerShell scripts
π‘ Explanation: Blocking unsigned scripts prevents attackers from executing malicious PowerShell commands.
28. Which forensic technique is helpful in identifying fileless malware infections?
A) Signature-based scanning
B) Memory forensics
C) Disk imaging
D) Physical drive cloning
β
Answer: B) Memory forensics
π‘ Explanation: Since fileless malware resides in RAM, memory forensics is crucial for detection.
29. What type of PowerShell command do attackers often use to download and execute fileless malware?
A) Invoke-Expression (IEX)
B) Get-Process
C) Remove-Item
D) New-Item
β
Answer: A) Invoke-Expression (IEX)
π‘ Explanation: IEX (Invoke-Expression) allows execution of remote scripts directly in memory, often abused by attackers.
30. What is a common persistence mechanism for fileless malware in Windows?
A) Task Scheduler abuse
B) Changing the computer wallpaper
C) Deleting antivirus software
D) Changing BIOS settings
β
Answer: A) Task Scheduler abuse
π‘ Explanation: Attackers create scheduled tasks to run malicious scripts persistently without leaving traces on disk.
31. How does Living-Off-the-Land (LotL) methodology relate to fileless malware?
A) It uses existing legitimate tools to execute malicious activities
B) It requires physical access to the target system
C) It only works in cloud environments
D) It relies on installing third-party malware executables
β
Answer: A) It uses existing legitimate tools to execute malicious activities
π‘ Explanation: LotL techniques use built-in tools like PowerShell, WMI, and Task Scheduler for stealthy attacks.
32. What is a common cloud-based attack vector for fileless malware?
A) Exploiting misconfigured AWS Lambda functions
B) Brute-forcing SFTP passwords
C) Encrypting data on external hard drives
D) Flooding the network with ICMP packets
β
Answer: A) Exploiting misconfigured AWS Lambda functions
π‘ Explanation: Attackers can inject malicious code into cloud environments without leaving traces on storage disks.
33. What role does JavaScript play in fileless malware attacks?
A) It is used to launch malicious scripts via browsers
B) It is used for ransomware encryption
C) It directly infects BIOS firmware
D) It removes all system logs
β
Answer: A) It is used to launch malicious scripts via browsers
π‘ Explanation: JavaScript-based attacks use malicious scripts to run payloads in memory via web browsers.
34. Which security tool helps monitor and detect fileless attacks in real time?
A) SIEM (Security Information and Event Management)
B) Disk defragmenter
C) Registry cleaner
D) VPN
β
Answer: A) SIEM (Security Information and Event Management)
π‘ Explanation: SIEM solutions aggregate and analyze security logs to detect anomalous behavior from fileless attacks.
35. What cloud-based security measure can help mitigate fileless malware attacks?
A) Enforcing strong password policies
B) Enabling application whitelisting
C) Using multi-cloud architecture
D) Increasing cloud storage capacity
β
Answer: B) Enabling application whitelisting
π‘ Explanation: Application whitelisting ensures only approved programs can execute, reducing fileless malware risks.
36. Which endpoint security approach is most effective against fileless malware?
A) Behavior-based detection
B) Signature-based detection
C) Manual scanning
D) File quarantine
β
Answer: A) Behavior-based detection
π‘ Explanation: Behavior-based detection analyzes anomalies, making it more effective than signature-based detection.
37. What common Windows Registry key is exploited by fileless malware for persistence?
A) HKLM\Software\Microsoft\Windows\CurrentVersion\Run
B) HKCU\System\Policy\Wallpaper
C) HKLM\Hardware\Description\System
D) HKCU\ControlPanel\Desktop
β
Answer: A) HKLM\Software\Microsoft\Windows\CurrentVersion\Run
π‘ Explanation: This registry key is commonly abused to launch malicious scripts at startup.
38. What is an effective defense mechanism against PowerShell-based fileless malware?
A) Disabling PowerShell logging
B) Enabling PowerShell script block logging
C) Running all scripts as administrator
D) Disabling all Windows services
β
Answer: B) Enabling PowerShell script block logging
π‘ Explanation: PowerShell script block logging provides visibility into potentially malicious scripts.
39. Which web attack vector can deliver fileless malware through browsers?
A) Drive-by downloads
B) Man-in-the-middle (MITM) attacks
C) DNS poisoning
D) SYN Flood
β
Answer: A) Drive-by downloads
π‘ Explanation: Drive-by downloads exploit browser vulnerabilities to execute malicious code in memory.
40. Why is fileless malware often used in Advanced Persistent Threats (APTs)?
A) It minimizes detection and maximizes persistence
B) It can self-replicate across devices
C) It corrupts BIOS firmware permanently
D) It only works on IoT devices
β
Answer: A) It minimizes detection and maximizes persistence
π‘ Explanation: APTs use fileless malware for stealthy, long-term access to compromised systems.
41. Which attack method is commonly used to distribute fileless malware through browser exploits?
A) Malvertising
B) Man-in-the-middle (MITM) attacks
C) DNS hijacking
D) Bluetooth injection
β
Answer: A) Malvertising
π‘ Explanation: Malvertising (malicious advertising) injects exploit code into legitimate ad networks, which can execute fileless malware in the browser memory.
42. Which PowerShell feature allows attackers to bypass execution policies for running malicious scripts?
A) -NoProfile -ExecutionPolicy Bypass
B) -ForceUpdate
C) -RestrictedMode
D) -DisableFirewall
β
Answer: A) -NoProfile -ExecutionPolicy Bypass
π‘ Explanation: This command bypasses execution policies, allowing attackers to execute malicious PowerShell scripts directly in memory.
43. Which technique allows fileless malware to be injected into system processes without being detected?
A) Process Injection
B) Disk Cloning
C) Certificate Spoofing
D) Port Forwarding
β
Answer: A) Process Injection
π‘ Explanation: Process injection techniques (e.g., DLL injection, process hollowing) allow malware to run inside legitimate processes, evading detection.
44. What role does HTML5 play in some fileless malware attacks?
A) It allows execution of JavaScript-based payloads in browsers
B) It automatically installs malware executables
C) It disables antivirus software
D) It encrypts system files
β
Answer: A) It allows execution of JavaScript-based payloads in browsers
π‘ Explanation: HTML5, combined with JavaScript, can be used to execute fileless malware directly in the browser without requiring user interaction.
45. Which network security feature can help detect fileless malware activity?
A) Deep Packet Inspection (DPI)
B) MAC Address Filtering
C) Static IP Configuration
D) NAT (Network Address Translation)
β
Answer: A) Deep Packet Inspection (DPI)
π‘ Explanation: DPI analyzes network traffic at a granular level to detect unusual patterns associated with fileless malware.
46. Which type of phishing attack is most effective for delivering fileless malware?
A) Spear Phishing
B) Vishing (Voice Phishing)
C) Smishing (SMS Phishing)
D) Watering Hole Attack
β
Answer: A) Spear Phishing
π‘ Explanation: Spear phishing targets specific individuals using tailored emails that trick users into executing malicious scripts.
47. Fileless malware can persist across system reboots using which technique?
A) Registry Persistence
B) DNS Spoofing
C) Bluetooth Pairing
D) DHCP Lease Manipulation
β
Answer: A) Registry Persistence
π‘ Explanation: Attackers store malicious payloads in registry keys that execute every time the system starts.
48. How does COM (Component Object Model) hijacking contribute to fileless malware attacks?
A) It allows malware execution through legitimate system components
B) It modifies firewall settings
C) It injects code into BIOS firmware
D) It exploits cloud storage vulnerabilities
β
Answer: A) It allows malware execution through legitimate system components
π‘ Explanation: COM hijacking enables malware to persist by executing through system components like Explorer.exe.
49. Which cloud service is frequently exploited for hosting fileless malware payloads?
A) Google Drive
B) AWS S3 Buckets
C) OneDrive
D) All of the above
β
Answer: D) All of the above
π‘ Explanation: Attackers often store payloads on cloud services and execute them remotely via PowerShell or script injection.
50. What does PowerShell Constrained Language Mode help prevent?
A) Execution of advanced PowerShell scripts
B) Browser hijacking
C) Rootkit installation
D) Keylogging
β
Answer: A) Execution of advanced PowerShell scripts
π‘ Explanation: Constrained Language Mode restricts PowerShell commands, limiting attackersβ ability to execute malicious scripts.
51. Which attack vector uses mshta.exe to execute fileless malware?
A) HTML Application (HTA) Exploits
B) Bluetooth Hacking
C) ARP Poisoning
D) Wi-Fi Spoofing
β
Answer: A) HTML Application (HTA) Exploits
π‘ Explanation: mshta.exe executes HTA files containing malicious scripts, a common method for delivering fileless malware.
52. Which Windows Event Log ID can help detect suspicious PowerShell activity?
A) 4104
B) 1000
C) 500
D) 2025
β
Answer: A) 4104
π‘ Explanation: Event ID 4104 logs script block execution, helping detect fileless malware that abuses PowerShell.
53. How does fileless malware evade antivirus detection?
A) It does not create traditional files on disk
B) It uses rootkits exclusively
C) It blocks all network traffic
D) It replaces system DLL files
β
Answer: A) It does not create traditional files on disk
π‘ Explanation: Since fileless malware runs in memory, it bypasses traditional signature-based antivirus tools.
54. What is a key indicator of malicious WMI activity in fileless malware attacks?
A) Unexpected wmiprvse.exe execution
B) High CPU usage by Chrome browser
C) Frequent network disconnections
D) Disabling of USB ports
β
Answer: A) Unexpected wmiprvse.exe execution
π‘ Explanation: wmiprvse.exe is the WMI Provider Host process, often abused to execute fileless malware commands.
55. How does fileless ransomware operate differently from traditional ransomware?
A) It encrypts data directly in memory without creating new files
B) It spreads only via physical USB devices
C) It requires administrator privileges to execute
D) It modifies BIOS firmware to prevent booting
β
Answer: A) It encrypts data directly in memory without creating new files
π‘ Explanation: Fileless ransomware can execute encryption in memory, making detection and recovery more difficult.
56. What is the primary advantage attackers gain from using fileless malware?
A) Increased stealth and evasion
B) Faster internet speed
C) Higher CPU performance
D) Better user experience
β
Answer: A) Increased stealth and evasion
π‘ Explanation: Fileless malware is difficult to detect as it does not leave traditional file-based indicators.
57. Which security control can help mitigate the risk of fileless malware?
A) Application Whitelisting
B) Disabling JavaScript in browsers
C) Running outdated antivirus software
D) Using an unmanaged network
β
Answer: A) Application Whitelisting
π‘ Explanation: Application whitelisting ensures that only approved programs can execute, reducing the risk of fileless attacks.
58. What is the role of AMSI (Antimalware Scan Interface) in detecting fileless malware?
A) It scans and blocks suspicious scripts in memory
B) It increases system boot speed
C) It encrypts malware payloads
D) It disables antivirus software
β
Answer: A) It scans and blocks suspicious scripts in memory
π‘ Explanation: AMSI detects malicious PowerShell, JavaScript, and VBScript activity before execution.
59. What type of attack is commonly combined with fileless malware to maintain persistence?
A) Credential Theft
B) Phishing Attacks
C) Watering Hole Attacks
D) All of the above
β
Answer: D) All of the above
π‘ Explanation: Attackers use multiple attack vectors to deploy and sustain fileless malware infections.
60. Why do APT (Advanced Persistent Threat) groups prefer fileless malware?
A) It allows long-term stealthy access
B) It can only attack IoT devices
C) It spreads via Bluetooth exclusively
D) It prevents system reboots
β
Answer: A) It allows long-term stealthy access
π‘ Explanation: APT groups use fileless malware for prolonged access to target environments while evading detection.
61. Which type of fileless malware technique involves executing malicious payloads from a remote server?
A) Remote Code Execution (RCE)
B) File Integrity Monitoring (FIM)
C) Reverse Shell Execution
D) SQL Injection
β
Answer: A) Remote Code Execution (RCE)
π‘ Explanation: Fileless malware can use RCE to execute payloads directly in memory without saving files locally.
62. What is an effective way to detect fileless malware that abuses Windows Registry?
A) Monitoring suspicious registry changes
B) Scanning all text files
C) Disabling registry access for all users
D) Increasing disk storage capacity
β
Answer: A) Monitoring suspicious registry changes
π‘ Explanation: Fileless malware often stores malicious commands in registry keys, so monitoring changes can help detect threats.
63. How do attackers use LOLBins (Living Off The Land Binaries) in fileless attacks?
A) To execute malicious commands using trusted system binaries
B) To modify network firewalls
C) To alter system boot order
D) To install keyloggers
β
Answer: A) To execute malicious commands using trusted system binaries
π‘ Explanation: Attackers use LOLBins like mshta.exe, powershell.exe, and wmic.exe to execute fileless malware without triggering antivirus alerts.
64. What is the purpose of injecting fileless malware into system processes?
A) To blend malicious activities with legitimate processes
B) To disable antivirus software
C) To modify disk partitions
D) To increase processor speed
β
Answer: A) To blend malicious activities with legitimate processes
π‘ Explanation: Injecting into legitimate system processes (e.g., explorer.exe) helps malware remain undetected.
65. Which PowerShell technique helps attackers execute fileless malware stealthily?
A) Invoke-Expression (IEX)
B) Disable-Firewall
C) Remove-UserPermissions
D) Create-Task
β
Answer: A) Invoke-Expression (IEX)
π‘ Explanation: IEX allows attackers to execute PowerShell commands from remote URLs without saving files on disk.
66. How do attackers use macro-based attacks for fileless malware delivery?
A) By embedding malicious VBA scripts in Office documents
B) By modifying browser extensions
C) By brute-forcing administrator passwords
D) By disabling system logs
β
Answer: A) By embedding malicious VBA scripts in Office documents
π‘ Explanation: Macros in Microsoft Office files can execute malicious scripts in memory, making it a common fileless malware attack method.
67. Why is fileless malware often combined with social engineering attacks?
A) To trick users into executing malicious scripts
B) To brute-force system passwords
C) To disable antivirus software
D) To automatically encrypt all system files
β
Answer: A) To trick users into executing malicious scripts
π‘ Explanation: Social engineering techniques like phishing emails convince users to enable macros or run malicious scripts, helping spread fileless malware.
68. Which cybersecurity framework includes fileless attack techniques for threat modeling?
A) MITRE ATT&CK
B) ISO 9001
C) PCI DSS
D) ITIL
β
Answer: A) MITRE ATT&CK
π‘ Explanation: MITRE ATT&CK documents techniques used in fileless attacks under categories like βExecutionβ and βPersistence.β
69. What is a common sign of fileless malware activity?
A) Unexpected spikes in memory usage without corresponding disk activity
B) Increased number of error messages in Windows Explorer
C) Frequent BSOD (Blue Screen of Death)
D) Corrupt system drivers
β
Answer: A) Unexpected spikes in memory usage without corresponding disk activity
π‘ Explanation: Since fileless malware operates in memory, it can cause high RAM usage while leaving no traces on disk.
70. How can Endpoint Detection and Response (EDR) solutions help detect fileless malware?
A) By analyzing behavioral patterns and system activity
B) By blocking all PowerShell scripts
C) By preventing all user logins
D) By disabling network adapters
β
Answer: A) By analyzing behavioral patterns and system activity
π‘ Explanation: EDR tools use behavioral analysis to detect abnormal execution patterns indicative of fileless malware.
71. What is a common cloud-based attack vector for fileless malware?
A) Serverless function exploitation (e.g., AWS Lambda)
B) Browser cache poisoning
C) Unauthorized DNS tunneling
D) Exploiting outdated firmware
β
Answer: A) Serverless function exploitation (e.g., AWS Lambda)
π‘ Explanation: Attackers exploit serverless environments to execute malicious code in the cloud without creating files.
72. Which advanced persistence technique is used in fileless malware attacks?
A) Windows Management Instrumentation (WMI) Event Subscription
B) Brute-force attack on admin accounts
C) Exploiting default browser settings
D) Enabling guest account access
β
Answer: A) Windows Management Instrumentation (WMI) Event Subscription
π‘ Explanation: WMI event subscriptions allow malware to trigger execution automatically based on system events.
73. How does fileless malware use DNS-based command and control (C2) communication?
A) By encoding malicious commands in DNS requests
B) By modifying Windows registry keys
C) By disabling user authentication
D) By creating fake firewall rules
β
Answer: A) By encoding malicious commands in DNS requests
π‘ Explanation: Fileless malware can use DNS tunneling to communicate with attacker-controlled servers stealthily.
74. Which scripting language is commonly abused in fileless malware attacks?
A) JavaScript
B) Python
C) C++
D) Swift
β
Answer: A) JavaScript
π‘ Explanation: JavaScript is widely used in browser-based fileless malware attacks, often executed through malicious websites.
75. What is an effective measure against fileless malware attacks in enterprises?
A) Disabling unnecessary scripting environments (e.g., PowerShell, WMI)
B) Running periodic disk defragmentation
C) Increasing RAM capacity
D) Keeping all antivirus software disabled
β
Answer: A) Disabling unnecessary scripting environments (e.g., PowerShell, WMI)
π‘ Explanation: Disabling unused scripting environments limits the attack surface for fileless malware.
76. What is a common method attackers use to escalate privileges in fileless attacks?
A) Token Impersonation
B) Password Spraying
C) Ping Flood Attack
D) Wireless Sniffing
β
Answer: A) Token Impersonation
π‘ Explanation: Token impersonation allows attackers to execute processes with higher privileges without writing files.
77. How does fileless malware evade traditional antivirus software?
A) By executing malicious code directly in memory
B) By modifying BIOS firmware
C) By brute-forcing encryption keys
D) By injecting payloads into Microsoft Paint
β
Answer: A) By executing malicious code directly in memory
π‘ Explanation: Fileless malware evades detection by not writing any files to disk, making traditional antivirus ineffective.
78. What is a good practice for mitigating fileless malware threats?
A) Enforcing least privilege access
B) Allowing unrestricted PowerShell execution
C) Using outdated operating systems
D) Disabling all network ports
β
Answer: A) Enforcing least privilege access
π‘ Explanation: Restricting administrative privileges reduces the attack surface and limits malware execution.
79. Which PowerShell command can help analyze suspicious script execution?
A) Get-WinEvent
B) Remove-Item
C) Start-Sleep
D) Clear-Host
β
Answer: A) Get-WinEvent
π‘ Explanation: Get-WinEvent retrieves logs that can help analyze suspicious script executions.
80. Why is script obfuscation commonly used in fileless malware?
A) To evade detection by security tools
B) To speed up execution
C) To increase CPU performance
D) To disable firewall settings
β
Answer: A) To evade detection by security tools
π‘ Explanation: Obfuscation hides malicious code from detection tools by encoding or encrypting scripts.
81. What is one of the primary methods attackers use to distribute fileless malware through legitimate websites?
A) Exploit kits
B) MAC address spoofing
C) SQL Injection
D) ARP poisoning
β
Answer: A) Exploit kits
π‘ Explanation: Exploit kits take advantage of browser vulnerabilities to execute fileless malware directly in memory.
82. How do attackers use signed binaries to execute fileless malware?
A) By leveraging trusted Windows executables to run malicious code
B) By modifying the hard drive partition table
C) By brute-forcing network authentication
D) By installing third-party software
β
Answer: A) By leveraging trusted Windows executables to run malicious code
π‘ Explanation: Attackers use signed binaries like rundll32.exe and mshta.exe to execute malicious scripts in memory while evading detection.
83. What is a common way fileless malware achieves persistence on an infected system?
A) Modifying Windows scheduled tasks
B) Deleting system restore points
C) Changing the BIOS firmware
D) Disabling all user accounts
β
Answer: A) Modifying Windows scheduled tasks
π‘ Explanation: Attackers create scheduled tasks to execute malicious scripts at regular intervals without leaving traditional files.
84. Which attack technique is often combined with fileless malware to steal credentials?
A) Memory scraping
B) Ping flood attack
C) DNS cache poisoning
D) URL encoding
β
Answer: A) Memory scraping
π‘ Explanation: Memory scraping extracts sensitive data (e.g., credentials) from RAM without writing anything to disk.
85. How can fileless malware use Windows Remote Management (WinRM) to spread across networks?
A) By executing PowerShell commands remotely
B) By injecting malware into kernel drivers
C) By modifying browser cookies
D) By forcing BIOS reboots
β
Answer: A) By executing PowerShell commands remotely
π‘ Explanation: WinRM enables remote PowerShell execution, allowing attackers to move laterally without dropping files.
86. What role does reflective PE injection play in fileless malware execution?
A) It loads executable code into memory without touching disk
B) It modifies Windows update settings
C) It disables antivirus software
D) It clones network devices
β
Answer: A) It loads executable code into memory without touching disk
π‘ Explanation: Reflective PE injection enables the execution of Portable Executables (PEs) directly in memory, making detection difficult.
87. Why do attackers use encoded PowerShell commands in fileless malware attacks?
A) To bypass security controls and avoid detection
B) To increase script execution speed
C) To encrypt system files
D) To automatically restart the infected system
β
Answer: A) To bypass security controls and avoid detection
π‘ Explanation: Encoding PowerShell commands (e.g., Base64 encoding) helps attackers hide malicious scripts from security tools.
88. How does the use of named pipes contribute to fileless malware operations?
A) It allows secure, in-memory communication between processes
B) It prevents antivirus from detecting rootkits
C) It speeds up hard drive performance
D) It blocks all network traffic
β
Answer: A) It allows secure, in-memory communication between processes
π‘ Explanation: Named pipes facilitate stealthy communication between infected processes without leaving traces on disk.
89. Which advanced privilege escalation technique is commonly used in fileless malware attacks?
A) Token stealing
B) Boot sector modification
C) Wireless network sniffing
D) Man-in-the-middle attack
β
Answer: A) Token stealing
π‘ Explanation: Attackers use token stealing to impersonate privileged accounts and escalate privileges without dropping files.
90. How does adversary-in-the-middle (AiTM) attack relate to fileless malware?
A) It allows attackers to inject malicious scripts into active sessions
B) It disables the Windows firewall
C) It modifies system boot records
D) It removes all browser extensions
β
Answer: A) It allows attackers to inject malicious scripts into active sessions
π‘ Explanation: AiTM attacks intercept user sessions and inject malicious scripts without writing files to disk.
91. Which logging mechanism is most useful for detecting fileless malware activities?
A) Sysmon logs
B) Browser history logs
C) Print spooler logs
D) Clipboard logs
β
Answer: A) Sysmon logs
π‘ Explanation: Sysmon provides detailed event logging for process creation, registry modifications, and script execution, aiding in fileless malware detection.
92. How can attackers use PowerShell download cradle techniques in fileless malware?
A) By executing remote scripts in memory
B) By modifying the master boot record (MBR)
C) By brute-forcing passwords
D) By altering cloud storage configurations
β
Answer: A) By executing remote scripts in memory
π‘ Explanation: PowerShell download cradles fetch and execute scripts from remote sources without storing them on disk.
93. Which feature of Windows Defender helps detect fileless malware?
A) Attack Surface Reduction (ASR) rules
B) Automatic Disk Defragmentation
C) System Restore
D) BitLocker encryption
β
Answer: A) Attack Surface Reduction (ASR) rules
π‘ Explanation: ASR rules block suspicious activities, such as script execution from Office macros, reducing the risk of fileless malware infections.
94. How does fileless malware abuse JavaScript in web browsers?
A) By executing malicious scripts in memory via drive-by downloads
B) By modifying CSS styles
C) By changing browser bookmarks
D) By encrypting JavaScript files
β
Answer: A) By executing malicious scripts in memory via drive-by downloads
π‘ Explanation: JavaScript-based fileless attacks use drive-by downloads to execute payloads in browser memory.
95. What is one of the challenges of detecting fileless malware in enterprise environments?
A) Traditional antivirus software relies on file-based signatures
B) Fileless malware always corrupts system files
C) Firewalls automatically block all fileless malware
D) Fileless malware cannot execute without admin privileges
β
Answer: A) Traditional antivirus software relies on file-based signatures
π‘ Explanation: Since fileless malware does not create files, signature-based antivirus solutions struggle to detect it.
96. Which command-line tool can help investigate memory-resident malware?
A) Volatility
B) Disk Cleanup
C) CHKDSK
D) Task Scheduler
β
Answer: A) Volatility
π‘ Explanation: Volatility is a powerful tool for analyzing memory dumps and identifying fileless malware.
97. How do attackers use COM object hijacking for fileless persistence?
A) By modifying COM objects to execute malicious scripts
B) By creating duplicate user accounts
C) By corrupting antivirus definitions
D) By replacing bootloader configurations
β
Answer: A) By modifying COM objects to execute malicious scripts
π‘ Explanation: COM object hijacking ensures that malware executes whenever a specific application is launched.
98. What is one common post-exploitation goal of fileless malware?
A) Establishing command and control (C2) communication
B) Increasing system boot speed
C) Disabling all system logs
D) Uninstalling web browsers
β
Answer: A) Establishing command and control (C2) communication
π‘ Explanation: Fileless malware often establishes C2 channels to allow remote control of infected systems.
99. Which security technique is effective in stopping PowerShell-based fileless attacks?
A) Enforcing script block logging
B) Disabling clipboard functionality
C) Increasing RAM capacity
D) Enabling guest user accounts
β
Answer: A) Enforcing script block logging
π‘ Explanation: Script block logging helps detect and analyze suspicious PowerShell execution attempts.
100. What makes fileless malware ideal for Advanced Persistent Threats (APTs)?
A) It provides long-term stealthy access without creating disk artifacts
B) It increases CPU performance
C) It can only be executed on Linux systems
D) It forces users to change their passwords
β
Answer: A) It provides long-term stealthy access without creating disk artifacts
π‘ Explanation: APT groups use fileless malware to maintain persistent access while evading traditional security measures.
101. How does fileless malware use Windows Script Host (WSH) to execute malicious code?
A) By running malicious JavaScript or VBScript files in memory
B) By modifying the system boot order
C) By brute-forcing admin passwords
D) By disabling Windows Defender
β
Answer: A) By running malicious JavaScript or VBScript files in memory
π‘ Explanation: WSH allows attackers to execute JavaScript or VBScript without requiring any files to be written to disk.
102. What is a key advantage of using fileless malware in cyber attacks?
A) It reduces the chances of detection by traditional antivirus solutions
B) It increases the CPU speed of infected machines
C) It requires physical access to the victimβs machine
D) It disables all system logs automatically
β
Answer: A) It reduces the chances of detection by traditional antivirus solutions
π‘ Explanation: Fileless malware operates in memory, making it difficult for signature-based antivirus solutions to detect.
103. Which Windows tool is commonly exploited to execute fileless malware without dropping a file?
A) rundll32.exe
B) taskmgr.exe
C) calc.exe
D) notepad.exe
β
Answer: A) rundll32.exe
π‘ Explanation: rundll32.exe is a legitimate Windows tool that attackers abuse to execute malicious DLLs from memory.
104. How does PowerShell AMSI bypass help attackers deploy fileless malware?
A) By evading antivirus detection and executing malicious scripts
B) By deleting all system logs
C) By modifying the Windows boot sector
D) By brute-forcing passwords
β
Answer: A) By evading antivirus detection and executing malicious scripts
π‘ Explanation: Attackers use AMSI bypass techniques to disable Microsoftβs Antimalware Scan Interface, allowing them to run malicious PowerShell scripts undetected.
105. What is one way to detect fileless malware in a corporate environment?
A) Monitoring unusual script execution behavior
B) Disabling Windows Registry
C) Running CHKDSK scans
D) Allowing unrestricted admin privileges
β
Answer: A) Monitoring unusual script execution behavior
π‘ Explanation: Fileless malware relies on scripting environments like PowerShell and WMI, so monitoring their execution can help in detection.
106. How do attackers use registry-based persistence for fileless malware?
A) By storing malicious scripts in registry keys to execute them at startup
B) By modifying firewall settings
C) By overwriting system files
D) By disabling Secure Boot
β
Answer: A) By storing malicious scripts in registry keys to execute them at startup
π‘ Explanation: Attackers use registry keys to store payloads that execute automatically when a user logs in.
107. What is the primary reason fileless malware is used in targeted attacks?
A) It is difficult to detect and remove
B) It spreads through email attachments
C) It only works on outdated systems
D) It requires physical access to the target
β
Answer: A) It is difficult to detect and remove
π‘ Explanation: Fileless malware leaves minimal forensic evidence, making it ideal for stealthy, long-term cyberattacks.
108. Which attack method allows fileless malware to execute directly from RAM?
A) Process injection
B) Dictionary attacks
C) Web defacement
D) DNS spoofing
β
Answer: A) Process injection
π‘ Explanation: Process injection techniques, such as DLL injection or process hollowing, allow malware to run inside legitimate system processes.
109. How does fileless malware abuse WMI (Windows Management Instrumentation)?
A) By executing commands and scripts remotely without writing files
B) By modifying BIOS firmware
C) By injecting malicious DLLs into network drivers
D) By changing the administrator password
β
Answer: A) By executing commands and scripts remotely without writing files
π‘ Explanation: Attackers use WMI for fileless execution by running scripts or commands within the Windows environment.
110. Which cloud-based attack technique is commonly associated with fileless malware?
A) Serverless function abuse
B) Hard drive corruption
C) Unauthorized database access
D) Email phishing
β
Answer: A) Serverless function abuse
π‘ Explanation: Attackers exploit serverless computing environments (e.g., AWS Lambda) to execute malicious code in memory.
111. What is an example of a living-off-the-land attack technique related to fileless malware?
A) Abusing system-native tools like PowerShell and WMI
B) Creating fake antivirus programs
C) Installing keyloggers on remote machines
D) Encrypting all user files
β
Answer: A) Abusing system-native tools like PowerShell and WMI
π‘ Explanation: Living-off-the-land (LotL) techniques use built-in system tools to execute malicious code without dropping files.
112. How can security teams mitigate fileless malware risks?
A) Enabling PowerShell logging and monitoring script activity
B) Disabling all USB ports
C) Allowing unrestricted administrator access
D) Blocking all internet access
β
Answer: A) Enabling PowerShell logging and monitoring script activity
π‘ Explanation: PowerShell logging helps detect unusual script execution that may indicate fileless malware activity.
113. Which of the following attack methods does NOT typically involve fileless malware?
A) Ransomware payloads dropped onto disk
B) Exploiting PowerShell scripts in memory
C) Leveraging Windows Registry for persistence
D) Using WMI for remote execution
β
Answer: A) Ransomware payloads dropped onto disk
π‘ Explanation: Fileless malware avoids writing files to disk, whereas traditional ransomware creates encrypted files.
114. How does DNS tunneling assist in fileless malware attacks?
A) It allows attackers to exfiltrate data and issue commands using DNS queries
B) It modifies system firewall rules
C) It increases network latency
D) It forces users to reset their passwords
β
Answer: A) It allows attackers to exfiltrate data and issue commands using DNS queries
π‘ Explanation: DNS tunneling enables covert communication between infected systems and attacker-controlled servers.
115. What is an effective countermeasure against PowerShell-based fileless malware?
A) Implementing Just Enough Administration (JEA) for PowerShell
B) Blocking all email communications
C) Disabling all user accounts
D) Increasing system RAM
β
Answer: A) Implementing Just Enough Administration (JEA) for PowerShell
π‘ Explanation: JEA restricts PowerShell usage to only necessary administrative functions, reducing attack opportunities.
116. Why do attackers prefer fileless malware for financial fraud campaigns?
A) It allows stealthy execution and minimizes forensic evidence
B) It encrypts financial transactions
C) It brute-forces online banking passwords
D) It replaces legitimate banking applications
β
Answer: A) It allows stealthy execution and minimizes forensic evidence
π‘ Explanation: Fileless malware is harder to trace, making it ideal for financial fraud and cyber espionage.
117. What is an advanced evasion technique used by fileless malware?
A) Code obfuscation
B) Changing desktop wallpapers
C) Deleting browser history
D) Encrypting the system registry
β
Answer: A) Code obfuscation
π‘ Explanation: Code obfuscation disguises malicious scripts, making them harder to detect by security solutions.
118. What tool is useful for detecting suspicious script execution?
A) Microsoft Defender for Endpoint
B) Windows Media Player
C) Disk Cleanup
D) Internet Explorer
β
Answer: A) Microsoft Defender for Endpoint
π‘ Explanation: Microsoft Defender for Endpoint provides behavioral analysis and real-time threat detection.
119. Which attack type can be combined with fileless malware for persistence?
A) Rootkits
B) Physical hardware modification
C) Optical disc exploits
D) SQL Injection
β
Answer: A) Rootkits
π‘ Explanation: Rootkits hide malware execution in system processes, making them a powerful persistence mechanism.
120. What security best practice reduces fileless malware risks?
A) Implementing application whitelisting
B) Allowing unrestricted remote access
C) Disabling all system logs
D) Running outdated operating systems
β
Answer: A) Implementing application whitelisting
π‘ Explanation: Application whitelisting ensures only approved programs can run, reducing the risk of unauthorized script execution.
121. What is the primary advantage of using Living-off-the-Land (LotL) techniques in fileless malware attacks?
A) It uses legitimate system tools to evade detection
B) It spreads through removable media only
C) It requires root access to execute
D) It depends on kernel modifications
β
Answer: A) It uses legitimate system tools to evade detection
π‘ Explanation: LotL attacks leverage built-in system tools like PowerShell and WMI, making them harder to detect.
122. How can behavioral analytics help detect fileless malware?
A) By identifying unusual script execution and memory activity
B) By scanning only for known malware signatures
C) By blocking all Windows processes
D) By disabling all PowerShell commands
β
Answer: A) By identifying unusual script execution and memory activity
π‘ Explanation: Behavioral analytics can detect abnormal system behavior, which is key in identifying fileless malware.
123. Which of the following is NOT a typical method for delivering fileless malware?
A) Drive-by downloads
B) Memory injection via PowerShell
C) Boot sector modification
D) WMI scripting attacks
β
Answer: C) Boot sector modification
π‘ Explanation: Fileless malware operates in memory and does not typically modify the boot sector.
124. What attack technique allows fileless malware to execute commands as a privileged user?
A) Token Impersonation
B) MAC Spoofing
C) DNS Cache Poisoning
D) SQL Injection
β
Answer: A) Token Impersonation
π‘ Explanation: Token impersonation allows attackers to run processes with elevated privileges without writing files to disk.
125. How does fileless malware avoid detection by antivirus programs?
A) By not writing any files to disk
B) By modifying the CPUβs firmware
C) By encrypting the system registry
D) By deleting firewall rules
β
Answer: A) By not writing any files to disk
π‘ Explanation: Traditional antivirus programs rely on scanning files, so fileless malware remains hidden by operating in memory.
126. How do attackers use event-triggered execution in fileless malware attacks?
A) By setting malicious scripts to run when a specific event occurs
B) By modifying the systemβs CPU settings
C) By encrypting all user data upon execution
D) By disabling all antivirus services
β
Answer: A) By setting malicious scripts to run when a specific event occurs
π‘ Explanation: Attackers can use WMI event subscriptions or scheduled tasks to trigger malware execution.
127. Which PowerShell feature is often exploited in fileless malware attacks?
A) Invoke-Expression (IEX)
B) Remove-Item
C) Start-Service
D) Stop-Process
β
Answer: A) Invoke-Expression (IEX)
π‘ Explanation: IEX allows attackers to execute PowerShell commands from remote sources without writing them to disk.
128. What role does obfuscation play in fileless malware attacks?
A) It hides malicious code to evade detection
B) It improves the performance of malicious scripts
C) It disables Windows logging features
D) It increases the execution speed of PowerShell
β
Answer: A) It hides malicious code to evade detection
π‘ Explanation: Obfuscation disguises malicious code, making it difficult for security tools to recognize.
129. Why is forensic analysis more challenging in fileless malware attacks?
A) There are fewer artifacts left on disk for investigation
B) Fileless malware encrypts the hard drive upon execution
C) It modifies system BIOS settings
D) It disables all network connections
β
Answer: A) There are fewer artifacts left on disk for investigation
π‘ Explanation: Fileless malware operates in memory, leaving little evidence for forensic investigators.
130. Which network-based indicator can suggest the presence of fileless malware?
A) Unusual PowerShell script execution over the network
B) High CPU usage from the web browser
C) Unexpected printer spooler activity
D) Frequent password reset requests
β
Answer: A) Unusual PowerShell script execution over the network
π‘ Explanation: Fileless malware often uses PowerShell for remote execution, which can be detected through network monitoring.
131. How does script signing help prevent fileless malware attacks?
A) It ensures only trusted scripts can be executed
B) It blocks all scripting environments
C) It increases CPU performance
D) It prevents malware from modifying hardware settings
β
Answer: A) It ensures only trusted scripts can be executed
π‘ Explanation: Script signing allows only digitally signed scripts to run, preventing unauthorized execution.
132. How does AMSI (Antimalware Scan Interface) improve security against fileless malware?
A) By analyzing scripts before execution
B) By blocking all unsigned PowerShell commands
C) By disabling administrator privileges
D) By encrypting all running processes
β
Answer: A) By analyzing scripts before execution
π‘ Explanation: AMSI helps detect and block malicious scripts before they are executed.
133. Why do adversaries prefer fileless malware over traditional malware?
A) It is harder to detect and leaves fewer traces
B) It spreads faster than file-based malware
C) It cannot be removed once executed
D) It corrupts the operating system permanently
β
Answer: A) It is harder to detect and leaves fewer traces
π‘ Explanation: Fileless malware operates in memory, making it stealthier than traditional malware.
134. What technique allows fileless malware to bypass User Account Control (UAC)?
A) UAC Bypass via COM Hijacking
B) Encrypting all system files
C) Changing user account passwords
D) Modifying the BIOS firmware
β
Answer: A) UAC Bypass via COM Hijacking
π‘ Explanation: Attackers use COM hijacking to execute malicious code with elevated privileges without triggering UAC prompts.
135. How does PowerShell Remoting facilitate fileless malware attacks?
A) It allows remote execution of scripts without writing to disk
B) It automatically grants admin access to attackers
C) It blocks all security updates
D) It disables all PowerShell logging
β
Answer: A) It allows remote execution of scripts without writing to disk
π‘ Explanation: PowerShell Remoting enables attackers to execute commands on remote systems without saving files.
136. What type of cyberattack is often combined with fileless malware to enhance its stealth?
A) Advanced Persistent Threats (APTs)
B) Physical USB exploitation
C) Social media phishing
D) Network latency attacks
β
Answer: A) Advanced Persistent Threats (APTs)
π‘ Explanation: APTs use fileless malware to maintain long-term, stealthy access to targeted systems.
137. What is a strong indicator of a fileless malware infection in enterprise networks?
A) Sudden spikes in PowerShell or WMI activity
B) Increased email spam traffic
C) Changes in screen resolution
D) Frequent application crashes
β
Answer: A) Sudden spikes in PowerShell or WMI activity
π‘ Explanation: Fileless malware often abuses PowerShell and WMI, leading to abnormal spikes in activity.
138. Which security solution is best suited for detecting fileless malware?
A) Endpoint Detection and Response (EDR)
B) Traditional antivirus with signature-based detection
C) Disk cleanup utilities
D) Hardware-based firewalls
β
Answer: A) Endpoint Detection and Response (EDR)
π‘ Explanation: EDR solutions detect anomalous behaviors, making them effective against fileless malware.
139. What is an effective way to mitigate fileless malware attacks?
A) Implementing application whitelisting
B) Allowing unrestricted PowerShell execution
C) Disabling automatic system updates
D) Increasing hard drive storage
β
Answer: A) Implementing application whitelisting
π‘ Explanation: Application whitelisting restricts execution to only approved programs, reducing malware risks.
140. What is a key characteristic of fileless malware persistence?
A) It relies on registry and memory-based execution
B) It modifies kernel-level drivers
C) It encrypts all network traffic
D) It uses external hard drives to store payloads
β
Answer: A) It relies on registry and memory-based execution
π‘ Explanation: Fileless malware often achieves persistence by using registry-based execution and in-memory techniques.
141. Which of the following attack techniques is commonly used to distribute fileless malware via malicious email attachments?
A) Microsoft Office macro exploitation
B) Brute-force password attacks
C) ARP cache poisoning
D) ICMP tunneling
β
Answer: A) Microsoft Office macro exploitation
π‘ Explanation: Malicious macros in Office documents execute scripts that load fileless malware directly into memory.
142. What role does PowerShell logging play in detecting fileless malware?
A) It records executed commands, helping detect suspicious activities
B) It prevents PowerShell scripts from running
C) It disables all administrator privileges
D) It automatically blocks all network communication
β
Answer: A) It records executed commands, helping detect suspicious activities
π‘ Explanation: PowerShell logging helps security teams track command execution, a critical detection method for fileless malware.
143. How does fileless malware leverage browser vulnerabilities?
A) It executes malicious JavaScript in memory through drive-by downloads
B) It forces the user to reinstall the browser
C) It modifies browser color schemes
D) It creates fake browser extensions
β
Answer: A) It executes malicious JavaScript in memory through drive-by downloads
π‘ Explanation: Attackers exploit browser vulnerabilities to execute malicious scripts in memory without requiring file downloads.
144. Which attack technique allows fileless malware to inject code into running processes?
A) Reflective DLL injection
B) DNS cache poisoning
C) Session hijacking
D) SYN flood attack
β
Answer: A) Reflective DLL injection
π‘ Explanation: Reflective DLL injection enables malware to load and execute code directly in a processβs memory.
145. What is the role of AMSI (Antimalware Scan Interface) in preventing fileless malware execution?
A) It scans and blocks suspicious scripts before execution
B) It disables all system processes
C) It restricts all PowerShell commands
D) It automatically deletes temporary files
β
Answer: A) It scans and blocks suspicious scripts before execution
π‘ Explanation: AMSI analyzes script content before execution, helping detect and block fileless malware.
146. Why do attackers use obfuscated PowerShell commands in fileless malware attacks?
A) To evade detection by security tools
B) To improve the execution speed of commands
C) To disable user login credentials
D) To modify the file system
β
Answer: A) To evade detection by security tools
π‘ Explanation: Obfuscation hides malicious intent by encoding or altering script commands.
147. Which type of attack often delivers fileless malware through compromised websites?
A) Watering hole attack
B) SQL injection attack
C) Brute-force attack
D) ICMP flood attack
β
Answer: A) Watering hole attack
π‘ Explanation: In watering hole attacks, attackers compromise legitimate websites to deliver malicious scripts that run in memory.
148. What is the primary reason fileless malware is challenging to remove?
A) It does not leave files on disk for forensic analysis
B) It modifies hardware components
C) It disables all network connections
D) It rewrites the BIOS firmware
β
Answer: A) It does not leave files on disk for forensic analysis
π‘ Explanation: Since fileless malware operates in memory, it disappears when the system reboots, making it difficult to analyze.
149. Which Windows tool is commonly exploited to execute malicious scripts without dropping files?
A) mshta.exe
B) notepad.exe
C) explorer.exe
D) calc.exe
β
Answer: A) mshta.exe
π‘ Explanation: Attackers use mshta.exe to execute malicious HTML and JavaScript scripts in memory.
150. How does fileless malware use scheduled tasks for persistence?
A) It schedules malicious scripts to run at specific intervals
B) It modifies the Windows kernel
C) It corrupts hard drive partitions
D) It disables antivirus software
β
Answer: A) It schedules malicious scripts to run at specific intervals
π‘ Explanation: Attackers create scheduled tasks to execute malicious scripts automatically without writing files to disk.
151. Which of the following is an effective mitigation technique against fileless malware?
A) Disabling unnecessary scripting environments like PowerShell and WMI
B) Allowing unrestricted remote access
C) Increasing disk storage capacity
D) Disabling antivirus software
β
Answer: A) Disabling unnecessary scripting environments like PowerShell and WMI
π‘ Explanation: Restricting the execution of scripting environments reduces the attack surface for fileless malware.
152. What is an effective way to detect malicious use of Windows Management Instrumentation (WMI)?
A) Monitoring abnormal WMI queries in system logs
B) Deleting all system logs periodically
C) Disabling Windows updates
D) Running disk cleanup tools
β
Answer: A) Monitoring abnormal WMI queries in system logs
π‘ Explanation: Unusual WMI queries can indicate malicious script execution.
153. How do attackers use registry modifications in fileless malware attacks?
A) By storing malicious scripts in registry keys for persistence
B) By encrypting all registry settings
C) By forcing users to reset their passwords
D) By modifying the CPU clock speed
β
Answer: A) By storing malicious scripts in registry keys for persistence
π‘ Explanation: Attackers use the registry to store and execute malicious scripts stealthily.
154. Which cybersecurity control is essential for detecting fileless malware?
A) Endpoint Detection and Response (EDR)
B) Disabling network adapters
C) Running outdated antivirus software
D) Deleting browser cookies
β
Answer: A) Endpoint Detection and Response (EDR)
π‘ Explanation: EDR solutions monitor behavior and detect anomalies related to fileless malware.
155. How do attackers use COM hijacking in fileless malware attacks?
A) By modifying legitimate COM objects to execute malicious code
B) By forcing BIOS reboots
C) By disabling hard drive encryption
D) By blocking all internet traffic
β
Answer: A) By modifying legitimate COM objects to execute malicious code
π‘ Explanation: COM hijacking enables attackers to launch malware without writing files to disk.
156. What role does deep packet inspection (DPI) play in detecting fileless malware?
A) It analyzes network traffic for malicious script execution
B) It disables remote desktop connections
C) It blocks all incoming emails
D) It forces users to reset passwords
β
Answer: A) It analyzes network traffic for malicious script execution
π‘ Explanation: DPI inspects network packets for signs of fileless malware execution.
157. Which process is commonly targeted by fileless malware for privilege escalation?
A) lsass.exe
B) taskmgr.exe
C) notepad.exe
D) paint.exe
β
Answer: A) lsass.exe
π‘ Explanation: lsass.exe (Local Security Authority Subsystem Service) is often targeted for credential dumping.
158. How do attackers use PowerShell remoting in fileless malware attacks?
A) By executing malicious scripts on remote machines
B) By modifying hard drive partitions
C) By encrypting all system files
D) By disabling keyboard input
β
Answer: A) By executing malicious scripts on remote machines
π‘ Explanation: PowerShell remoting allows attackers to execute commands on remote systems without dropping files.
159. Which of the following is a key indicator of fileless malware activity?
A) Unexpected PowerShell script execution without user action
B) Increased hard drive space usage
C) Frequent Windows updates
D) Slow internet speed
β
Answer: A) Unexpected PowerShell script execution without user action
π‘ Explanation: If PowerShell scripts execute unexpectedly, it may indicate fileless malware activity.
160. Why is fileless malware popular among Advanced Persistent Threat (APT) groups?
A) It provides stealthy, long-term access to compromised systems
B) It requires less storage space
C) It disables all user accounts
D) It modifies all installed applications
β
Answer: A) It provides stealthy, long-term access to compromised systems
π‘ Explanation: APT groups use fileless malware for persistent, stealthy attacks while evading detection.
161. Which technique allows fileless malware to execute commands using a trusted Windows process?
A) Parent Process Spoofing
B) SQL Injection
C) Cross-Site Request Forgery (CSRF)
D) Bluetooth Hijacking
β
Answer: A) Parent Process Spoofing
π‘ Explanation: Parent process spoofing allows attackers to launch malicious processes under the disguise of legitimate system processes, evading detection.
162. How does fileless malware use LOLBins (Living Off the Land Binaries) for execution?
A) It abuses legitimate system utilities to run malicious code
B) It modifies CPU firmware
C) It corrupts database records
D) It deletes Windows system files
β
Answer: A) It abuses legitimate system utilities to run malicious code
π‘ Explanation: LOLBins like wmic.exe, rundll32.exe, and mshta.exe are abused to execute malicious scripts without writing files to disk.
163. What is a key characteristic of fileless malware that makes it difficult to analyze?
A) It operates entirely in system memory
B) It encrypts the entire file system
C) It creates a large number of log files
D) It relies only on physical USB infections
β
Answer: A) It operates entirely in system memory
π‘ Explanation: Since fileless malware runs in RAM and does not write files to disk, traditional forensic methods struggle to detect it.
164. Which Microsoft feature is often used by fileless malware to automate execution?
A) Windows Task Scheduler
B) Microsoft Paint
C) Notepad++
D) Device Manager
β
Answer: A) Windows Task Scheduler
π‘ Explanation: Task Scheduler is commonly abused to execute scripts or commands automatically as part of fileless malware persistence techniques.
165. Which of the following is an effective defense against PowerShell-based fileless malware?
A) Enforcing PowerShell Constrained Language Mode
B) Disabling the Windows firewall
C) Using weak passwords
D) Allowing unrestricted script execution
β
Answer: A) Enforcing PowerShell Constrained Language Mode
π‘ Explanation: Constrained Language Mode limits PowerShell commands to reduce attack opportunities for fileless malware.
166. What is a key difference between fileless malware and traditional malware?
A) Fileless malware does not store malicious payloads on disk
B) Fileless malware requires physical access to the target
C) Fileless malware is only effective against Linux systems
D) Fileless malware always spreads via USB devices
β
Answer: A) Fileless malware does not store malicious payloads on disk
π‘ Explanation: Traditional malware relies on files stored on disk, while fileless malware executes directly in memory.
167. What is an indicator of compromise (IOC) that may suggest fileless malware activity?
A) High CPU and memory usage from PowerShell or WMI
B) Slow internet connection
C) Frequent Windows update failures
D) Changes in the computer wallpaper
β
Answer: A) High CPU and memory usage from PowerShell or WMI
π‘ Explanation: Fileless malware often abuses system utilities like PowerShell and WMI, causing unusual system resource usage.
168. How does fileless malware maintain persistence using the Windows registry?
A) By adding malicious scripts to autorun registry keys
B) By corrupting all registry values
C) By disabling the registry editor
D) By encrypting registry settings
β
Answer: A) By adding malicious scripts to autorun registry keys
π‘ Explanation: Attackers store payloads in registry keys that execute automatically when the system starts.
169. What is an effective method for detecting PowerShell-based fileless attacks?
A) Monitoring Windows Event Logs for suspicious script execution
B) Disabling antivirus software
C) Allowing unrestricted network connections
D) Increasing hard drive space
β
Answer: A) Monitoring Windows Event Logs for suspicious script execution
π‘ Explanation: Windows Event Logs provide visibility into abnormal script execution, helping detect fileless malware activity.
170. Which of the following is a popular framework used for fileless malware attacks?
A) Empire
B) Nessus
C) Wireshark
D) VirtualBox
β
Answer: A) Empire
π‘ Explanation: Empire is a post-exploitation framework that enables PowerShell-based fileless malware execution.
171. What is the role of process hollowing in fileless malware execution?
A) It replaces the memory of a legitimate process with malicious code
B) It modifies firewall rules
C) It slows down the target system
D) It blocks Windows updates
β
Answer: A) It replaces the memory of a legitimate process with malicious code
π‘ Explanation: Process hollowing allows attackers to inject malicious code into trusted processes, making detection harder.
172. What is an example of a cloud-based attack vector for fileless malware?
A) Exploiting misconfigured cloud storage permissions
B) Encrypting all cloud databases
C) Deleting cloud logs permanently
D) Modifying user email accounts
β
Answer: A) Exploiting misconfigured cloud storage permissions
π‘ Explanation: Attackers can execute malicious scripts in cloud environments without writing files to storage disks.
173. How does JavaScript contribute to fileless malware execution?
A) It runs malicious scripts directly in a userβs browser memory
B) It disables antivirus software
C) It modifies network routing tables
D) It forces the user to reset their password
β
Answer: A) It runs malicious scripts directly in a userβs browser memory
π‘ Explanation: JavaScript-based attacks can execute fileless malware in memory via drive-by downloads.
174. What is the primary benefit for attackers using fileless malware over traditional malware?
A) It minimizes forensic artifacts on disk
B) It allows faster execution
C) It increases system storage capacity
D) It requires a specific Windows version
β
Answer: A) It minimizes forensic artifacts on disk
π‘ Explanation: Since fileless malware operates in RAM, it leaves little evidence for forensic investigators.
175. How can organizations prevent exploitation of Windows Management Instrumentation (WMI) by fileless malware?
A) By monitoring and restricting WMI usage
B) By allowing all scripts to run automatically
C) By enabling automatic software updates only
D) By increasing disk read/write speeds
β
Answer: A) By monitoring and restricting WMI usage
π‘ Explanation: Controlling WMI usage helps prevent attackers from using it for fileless malware execution.
176. How does DNS tunneling contribute to fileless malware attacks?
A) It allows command and control (C2) communication through DNS queries
B) It modifies local DNS records permanently
C) It encrypts all user passwords
D) It creates fake DNS servers
β
Answer: A) It allows command and control (C2) communication through DNS queries
π‘ Explanation: DNS tunneling enables attackers to send commands to and receive data from compromised systems stealthily.
177. How does code injection help fileless malware remain stealthy?
A) It runs malicious code inside legitimate processes
B) It modifies BIOS firmware
C) It encrypts Windows log files
D) It deletes registry settings
β
Answer: A) It runs malicious code inside legitimate processes
π‘ Explanation: Code injection techniques like DLL injection and process hollowing help fileless malware evade detection.
178. What is an effective countermeasure against JavaScript-based fileless malware?
A) Disabling unnecessary browser scripts
B) Allowing unrestricted remote connections
C) Using outdated security policies
D) Enabling pop-up ads
β
Answer: A) Disabling unnecessary browser scripts
π‘ Explanation: Blocking unnecessary JavaScript execution can reduce exposure to browser-based fileless attacks.
179. How does Windows Defender ATP (Advanced Threat Protection) help in detecting fileless malware?
A) By analyzing system behavior and detecting anomalies
B) By blocking all PowerShell commands
C) By disabling all system processes
D) By encrypting hard drives
β
Answer: A) By analyzing system behavior and detecting anomalies
π‘ Explanation: Windows Defender ATP uses behavioral analysis to detect fileless malware execution.
180. What is the key reason Advanced Persistent Threat (APT) groups favor fileless malware?
A) It provides stealthy, long-term access to systems
B) It requires minimal CPU power
C) It forces users to reset passwords
D) It spreads exclusively through USB devices
β
Answer: A) It provides stealthy, long-term access to systems
π‘ Explanation: APT groups use fileless malware to maintain persistence while avoiding detection.
181. Which Windows binary is frequently abused in fileless malware attacks to execute remote scripts?
A) mshta.exe
B) cmd.exe
C) taskmgr.exe
D) explorer.exe
β
Answer: A) mshta.exe
π‘ Explanation: mshta.exe is a legitimate Windows tool that executes HTML applications, but attackers abuse it to run malicious JavaScript or VBScript files in memory.
182. What is one of the primary challenges in detecting fileless malware?
A) It does not leave traditional file-based indicators
B) It always requires physical access
C) It only works on older Windows versions
D) It disables all user accounts
β
Answer: A) It does not leave traditional file-based indicators
π‘ Explanation: Since fileless malware executes in memory, traditional file-scanning antivirus tools struggle to detect it.
183. How does process doppelgΓ€nging help fileless malware evade detection?
A) It replaces a legitimate process with a malicious one without being noticed
B) It corrupts system drivers
C) It modifies hardware configurations
D) It forces the system to reboot
β
Answer: A) It replaces a legitimate process with a malicious one without being noticed
π‘ Explanation: Process doppelgΓ€nging exploits NTFS transaction features to load a malicious process while appearing legitimate.
184. How can organizations mitigate the risk of fileless malware?
A) Implementing endpoint detection and response (EDR) solutions
B) Disabling automatic screen brightness adjustment
C) Allowing all scripts to execute without logging
D) Removing all firewall rules
β
Answer: A) Implementing endpoint detection and response (EDR) solutions
π‘ Explanation: EDR solutions analyze system behavior to detect anomalies, which helps identify fileless malware attacks.
185. What is one way attackers use rundll32.exe in fileless malware attacks?
A) To execute malicious DLLs in memory without writing them to disk
B) To corrupt Windows Defender settings
C) To disable user account control (UAC)
D) To create duplicate system logs
β
Answer: A) To execute malicious DLLs in memory without writing them to disk
π‘ Explanation: rundll32.exe is a legitimate Windows tool that attackers exploit to load and execute DLLs in memory.
186. Why is PowerShell a favorite tool for attackers deploying fileless malware?
A) It allows script execution directly in memory
B) It automatically disables firewalls
C) It forces system reboots
D) It cannot execute remote commands
β
Answer: A) It allows script execution directly in memory
π‘ Explanation: PowerShell enables attackers to execute scripts in memory, making it a preferred tool for fileless malware.
187. What type of network traffic pattern might indicate a fileless malware infection?
A) Unusual outbound DNS queries to unknown domains
B) Consistently high bandwidth usage for video streaming
C) A sudden increase in printer spooler activity
D) Repeated failed login attempts
β
Answer: A) Unusual outbound DNS queries to unknown domains
π‘ Explanation: Fileless malware often communicates with command-and-control (C2) servers using DNS tunneling or other stealthy methods.
188. What is a common post-exploitation goal of fileless malware?
A) Establishing persistence for long-term system access
B) Overwriting the master boot record (MBR)
C) Deleting all user accounts
D) Encrypting the entire operating system
β
Answer: A) Establishing persistence for long-term system access
π‘ Explanation: Fileless malware is often used to create persistent backdoors without leaving traces on disk.
189. Which type of attack technique allows fileless malware to execute by hijacking Windows Management Instrumentation (WMI)?
A) WMI Event Subscription
B) Brute-force attack
C) SQL injection
D) Port scanning
β
Answer: A) WMI Event Subscription
π‘ Explanation: Attackers use WMI event subscriptions to execute scripts when specific system events occur.
190. Why do Advanced Persistent Threat (APT) groups favor fileless malware?
A) It allows them to maintain stealthy access without creating files
B) It automatically spreads via email attachments
C) It works only on outdated operating systems
D) It is easier to remove than traditional malware
β
Answer: A) It allows them to maintain stealthy access without creating files
π‘ Explanation: APT groups use fileless malware to avoid detection and maintain long-term access.
191. What technique allows fileless malware to execute malicious scripts remotely?
A) PowerShell Remoting
B) Bluetooth pairing
C) Physical keystroke injection
D) BIOS flashing
β
Answer: A) PowerShell Remoting
π‘ Explanation: PowerShell Remoting enables attackers to execute commands on remote systems without writing files.
192. What makes fileless malware an effective tool for cyber espionage?
A) It operates stealthily without leaving file-based artifacts
B) It spreads faster than traditional malware
C) It automatically installs new applications
D) It only works on Windows 7
β
Answer: A) It operates stealthily without leaving file-based artifacts
π‘ Explanation: Fileless malwareβs ability to evade traditional security solutions makes it ideal for espionage.
193. What is one way organizations can prevent macro-based fileless malware attacks?
A) Disabling macros in Microsoft Office documents
B) Blocking all internet access
C) Running all scripts as administrator
D) Disabling all Windows services
β
Answer: A) Disabling macros in Microsoft Office documents
π‘ Explanation: Macros are a common entry point for fileless malware, so disabling them reduces risk.
194. What component of Windows logs suspicious script execution activity?
A) Windows Event Log
B) Task Manager
C) File Explorer
D) Control Panel
β
Answer: A) Windows Event Log
π‘ Explanation: Windows Event Log tracks script execution and can reveal suspicious activity.
195. How does fileless malware evade detection in cloud environments?
A) By executing in virtual machines and temporary containers
B) By disabling multi-factor authentication
C) By modifying encryption algorithms
D) By blocking firewall rules
β
Answer: A) By executing in virtual machines and temporary containers
π‘ Explanation: Fileless malware can execute in ephemeral cloud environments, making forensic analysis difficult.
196. How can fileless malware abuse Windows Remote Management (WinRM)?
A) By executing remote PowerShell commands without leaving traces
B) By modifying hard drive partitions
C) By blocking user logins
D) By disabling the Windows firewall
β
Answer: A) By executing remote PowerShell commands without leaving traces
π‘ Explanation: WinRM allows attackers to execute commands remotely, making it a popular method for fileless attacks.
197. What is one way to monitor for fileless malware activity in an enterprise network?
A) Analyzing network traffic for unusual script execution
B) Running weekly antivirus scans
C) Disabling all Windows updates
D) Allowing all macros in Office documents
β
Answer: A) Analyzing network traffic for unusual script execution
π‘ Explanation: Network traffic analysis can reveal anomalies like command-and-control (C2) communication.
198. Which security feature helps block fileless malware from executing untrusted scripts?
A) AppLocker
B) Disk Defragmenter
C) Print Spooler
D) Windows Media Player
β
Answer: A) AppLocker
π‘ Explanation: AppLocker prevents unauthorized scripts from executing, reducing the risk of fileless malware attacks.
199. What makes detecting fileless malware difficult for traditional antivirus solutions?
A) It does not rely on disk-based files
B) It modifies the BIOS firmware
C) It only infects Linux systems
D) It spreads exclusively through USB drives
β
Answer: A) It does not rely on disk-based files
π‘ Explanation: Traditional antivirus tools rely on file-based detection, making them ineffective against fileless malware.
200. How does behavioral analysis help detect fileless malware?
A) By identifying suspicious execution patterns and system anomalies
B) By scanning files for known malware signatures
C) By increasing disk write speeds
D) By blocking all USB devices
β
Answer: A) By identifying suspicious execution patterns and system anomalies
π‘ Explanation: Behavioral analysis helps detect anomalies that indicate fileless malware execution.