GCIH · Question #783
Which command is an indication of post-exploitation persistence?
The correct answer is B. meterpreter > execute -f "net localgroup administrators /add newadmin". Adding an account to the local administrators group via Meterpreter is a post-exploitation persistence technique that ensures continued privileged access.
Question
Which command is an indication of post-exploitation persistence?
Options
- Atype NTDS.dit > FacilitiesSupplyList.docx:NTDS.dit
- Bmeterpreter > execute -f "net localgroup administrators /add newadmin"
- Cfind/ -type d -perm -0222 2>/dev/null
- Dnet use\10.10.1.26\C$ L0ngP@55Wor) /u:administrator
How the community answered
(28 responses)- A4% (1)
- B79% (22)
- C7% (2)
- D11% (3)
Why each option
Adding an account to the local administrators group via Meterpreter is a post-exploitation persistence technique that ensures continued privileged access.
This command hides NTDS.dit inside an NTFS Alternate Data Stream, which is a data exfiltration or concealment technique, not persistence.
The meterpreter execute command runs 'net localgroup administrators /add newadmin', which creates a backdoor administrator account on the compromised host. This is a textbook post-exploitation persistence method, giving the attacker a reliable high-privilege re-entry point even if the initial exploit vector is remediated.
This find command locates world-writable directories, which is a privilege escalation or reconnaissance activity.
This net use command maps a remote network share, which is a lateral movement technique, not persistence on the current host.
Concept tested: Post-exploitation persistence via local admin account creation
Source: https://attack.mitre.org/techniques/T1136/001/
Topics
Community Discussion
No community discussion yet for this question.