nerdexam
GIAC

GCIH · Question #783

Which command is an indication of post-exploitation persistence?

The correct answer is B. meterpreter > execute -f "net localgroup administrators /add newadmin". Adding an account to the local administrators group via Meterpreter is a post-exploitation persistence technique that ensures continued privileged access.

Vulnerability Exploitation & Privilege Escalation

Question

Which command is an indication of post-exploitation persistence?

Options

  • Atype NTDS.dit > FacilitiesSupplyList.docx:NTDS.dit
  • Bmeterpreter > execute -f "net localgroup administrators /add newadmin"
  • Cfind/ -type d -perm -0222 2>/dev/null
  • Dnet use\10.10.1.26\C$ L0ngP@55Wor) /u:administrator

How the community answered

(28 responses)
  • A
    4% (1)
  • B
    79% (22)
  • C
    7% (2)
  • D
    11% (3)

Why each option

Adding an account to the local administrators group via Meterpreter is a post-exploitation persistence technique that ensures continued privileged access.

Atype NTDS.dit > FacilitiesSupplyList.docx:NTDS.dit

This command hides NTDS.dit inside an NTFS Alternate Data Stream, which is a data exfiltration or concealment technique, not persistence.

Bmeterpreter > execute -f "net localgroup administrators /add newadmin"Correct

The meterpreter execute command runs 'net localgroup administrators /add newadmin', which creates a backdoor administrator account on the compromised host. This is a textbook post-exploitation persistence method, giving the attacker a reliable high-privilege re-entry point even if the initial exploit vector is remediated.

Cfind/ -type d -perm -0222 2>/dev/null

This find command locates world-writable directories, which is a privilege escalation or reconnaissance activity.

Dnet use\\10.10.1.26\C$ L0ngP@55Wor\) /u:administrator

This net use command maps a remote network share, which is a lateral movement technique, not persistence on the current host.

Concept tested: Post-exploitation persistence via local admin account creation

Source: https://attack.mitre.org/techniques/T1136/001/

Topics

#post-exploitation#persistence#privilege escalation#meterpreter

Community Discussion

No community discussion yet for this question.

Full GCIH Practice