PT0-001 Question #151: Real Exam Question with Answer & Explanation
The correct answer is C: Modify a known boot-time service to instantiate a callback.
Question
After establishing a shell on a target system, Joe, a penetration tester, is aware that his actions have not been detected. He now wants to maintain persistent access to the machine. Which of the following methods would be MOST easily detected?
Options
- A. Run a zero-day exploit.
- B. Create a new domain user with a known password.
- C. Modify a known boot-time service to instantiate a callback.
- D. Obtain cleartext credentials of the compromised user.
Explanation
Modifying a known boot-time service to establish a callback is the most easily detected persistence method because security tools actively and continuously monitor changes to registered startup services.
Common mistakes:
- A. A zero-day exploit by definition has no existing detection signatures or behavioral baselines, making it the least likely method to trigger an alert in security monitoring tools.
- B. Creating a new domain user is auditable through Active Directory logs, but in large environments new accounts can blend in and may not be reviewed as quickly as a direct change to a monitored service.
- D. Obtaining cleartext credentials is a passive, read-only action that leaves minimal forensic artifacts and is far less likely to generate an automated security alert than modifying a service configuration.
Concept tested: Persistence technique detection risk for boot-time services
Reference: https://attack.mitre.org/techniques/T1543/