nerdexam
CompTIA

PT0-001 · Question #185

During a penetration test a tester Identifies traditional antivirus running on the exploited server. Which of the following techniques would BEST ensure persistence in a post-exploitation phase?

The correct answer is B. Modified daemons. Modifying existing system daemons is the most AV-evasive persistence technique because it leverages trusted, pre-existing processes rather than introducing new suspicious executables that antivirus would scan.

Post-exploitation and lateral movement

Question

During a penetration test a tester Identifies traditional antivirus running on the exploited server. Which of the following techniques would BEST ensure persistence in a post-exploitation phase?

Options

  • AShell binary placed in C:\windowsttemp
  • BModified daemons
  • CNew user creation
  • DBackdoored executaWes

How the community answered

(51 responses)
  • A
    12% (6)
  • B
    63% (32)
  • C
    20% (10)
  • D
    6% (3)

Why each option

Modifying existing system daemons is the most AV-evasive persistence technique because it leverages trusted, pre-existing processes rather than introducing new suspicious executables that antivirus would scan.

AShell binary placed in C:\windowsttemp

Shell binaries placed in C:\Windows\Temp are immediately suspicious because antivirus tools actively monitor temporary directories for executable files and would flag them on the next scan.

BModified daemonsCorrect

Traditional antivirus relies heavily on signature-based detection of new or modified files, and embedding persistence within existing system daemons means the malicious code runs inside processes the OS and AV already treat as trusted. Because no new binary is dropped and the daemon appears legitimate to the operating system, this technique bypasses the file-based and heuristic detection methods used by conventional antivirus software.

CNew user creation

New user account creation is highly visible in system event logs and security monitoring tools, making it easily detectable by defenders and irrelevant to antivirus evasion.

DBackdoored executaWes

Backdoored executables introduce modified binaries with altered code or behavioral patterns that are likely to trigger signature-based or heuristic antivirus detection.

Concept tested: AV-evasive post-exploitation persistence using modified daemons

Source: https://attack.mitre.org/techniques/T1543/

Topics

#persistence#antivirus evasion#post-exploitation#daemons

Community Discussion

No community discussion yet for this question.

Full PT0-001 Practice