PT0-001 · Question #185
During a penetration test a tester Identifies traditional antivirus running on the exploited server. Which of the following techniques would BEST ensure persistence in a post-exploitation phase?
The correct answer is B. Modified daemons. Modifying existing system daemons is the most AV-evasive persistence technique because it leverages trusted, pre-existing processes rather than introducing new suspicious executables that antivirus would scan.
Question
During a penetration test a tester Identifies traditional antivirus running on the exploited server. Which of the following techniques would BEST ensure persistence in a post-exploitation phase?
Options
- AShell binary placed in C:\windowsttemp
- BModified daemons
- CNew user creation
- DBackdoored executaWes
How the community answered
(51 responses)- A12% (6)
- B63% (32)
- C20% (10)
- D6% (3)
Why each option
Modifying existing system daemons is the most AV-evasive persistence technique because it leverages trusted, pre-existing processes rather than introducing new suspicious executables that antivirus would scan.
Shell binaries placed in C:\Windows\Temp are immediately suspicious because antivirus tools actively monitor temporary directories for executable files and would flag them on the next scan.
Traditional antivirus relies heavily on signature-based detection of new or modified files, and embedding persistence within existing system daemons means the malicious code runs inside processes the OS and AV already treat as trusted. Because no new binary is dropped and the daemon appears legitimate to the operating system, this technique bypasses the file-based and heuristic detection methods used by conventional antivirus software.
New user account creation is highly visible in system event logs and security monitoring tools, making it easily detectable by defenders and irrelevant to antivirus evasion.
Backdoored executables introduce modified binaries with altered code or behavioral patterns that are likely to trigger signature-based or heuristic antivirus detection.
Concept tested: AV-evasive post-exploitation persistence using modified daemons
Source: https://attack.mitre.org/techniques/T1543/
Topics
Community Discussion
No community discussion yet for this question.