PT0-003 · Question #189
PT0-003 Question #189: Real Exam Question with Answer & Explanation
The correct answer is B: Establish persistence.
Question
During an assessment, a penetration tester gains access to one of the internal hosts. Given the following command:
schtasks /create /tn "Windows Update" /sc onlogon /tr "cmd.exe /c update.exe"
Which of the following is the penetration tester trying to do with this code?
Options
- A. Enumerate the scheduled tasks
- B. Establish persistence
- C. Deactivate the Windows Update functionality
- D. Create a binary application for Windows System Updates
Explanation
Option B is correct because the schtasks /create command is creating a scheduled task named "Windows Update" that executes cmd.exe /c update.exe every time a user logs on (/sc onlogon), which is a classic persistence technique - ensuring malicious code (update.exe) runs automatically after a reboot or new login, even if the initial access vector is closed.
Why the distractors are wrong:
- A (Enumerate) is incorrect because enumeration would use schtasks /query to list existing tasks, not /create to make new ones.
- C (Deactivate Windows Update) is wrong; the task name "Windows Update" is simply camouflage to blend in with legitimate system processes - the command doesn't disable anything.
- D (Create a binary application) is incorrect because schtasks only creates scheduling entries, not compiled binaries or applications.
💡 Memory Tip: Think "persistence = survive a reboot." Whenever you see a scheduled task, registry run key, or startup entry being created by a tester, ask yourself: "Does this survive a system restart?" If yes, it's persistence. The deceptive naming ("Windows Update") is a bonus hint toward defense evasion, but the primary goal here is persistence.
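The three signals the explanation points to (a /create verb with a logon trigger, a cmd.exe wrapper as the action, and a system-sounding task name) can be checked from the defender's side against process-creation command lines. The following is an added example, not part of the original question page; the finding labels, the interpreter list and the name pattern are assumptions chosen for illustration, and every sample line except the first (taken from the question) is constructed.

```python
import re

# Schedule types that re-run the action after a reboot or a new login.
PERSISTENT_TRIGGERS = {"onlogon", "onstart"}

# Constructed sample of process-creation command lines (first one is from the question).
SAMPLE = [
    'schtasks /create /tn "Windows Update" /sc onlogon /tr "cmd.exe /c update.exe"',
    'schtasks /query /fo LIST /v',
    'C:\\Windows\\System32\\schtasks.exe /Create /TN "Nightly Backup" /SC DAILY /ST 02:00 /TR "C:\\Tools\\backup.exe"',
    'notepad.exe C:\\notes.txt',
]

def parse_schtasks(cmdline):
    """Return (verbs, {switch: value}) for a schtasks command line, else None."""
    # Double-quoted arguments stay together as a single token.
    tokens = [q if q else u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    if not tokens or not re.search(r'(^|[\\/])schtasks(\.exe)?$', tokens[0], re.I):
        return None
    verbs, opts, i = set(), {}, 1
    while i < len(tokens):
        key = tokens[i].lower()          # schtasks switches are case-insensitive
        if key.startswith("/") and i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            opts[key] = tokens[i + 1]    # switch followed by its value
            i += 2
        else:
            verbs.add(key)               # bare switch such as /create or /query
            i += 1
    return verbs, opts

def assess(cmdline):
    """Return the list of findings for one command line (empty if benign or unrelated)."""
    parsed = parse_schtasks(cmdline)
    if parsed is None or "/create" not in parsed[0]:
        return []                        # not schtasks, or a read-only verb like /query
    opts, findings = parsed[1], []
    if opts.get("/sc", "").lower() in PERSISTENT_TRIGGERS:
        findings.append("persistence-trigger")
    # Assumed interpreter list: the action launches a shell instead of a program directly.
    if re.match(r'(\S*\\)?(cmd|powershell|pwsh)(\.exe)?\s', opts.get("/tr", ""), re.I):
        findings.append("interpreter-action")
    # A system-sounding name only matters when another signal is already present.
    if findings and re.search(r'windows|microsoft|update', opts.get("/tn", ""), re.I):
        findings.append("system-like-name")
    return findings

if __name__ == "__main__":
    for line in SAMPLE:
        print(assess(line), "<-", line)
```
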