According to PenTest+ Practice Tests Book - SYBEX
D. - reg save saves a copy of specified subkeys, entries, and values of the registry in a specified file. A file with the .reg file extension is a registration file used by the Windows Registry. These files can contain hives, keys, and values.
What good is saving the registry entries, if you cannot restore them? If you lose your access to the system, how do you restore your access by restoring part of the registry?
I agree with you; however, the schtasks command is incomplete. For the attacker to maintain persistence at logon, he would need to add the /sc onlogon switch to the command:
https://rasor.wordpress.com/2013/08/12/powershell-scheduling-a-task/
For that reason, I think D would not be the best answer but the least incorrect:
"HKLM\System\CurrentControlSet\services
The keys located here get loaded by the Service Controller at various times during the operation of the computer. Some are loaded at system startup and others are loaded on demand or when triggered by other events. The attackers want to load at startup so that even if no user logs in they can connect to the computer."
Also, once you modify the registry, you can add a dodgy service to be started at logon and maintain persistence on the device:
https://threatvector.cylance.com/en_us/home/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services.html
https://threatvector.cylance.com/en_us/home/windows-registry-persistence-part-2-the-run-keys-and-search-order.html
You need to have a persistent connection even if the machine is rebooted. You cannot get that with a scheduled task. Most of the commands in this dump are incomplete. No surprise there.
In the PenTest+ book it says "unlike memory resident exploits, both scheduled tasks and cron jobs can survive reboots." (Chapter 6, Exploit and Pivot, page 200)
The correct answer is either A or D.
For A, indeed, there are errors in the command, but if it is done right (the first thing is to remove the "/run"), obviously anything can be written in the PowerShell script to achieve persistence. I would say A because the intention of the n00b to achieve persistence with A is clearer than with D, despite the erroneous "/run" switch. A would be the most straightforward way to accomplish it.
Now for D, the problem is that saving the registry is useless. It would be better to add to the registry, and consequently I don't see any intention from the n00b writing the D command to achieve persistence; it would more likely be information gathering.
If we follow the logic of "correcting" the answers, C can also be a correct answer, by adding "&& Sv.ps1", although this wouldn't work for multiple reasons.
I would answer A.
The answer is D. PowerShell
Version 1 has only 129 cmdlets, and schtasks is not one of them:
https://social.technet.microsoft.com/wiki/contents/articles/13769.powershell-1-0-cmdlets.aspx
None are correct. I assume there are some typos somewhere here, as well as missing info.
For A to be correct, the command would be: schtasks /create /tn TASKNAME /tr PATHTOFILE /sc FREQUENCY /ru USERTORUNAS.
For D to be correct, you cannot use the save command. The correct command would be: reg add "PATH-OF-REG-ENTRY" /v VALUE-TO-ADD /t REG_SZ /d "PATH_TO_EXECUTABLE_FOR_PERSISTENCE"
So I would be prepared for both of those.
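To make the thread's two points concrete, here is an added example (not from the ExamTopics discussion, the Sybex book, or the linked blogs) that puts the incomplete commands from answers A and D next to the versions that would actually persist, and adds the checks and cleanup a tester would run. Task name "Sv", script path C:\Temp\Sv.ps1, and Run-key value name "Sv" are assumed for illustration. Run it only on a lab host you are authorized to test.

```powershell
# Added example, not code from the original thread. Assumed names: task "Sv",
# script C:\Temp\Sv.ps1 (no spaces, so /tr needs no embedded quotes), value "Sv".
$Task   = 'Sv'
$Script = 'C:\Temp\Sv.ps1'
$Action = "powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File $Script"

# --- Answer A as written: /run only starts an EXISTING task once. It creates
# nothing, so nothing comes back after a reboot, and it errors out if the task
# was never created.
schtasks /run /tn $Task

# --- What A would need: /create with a trigger and an account to run as.
# /sc onlogon fires at every interactive logon; use /sc onstart instead if the
# shell must come back after a reboot with nobody logged in. /f overwrites.
schtasks /create /tn $Task /tr $Action /sc onlogon /ru SYSTEM /rl highest /f

# Check the trigger really registered (look for "At logon time" / "At system startup").
schtasks /query /tn $Task /v /fo list

# --- Answer D as written: reg save only exports an existing key to a hive file.
# The registry is unchanged, so this is collection, not persistence.
reg save "HKLM\SYSTEM\CurrentControlSet\Services" "$env:TEMP\services.hiv" /y

# --- What D would need: reg add writes a new autostart value. The Run key is
# executed at each interactive logon; HKLM covers all users (needs admin),
# HKCU only the current user.
$RunKey = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
reg add $RunKey /v $Task /t REG_SZ /d $Action /f

# Check the value exists with the full command line.
reg query $RunKey /v $Task

# --- The Services key the thread mentions is normally populated through the
# Service Control Manager rather than reg add. start= auto loads at boot with
# no logon required. A plain script is not a real service, so the SCM will kill
# it after its start timeout, but the process does run once at boot.
sc.exe create $Task binPath= $Action start= auto
reg query "HKLM\SYSTEM\CurrentControlSet\Services\$Task" /v ImagePath

# --- Cleanup at the end of the engagement (the same commands a defender uses
# to remove the artifacts).
sc.exe delete $Task
schtasks /delete /tn $Task /f
reg delete $RunKey /v $Task /f
Remove-Item "$env:TEMP\services.hiv" -ErrorAction SilentlyContinue
```

The contrast the block shows is the one the thread argues about: /run and reg save both leave the system unchanged after the command returns, while /create with a trigger, reg add to a Run key, and a service set to start= auto each leave a record that the OS will act on again after logoff or reboot.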
In this link you will find a little more in-depth info on how to maintain persistence with HKLM\System\CurrentControlSet\Services. Just hit Ctrl+F and enter "Tool Persistence": https://blogs.blackberry.com/en/2013/08/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services
The schtasks command is not complete.
/run - this is on demand (you would need to be on the machine to run this).
If you lost connection, you would not be able to run this again.
I disagree. The best answer is D. The very link you posted shows it being created as a scheduled task using the /sc and /ru parameters. In this answer, though, it's not actually created as a scheduled task. Rather, it's something to be run immediately (hence /run).
The "spirit" of the question is to achieve persistence on the system; if you are to use the task scheduler to do this, you would want to set up a schedule to do something like a reverse shell. If you only run the PowerShell once, it will no longer persist once the computer is restarted. That's why I believe the /run switch eliminates answer A. For it to be viable, I think the /sc parameter should have been supplied (just like in your answer).
Answer D says "reg save", which saves an EXISTING registry key to a file.
Saving something that already exists can't provide persistence ...
A matches best, although the answer is maybe incomplete ...
You're right about this, and I take back my comment. I'm gonna echo what TheThreatGuy says above: be prepared for either A or D, as it could be either.