After establishing a shell on a target system, Joe, a penetration tester, is aware that his actions have not been detected. He now wants to maintain persistent access to the machine. Which of the following methods would be MOST easily detected?
A. Run a zero-day exploit.
B. Create a new domain user with a known password.
C. Modify a known boot time service to instantiate a call back.
D. Obtain cleartext credentials of the compromised user.
Agreed. C might not be easy to spot, especially if it's already a known service; this would require further investigation, like checking the command/executable the service is calling. This is coming from a support perspective that deals with these issues every day. :)
It's got to be B. My company has systems in place so that ANY new domain user account created is alarmed and reviewed. The "known" password part just means the hacker knows the password. Anyone saying "But sir, local account": the answer specifically states new *domain* user. Not a good question, but B is by far the easiest to detect with alerts in place.
Remember, it's not saying Domain Admin; instead it says Domain User, meaning any account with any level of privileges. Identifying this would be difficult, especially if his shell on a target host hasn't been detected yet, pointing towards a weak blue team. With that said, I'd say the answer is modifying a "KNOWN" boot time service, as this is probably the only thing they would be aware of.
Domain users - anybody who has a user account and has authenticated within the domain. Their level of rights in the domain could be at any level granted to them.
Domain Administrators - Users granted "God-Like" authority within the domain to access and modify practically anything and everything.
I can see B: you're jacking with a DC if you're creating a new domain account. Likely the security team will have alerts set up on a DC to watch for new user accounts. Unless the security team has finely tuned tools, they won't capture a local machine having a modification, especially if the pentester is using an admin account. DC logs are harder to erase and easier to see than local machine logs.
My 2 cents:
It's not A for sure. It's not B because that would be stupid; think about it: what is the difference between creating a new domain user with a known password vs. creating a new domain user with an unknown password? It's not D because that makes you think about some sort of brute force, but you are already in, so the most valid to me would be C.
B would be valid if it were just "Create a new domain user".
Hello guys! A friend of mine told me that the correct answer was D, and yes, I know, I was like, TF?! And he told me that you can easily detect them with a simple script; this is one of the tools that he has used in the past.
https://logrhythm.com/blog/clear-text-passwords-use-case/
"Using a simple Analyze query on NetMon, you can detect clear text passwords sent over HTTP."
What are your thoughts?
B. Creation of a new user account is a tried-and-true method for retaining access to a system. In well-managed and monitored environments, adding an account is likely to be caught and result in an alarm, but in many environments creation of a local user account on a system may allow ongoing access to the system, device, or application.
Question: MOST easily ***detected***
Scripting a callback (reverse shell) on reboot would be detectable through network monitoring; most SIEMs check for unusual but repeated outbound network connections (Splunk / ELK etc.).
I was tending to option C, but I think B is correct. C may be detectable by an AV suite, but maybe not, and the use of 'boot time' would probably suggest that they want you to think rootkit, which they want you to think is difficult to detect. Option B can be spotted by good procedures and does not rely on technology.
None of these are great answers. If the domain had 10 people, definitely B. In a domain with thousands of users, it would be hard to track this down unless some sort of alert was generated when a new user was created. If you just create a Steve Smith and dump him in an OU with 200 people, no one will know. C seems like the more obvious choice, but maybe that was intentional to be misleading. I have no answer, merely conjecture.
But then there are no rules created on IDS/IPS/FW to detect that zero-day attack, hence I wouldn't say that's the most detectable one. Actually, zero-days go unnoticed sometimes for months at a time.
TF? It's asking which hacker's method of maintaining persistence is most easily discovered by the blue team... At first glance you want to say create an account... but with hundreds of accounts, an additional J.Smith may go unnoticed. More so than getting a service to call back? A truly subjective question.
Yes, but if you have a system that monitors AD account creation, this would be easy. Just ask the administrator whether there should be a newly created account at that time.
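The two detection ideas raised in this thread (alerting on AD account creation, and a SIEM spotting a boot-time service that calls back on a regular schedule) as an added example, not code from any poster. It runs hypothetical triage rules over constructed records shaped like Windows Security 4720, System 7045 and Sysmon 3 events; the paths, names and TEST-NET addresses are made up.

```python
"""Constructed event records (not from the thread). Fields mimic Security 4720
(user account created), System 7045 (service installed) and Sysmon 3 (network
connection). The rules below are hypothetical triage logic, not a vendor's."""
from collections import defaultdict
from statistics import pstdev

EVENTS = [
    {"t": 0,   "id": 4720, "subject": "CORP\\jdoe", "target": "CORP\\svc_backup2"},
    {"t": 5,   "id": 7045, "name": "Windows Update Helper", "image": "C:\\Users\\Public\\upd.exe"},
    {"t": 60,  "id": 3, "image": "C:\\Users\\Public\\upd.exe", "dst": "203.0.113.7:443"},
    {"t": 120, "id": 3, "image": "C:\\Users\\Public\\upd.exe", "dst": "203.0.113.7:443"},
    {"t": 180, "id": 3, "image": "C:\\Users\\Public\\upd.exe", "dst": "203.0.113.7:443"},
    {"t": 240, "id": 3, "image": "C:\\Users\\Public\\upd.exe", "dst": "203.0.113.7:443"},
    {"t": 90,  "id": 3, "image": "C:\\Program Files\\Browser\\browser.exe", "dst": "198.51.100.3:443"},
    {"t": 95,  "id": 3, "image": "C:\\Program Files\\Browser\\browser.exe", "dst": "198.51.100.3:443"},
    {"t": 400, "id": 3, "image": "C:\\Program Files\\Browser\\browser.exe", "dst": "198.51.100.3:443"},
]

# Directories a legitimately installed service binary is normally expected in.
TRUSTED_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files\\")

def account_alerts(events):
    """Every 4720 is worth a ticket: an analyst confirms it with the admin."""
    return [f"4720 account created: {e['target']} by {e['subject']}"
            for e in events if e["id"] == 4720]

def service_alerts(events):
    """A 7045 whose image lives outside the usual install dirs is a strong signal."""
    return [f"7045 service '{e['name']}' installed from {e['image']}"
            for e in events if e["id"] == 7045
            and not e["image"].lower().startswith(TRUSTED_SERVICE_DIRS)]

def beacon_alerts(events, min_hits=4, max_jitter=0.1):
    """Flag (image, dst) pairs that connect repeatedly at near-constant intervals."""
    by_pair = defaultdict(list)
    for e in events:
        if e["id"] == 3:
            by_pair[(e["image"], e["dst"])].append(e["t"])
    alerts = []
    for (image, dst), times in by_pair.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and gaps:
            mean = sum(gaps) / len(gaps)
            # Low relative spread of the gaps = scheduled callback, not a user browsing.
            if mean > 0 and pstdev(gaps) / mean <= max_jitter:
                alerts.append(f"beacon: {image} -> {dst} every ~{mean:.0f}s x{len(times)}")
    return alerts

def triage(events):
    return account_alerts(events) + service_alerts(events) + beacon_alerts(events)
```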
Zero-days don't have patches available. The recent Exchange vulnerability existed for 10 years before it was patched.
PT0-001 Exam Questions