Maintaining Access Practice

Explore persistence, lateral movement, and staying in control of compromised assets in a controlled way.

1. Question

Which action BEST represents maintaining access after an initial compromise?

Collecting public OSINT on the targetInstalling a persistent backdoor that survives rebootsPerforming a WHOIS lookup on the domainSubmitting the final report to the client

2. Question

In a controlled engagement, why might a tester avoid deploying advanced rootkits for persistence?

Rootkits are never used in real-world attacksRootkits cannot be detected by any defense toolsThey carry high risk of system instability and are rarely necessary to prove impactThey provide no security value to the client

3. Question

Which of the following is a SAFE and ETHICAL way to demonstrate maintaining access?

Creating a new local admin user with a clearly tagged test account nameModifying existing production user accounts without noticeDisabling antivirus to avoid interferenceEncrypting critical data to show it could be ransomed

4. Question

Why is it important to coordinate with the client before leaving any persistent access mechanisms in place during testing?

To ensure that persistence cannot be detectedTo align with change management and avoid unexpected incidentsTo bypass all security monitoring entirelyTo avoid documenting the technique in the report

5. Question

Lateral movement between systems after initial compromise is MOST closely associated with:

ReconnaissanceReportingMaintaining and expanding accessCovering tracks

6. Question

Which of the following BEST illustrates a 'command and control' (C2) channel?

A static HTML page used for phishingAn encrypted channel that lets an attacker issue commands to compromised hostsA SIEM dashboard used by defendersA VPN connection used by employees

7. Question

In a red team style assessment, why might an operator prefer 'living off the land' techniques?

They rely on obvious malware that is easy to detectThey avoid using any tools on the target systemThey abuse built-in tools to reduce new artifacts and blend with normal activityThey guarantee root access on all systems

8. Question

From a defensive perspective, which log data is MOST likely to reveal attempts at maintaining access?

Changes to scheduled tasks and servicesStatic HTML content access logsPublic DNS zone transfersSpam filter statistics

9. Question

During a pentest, when should any persistent access you have established be removed?

Only if the client explicitly asksAs soon as you achieve domain adminBefore or at the end of the engagement, according to the agreed processNever; it may be useful for future tests

10. Question

Which of the following is the BEST reason to demonstrate maintaining access in a report?

To show that you can remain undetected indefinitelyTo help the client understand the potential business impact over timeTo justify using the same persistence on other clientsTo avoid recommending defensive improvements

Score: 0.0 / 10 (0 of 10 correct)