Module 5

Question 1

What is the primary goal of the ‘Persistence’ tactic [TA0003] in a cyber attack?

Answer 1

To maintain access to a compromised system across reboots and other interruptions.

Question 2

Adversaries use persistence because they may not be able to reliably regain a foothold via their _____.

Answer 2

initial access technique

Question 3

The persistence technique involving ‘Registry Run Keys & Startup Folder’ is identified by which MITRE ATT&CK ID?

Answer 3

T1547.001

Question 4

The persistence technique involving ‘Logon Scripts’ is identified by which MITRE ATT&CK ID?

Answer 4

T1037.001

Question 5

The persistence technique involving the ‘PowerShell Profile’ is identified by which MITRE ATT&CK ID?

Answer 5

T1546.013

Question 6

The persistence technique involving ‘Scheduled Tasks’ is identified by which MITRE ATT&CK ID?

Answer 6

T1053.005

Question 7

The persistence technique involving ‘Component Object Model Hijacking’ is identified by which MITRE ATT&CK ID?

Answer 7

T1546.015

Question 8

The collection of techniques where an adversary configures a computer to automatically execute a payload during startup or logon is known as _____.

Answer 8

Boot or Logon Autostart Execution [T1547]

Question 9

Which Windows Registry key allows a program to run every time a user logs in and remains after execution?

Answer 9

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Question 10

Which Windows Registry key allows a program to run once when a user logs in and is then automatically deleted?

Answer 10

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

Question 11

What is the syntax of the reg_set command used to create a registry value?

Answer 11

reg_set <host:optional> <hive> <key> <value> <type> <data></data></type></value></key></hive></host:optional>

Question 12

In the example reg_set HKCU ... Updater REG_EXPAND_SZ ..., what does ‘Updater’ represent?

Answer 12

The name of the new registry value being created.

Question 13

Which command is used to read back a registry key’s value to confirm it was set correctly?

Answer 13

reg_query

Question 14

Which command is used to remove a registry key or value when it’s no longer required?

Answer 14

reg_delete

Question 15

What is the full path to the user’s Startup folder, which can be used for persistence?

Answer 15

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup

Question 16

How does an adversary establish persistence using the Startup folder?

Answer 16

By uploading or placing an executable file into the directory.

Question 17

Which registry key contains a user’s environment variables and can be abused for logon script persistence?

Answer 17

HKCU\Environment

Question 18

An adversary can set the _____ value in the HKCU\Environment key to point to a program that will execute on logon.

Answer 18

UserInitMprLogonScript

Question 19

What is the name of the PowerShell script that executes when new PowerShell windows are opened by a user?

Answer 19

profile.ps1

Question 20

What is a legitimate use for a PowerShell profile?

Answer 20

To customize the appearance and behavior of PowerShell sessions.

Question 21

What is the example path given for a user’s PowerShell profile?

Answer 21

$HOME\Documents\WindowsPowerShell\Profile.ps1

Question 22

Why is it important for an adversary to avoid putting blocking code directly into a PowerShell profile?

Answer 22

Because the user will not be presented with an input prompt until the profile script has finished executing.

Question 23

Which PowerShell cmdlet can be used as a workaround to execute a payload from a profile without blocking the user’s prompt?

Answer 23

Start-Job

Question 24

What is a common trigger for a legitimate scheduled task?

Answer 24

A specific time, computer idle, system start, user logon, or a system event.

Question 25

In what format are Windows scheduled tasks defined at their core?

Answer 25

XML

Question 26

Which BOF command can create a scheduled task from a given XML task definition?

Answer 26

schtaskscreate

Question 27

In a task's XML definition, what does the `` element specify?

Answer 27

It specifies that the task should run when a user logs on.

Question 28

In a task's XML definition, what does the `` element inside `` specify?

Answer 28

It specifies the command or program to be executed by the task.

Question 29

When using the `schtaskscreate` command, the task name provided must start with what character?

Answer 29

A backslash (\).

Question 30

What command is used to delete a scheduled task created for persistence?

Answer 30

schtasksdelete

Question 31

What is the primary purpose of the Component Object Model (COM) standard?

Answer 31

To provide an interoperability standard so applications in different languages can reuse the same software libraries.

Question 32

In COM nomenclature, what is a 'component' or 'COM object'?

Answer 32

An interface and its associated implementation (the actual working code).

Question 33

What is a CLSID in the context of COM?

Answer 33

A unique identifier (a GUID) used to track every COM object in the registry.

Question 34

The `InProcServer32` key under a CLSID entry points to the path of a _____ that provides the COM functionality.

Answer 34

DLL

Question 35

The `LocalServer32` key under a CLSID entry points to the path of an _____ that provides the COM functionality.

Answer 35

EXE

Question 36

What is the core concept of COM hijacking?

Answer 36

An adversary changes or leverages a COM entry to trick an application into loading their malicious code instead of the intended object.

Question 37

For standard user processes, which registry hive's COM entries take priority: HKLM or HKCU?

Answer 37

HKCU (HKEY_CURRENT_USER)

Question 38

What is one common way a COM reference can be hijacked by a standard user?

Answer 38

By creating an entry in the HKCU hive for a CLSID that is only defined in the HKLM hive.

Question 39

What is another opportunity for COM hijacking related to file paths?

Answer 39

When a COM entry points to a DLL or EXE that doesn't exist on disk, and the location is writable by standard users.

Question 40

What Sysinternals tool is excellent for finding COM hijacking opportunities by displaying real-time registry access?

Answer 40

Process Monitor (procmon)

Question 41

In `procmon`, what 'Operation' should be filtered for to find COM hijacking opportunities?

Answer 41

RegOpenKey

Question 42

In `procmon`, what 'Result' should be filtered for to find processes trying to load non-existent COM objects?

Answer 42

NAME NOT FOUND

Question 43

In `procmon`, the 'Path' filter should contain what two key names when searching for COM hijacks?

Answer 43

InprocServer32 or LocalServer32

Question 44

Why would an adversary export `procmon` results and perform frequency analysis?

Answer 44

To find a COM object that is loaded a modest number of times, avoiding system instability.

Question 45

In the provided COM hijacking example, which process loads the targeted COM object?

Answer 45

DllHost.exe

Question 46

What PowerShell command is used to create a new registry key?

Answer 46

New-Item

Question 47

What PowerShell command is used to set a property (like 'ThreadingModel') on an existing registry key?

Answer 47

New-ItemProperty

Question 48

In the COM hijacking example, what user action triggers DllHost.exe to load the hijacked COM object?

Answer 48

Logging out and then logging back in.

Question 49

A COM entry in `HKEY_CLASSES_ROOT` is a merged view of entries from `HKEY_LOCAL_MACHINE\Software\Classes` and _____.

Answer 49

HKEY_CURRENT_USER\Software\Classes

Question 50

What are the two most important criteria for an adversary when selecting a COM object to hijack?

Answer 50

It shouldn't break software and shouldn't be loaded so frequently that it makes the system inoperable.