Module 6

Question 1

What is the primary goal of the ‘Initial Access’ tactic [TA0001]?

Answer 1

To gain an initial foothold within a target network.

Question 2

Besides social engineering, what are two other techniques for gaining Initial Access?

Answer 2

Exploiting public-facing services and supply-chain compromise.

Question 3

What is the most prevalent technique used for Initial Access?

Answer 3

Social engineering attacks such as phishing.

Question 4

Mariusz Banach’s phishing taxonomy is represented as DELIVERY(CONTAINER(_____ + PAYLOAD + DECOY)).

Answer 4

TRIGGER

Question 5

In the phishing taxonomy, what does the ‘Delivery’ component represent?

Answer 5

The technique used to deliver the package to the victim.

Question 6

In the phishing taxonomy, what does the ‘Container’ component represent?

Answer 6

The container format used to package the files.

Question 7

In the phishing taxonomy, what does the ‘Trigger’ component represent?

Answer 7

The means to trigger payload execution.

Question 8

In the phishing taxonomy, what does the ‘Payload’ component represent?

Answer 8

The malicious code to be executed.

Question 9

In the phishing taxonomy, what does the ‘Decoy’ component represent?

Answer 9

A file displayed to the victim to maintain the social engineering pretext.

Question 10

In the Lumma Stealer campaign example, what file type was disguised as a PDF to trick victims?

Answer 10

A Windows shortcut (.lnk) file.

Question 11

The LNK files in the Lumma Stealer campaign were weaponized to download malicious content using what Windows utility?

Answer 11

mshta

Question 12

What should the file type of a decoy be if the trigger was disguised as a PDF?

Answer 12

The decoy should also be a PDF document to continue the pretext.

Question 13

What is DLL hijacking?

Answer 13

A technique used to force a legitimate application into loading a malicious DLL by abusing the Windows DLL search order.

Question 14

In the simplified Windows DLL search order, what is the first location an application checks for a DLL?

Answer 14

The directory the application is in.

Question 15

What Process Monitor filter settings can be used to find DLL hijacking opportunities?

Answer 15

Set the path to end in ‘.dll’ and the result to be ‘NAME NOT FOUND’.

Question 16

What is DLL side-loading in the context of the Windows Component Store?

Answer 16

It is a form of DLL hijacking that leverages old, vulnerable application versions stored in C:\Windows\WinSxS.

Question 17

What is the original purpose of the Windows Component Store (WinSxS)?

Answer 17

To support side-by-side assemblies, allowing multiple versions of the same dependencies to exist on a system.

Question 18

In the ngentask.exe side-loading example, which DLL was it attempting to load from the current working directory?

Answer 18

mscorsvc.dll

Question 19

What is the purpose of using a custom AppDomainManager for .NET applications?

Answer 19

To force a .NET Framework application into loading a malicious DLL, regardless of the standard search order.

Question 20

To create a custom AppDomainManager, your class must inherit from what base class?

Answer 20

AppDomainManager

Question 21

What are the two environment variables used to load a custom AppDomainManager into a .NET application?

Answer 21

APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE.

Question 22

Besides environment variables, how else can a custom AppDomainManager be loaded into a .NET application?

Answer 22

By specifying the ‘appDomainManagerAssembly’ and ‘appDomainManagerType’ elements in a .config file.

Question 23

What file extension is used for Windows Installer packages?

Answer 23

.msi

Question 24

In a Visual Studio Setup Project for an MSI, how do you make the payload execute during installation?

Answer 24

By adding the payload file as a Custom Action in the ‘Install’ step.

Question 25

When building an MSI project in Visual Studio, which of the two output files (.exe and .msi) is essential for delivery to a victim?

Answer 25

The .msi file, as the .exe is just a wrapper.

Question 26

What is an .xlam file?

Answer 26

A macro-enabled Excel Add-In, designed to add custom functionality to Excel.

Question 27

What is a primary challenge for using macros for initial access?

Answer 27

Protected View, which disables macros in files with Mark of the Web (MotW) or from untrusted locations.

Question 28

Which user-writable directory in `%APPDATA%` will cause Excel to automatically load any workbooks or add-ins present within it?

Answer 28

The XLSTART directory (`%APPDATA%\Microsoft\Excel\XLSTART\`).

Question 29

In the VBA editor for Excel, what subroutine name is used to have code execute automatically when an add-in is loaded?

Answer 29

Auto_Open()

Question 30

What is the main benefit of using an EV (Extended Validation) code-signing certificate over a standard one?

Answer 30

An EV certificate makes the publisher identity trusted by SmartScreen, completely removing 'Unknown Publisher' warnings.

Question 31

Why is it a bad idea for a red team to sign malware with their legitimate company's code-signing certificate?

Answer 31

It reveals their identity to the victim and the certificate will likely be revoked if the malware is publicly discovered.

Question 32

What is a 'dropper' in the context of an initial access campaign?

Answer 32

A program whose purpose is to deliver another program, often to evade antivirus and complicate analysis.

Question 33

Where do most droppers get the payload they are delivering?

Answer 33

By extracting embedded resources from within their own image or downloading them from a remote server.

Question 34

In Visual Studio, what must the 'Build Action' property of a file be set to for it to be included as an embedded resource?

Answer 34

Embedded Resource.

Question 35

In a C# dropper, which method from the `Assembly` class is used to read an embedded resource?

Answer 35

GetManifestResourceStream()

Question 36

What must the name of an embedded resource be prefixed with when calling `GetManifestResourceStream`?

Answer 36

The project's namespace.

Question 37

Of the standard system locations (`Program Files`, `ProgramData`, `Windows`), which is typically writable by a standard, non-administrative user?

Answer 37

C:\ProgramData\

Question 38

What is the purpose of the GadgetToJScript (G2JS) tool?

Answer 38

To serialize a .NET assembly into a script file (like JavaScript) that can be executed by a native script host.

Question 39

In the GadgetToJScript command, what does the `-w` switch specify?

Answer 39

The type of script to output (e.g., js, vbs, vba, hta).

Question 40

In the GadgetToJScript command, what is the purpose of the `-b` switch?

Answer 40

It bypasses type check controls introduced in .NET Framework 4.8 and later.

Question 41

A complex infection chain could look like: ISO => _____ => JS => .NET DLL => EXE.

Answer 41

LNK

Question 42

What is the function of the `@echo off` directive in a Windows Batch file?

Answer 42

It prevents the commands themselves from being displayed in the command prompt as they are executed.

Question 43

In a Batch script, how can you prevent a command's output from being displayed to the user?

Answer 43

By appending `> nul 2>&1` to the end of the command.

Question 44

What anti-analysis trick for Batch files involves comparing the `%cmdcmdline%` and `%~f0` variables?

Answer 44

It checks if the script's own path is in the command line, exiting if it's not, which can defeat sandboxes that run scripts programmatically.

Question 45

What special property of the .lnk file extension makes it deceptive in Windows Explorer?

Answer 45

The .lnk extension is not shown, even when 'show file name extensions' is enabled.

Question 46

Which COM object is commonly used in PowerShell to create and modify .lnk (shortcut) files?

Answer 46

WScript.Shell

Question 47

In a PowerShell script creating a .lnk file, which property sets the program to be executed?

Answer 47

$lnk.TargetPath

Question 48

In a PowerShell script creating a .lnk file, which property sets the command-line arguments for the target program?

Answer 48

$lnk.Arguments

Question 49

The 'GrimResource' technique uses a specially crafted .msc file to exploit an XSS flaw in which Windows executable?

Answer 49

Microsoft Management Console (mmc.exe).

Question 50

What is a key advantage of the .msc 'GrimResource' technique regarding user privileges?

Answer 50

mmc.exe is an auto-elevating binary, so the payload may run with high integrity if the user is a local administrator and approves the UAC prompt.

Question 51

What is Mark of the Web (MotW)?

Answer 51

A zone identifier used by Windows to mark files downloaded from the internet as potentially unsafe.

Question 52

How can Mark of the Web (MotW) interfere with phishing payloads, especially Office documents?

Answer 52

It can cause Windows to show extra security warnings, and Office will not enable macros if MotW is present.

Question 53

Why are container formats like ISO, IMG, and ZIP good choices for initial access packages?

Answer 53

They are natively supported by Windows and can prevent the propagation of Mark of the Web to the files inside.

Question 54

What is the purpose of the `-H` parameter in the PackMyPayload tool?

Answer 54

To set the hidden attribute on specified files as they are packaged into a container.

Question 55

What is HTML smuggling?

Answer 55

A technique that encodes a malicious file within the HTML/JavaScript of a webpage to bypass content filters.

Question 56

How does HTML smuggling prevent network scanners from seeing the malicious file's content during download?

Answer 56

The file is decoded and assembled by JavaScript on the client side, so the network traffic only shows HTML/JavaScript, not the final binary file.

Question 57

In the provided HTML smuggling example, what JavaScript function is used to convert the base64 string back into binary data?

Answer 57

window.atob()

Question 58

What is SVG smuggling?

Answer 58

A technique similar to HTML smuggling that leverages the ability to embed executable JavaScript inside an SVG image file.

Question 59

In Cobalt Strike, what feature is used to host a payload file on the internal web server?

Answer 59

Site Management > Host File.

Question 60

In Cobalt Strike's site cloning feature, how is the payload download triggered when a victim visits the cloned page?

Answer 60

It embeds a hidden iframe in the page whose source URL points to the hosted payload file, causing an automatic download.