Module 9

Question 1

What is the primary purpose of adding a round of ‘elevated persistence’ after gaining initial privileged access?

Answer 1

To ensure that a high level of privilege can be maintained, even if the initial elevation method is patched or detected.

Question 2

According to the source, what are two specific techniques for achieving elevated persistence on Windows?

Answer 2

Scheduled Tasks and Windows Services.

Question 3

Why would an adversary use an elevated persistence method if their initial elevation method is considered ‘loud’?

Answer 3

To avoid performing the noisy initial elevation method multiple times, which could lead to detection.

Question 4

The Windows Task Scheduler can be used to execute payloads as which high-privilege account to maintain access?

Answer 4

SYSTEM (or NT AUTHORITY\SYSTEM).

Question 5

In the provided XML for a scheduled task, what does the <BootTrigger> element define?

Answer 5

It specifies that the task will be executed when the computer boots up.

Question 6

Within the scheduled task’s XML, what does the <UserId>NT AUTHORITY\SYSTEM</UserId> tag specify?

Answer 6

It sets the user context for the task to run as the SYSTEM account.

Question 7

In the task’s XML principals, what is the function of the <RunLevel>HighestAvailable</RunLevel> setting?

Answer 7

It ensures the task runs with the highest possible privileges available to the specified user.

Question 8

What is the purpose of the <Hidden>true</Hidden> setting within the scheduled task’s XML definition?

Answer 8

To hide the task from the normal Task Scheduler user interface, making it harder to discover.

Question 9

In the scheduled task example, which XML element contains the command to be executed?

Answer 9

The <Exec> element.

Question 10

What is the full path to the executable that the sample scheduled task is configured to run?

Answer 10

C:\Windows\System32\beacon_x64.exe

Question 11

An adversary uses the command schtaskscreate \Beacon XML CREATE to create a new task. What does the XML argument signify?

Answer 11

It indicates that the task’s configuration is being provided from an XML file.

Question 12

Besides scheduled tasks, an adversary can create a _____ to run a payload under the SYSTEM context when the computer boots.

Answer 12

Windows service

Question 13

What command is used in the example to create a new Windows service named ‘dbgsvc’?

Answer 13

sc_create

Question 14

In the sc_create command sc_create dbgsvc "Debug Service" C:\Windows\System32\debug_svc.exe ..., what does the binpath parameter specify?

Answer 14

It specifies the path to the service’s executable file (C:\Windows\System32\debug_svc.exe).

Question 15

What command is recommended to verify that a Windows service was created successfully?

Answer 15

sc_qc

Question 16

In the output of sc_qc dbgsvc, what does START_TYPE : 2 AUTO_START indicate?

Answer 16

It indicates that the service is configured to start automatically when the operating system boots.

Question 17

The sc_qc output shows SERVICE_START_NAME : LocalSystem. What is this equivalent to?

Answer 17

The SYSTEM account (NT AUTHORITY\SYSTEM).

Question 18

In the sc_qc output for dbgsvc, what does ERROR_CONTROL : 0 IGNORE mean?

Answer 18

It means if the service fails to start, the startup process will not be notified and will continue without logging an error.