CompTIA PenTest+ (PT0-001) — Question 166

During a penetration test, a tester identifies traditional antivirus running on the exploited server. Which of the following techniques would BEST ensure persistence in a post-exploitation phase?

Answer options

• A. Shell binary placed in C:\windows\temp
• B. Modified daemons
• C. New user creation
• D. Backdoored executables

Correct answer: C

Explanation

Creating a new user (option C) allows the tester to maintain access even if the original method of exploitation is discovered or mitigated by the antivirus. The other options, while they may provide some level of persistence, are more likely to be detected and removed by traditional antivirus solutions.