{ "query": "Which Windows persistence mechanism is established by adding a value to HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run that launches C:\\Windows\\Temp\\agent.bat at logon?", "options": [ { "text": "Scheduled task", "explanation": "A scheduled task runs programs on a schedule or in response to system events and can be used for persistence.", "correct": false, "selected": false }, { "text": "Registry Run key startup", "explanation": "Adding values to the Run registry keys causes programs to start at user logon and is a common persistence method.", "correct": true, "selected": false }, { "text": "Windows service", "explanation": "A Windows service runs in the background with system privileges and can be set to start automatically for persistence.", "correct": false, "selected": false } ], "answer": "

Registry Run key startup is correct. Adding a value under HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run causes the specified program to launch at user logon. This is the common Run key persistence mechanism.

The Run key under HKLM applies to all users, and any executable or script referenced there, such as C:\\\\Windows\\\\Temp\\\\agent.bat, is executed at each logon until the registry value is removed. This behavior makes the Run key a simple and persistent way to start programs at logon.

Scheduled task is incorrect because scheduled tasks are created and managed in Task Scheduler and they are stored and invoked through the Task Scheduler infrastructure rather than by adding values to the Run registry key. A scheduled task can be configured to run at logon, but that is a different mechanism than placing a value under the Run path.

Windows service is incorrect because services must be installed and registered with the Service Control Manager, and their configuration is recorded under HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services. Adding a value to the Run key does not create or register a service, and services have different lifecycle and privilege semantics than Run key entries.

", "batch_id": "1436", "answerCode": "2", "type": "multiple-choice", "originalQuery": "Matt is conducting a penetration test against Dion Training's network. This engagement aims to simulate an advanced persistent threat and demonstrate persistence for 30 days without their system administrators identifying the intrusion. Matt enters the following command into the terminal: -=-=-=-=-=-=- reg add HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v beacon /d C: \\Windows\\Temp\\beacon.bat -=-=-=-=-=-=- Which of the following types of persistence is Matt trying to utilize?", "originalOptions": "A. Services
B. Scheduled task
C. Registry startup
D. PS remoting", "domain": "Reconnaissance Techniques for Ethical Hacking", "hasImage": false, "queryImage": "", "queryImages": [], "allImages": [], "hasAnyImage": false, "deprecatedReference": false, "deprecatedMatches": {}, "hasPre": false, "qid": "1127s", "tip": "

When you see HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run, recognize it as a Run key that launches programs at user logon, and contrast that with Task Scheduler entries or installed services when answering persistence questions.

", "references": [ "https://learn.microsoft.com/en-us/windows/win32/setup/registry-run-keys", "https://learn.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page", "https://learn.microsoft.com/en-us/windows/win32/services/services" ], "video_url": "https://certificationation.com/videos/others/eccouncil/ethical-hacker/eccouncil-test-against-dion-training-s-network-exam-1127.html", "url": "https://certificationation.com/questions/others/eccouncil/ethical-hacker/eccouncil-test-against-dion-training-s-network-exam-1127.html" }