Which Windows feature is commonly abused by attackers for persistence?

Multiple Choice

Which Windows feature is commonly abused by attackers for persistence?

Explanation:
The key idea here is how attackers achieve persistence by abusing Windows automation features that run code without ongoing user interaction. Task Scheduler fits this role because it’s designed to launch programs automatically at startup, on user logon, or at specific times.

Why this one stands out: a scheduled task can be configured to run a malicious executable or script and can be set to trigger after every reboot or at regular intervals, ensuring the malware comes back even after a user signs out or the system restarts. A task can run under various user accounts and, if configured with higher privileges, can execute with elevated access. Because Task Scheduler is a legitimate Windows utility used for routine admin work, malicious tasks can blend in with normal activity, making discovery harder and persistence more durable. Task Scheduler offers flexible triggers, actions, and conditions, and tasks can be created via the GUI, the command line, or scripts, which makes it a readily abused persistence mechanism.

For context, other options can also provide persistence, such as placing a program in the registry Run keys, abusing WMI event subscriptions, or creating a Windows service, but the scheduled task feature is particularly popular due to its reliability, reboot persistence, and broad accessibility for attackers.
