CompTIA PenTest+ Domain 5: Post-exploitation and Lateral Movement

Abusing the Windows Task Scheduler lets the payload run at startup or on a recurring schedule for persistence, surviving reboots while resembling legitimate administrative task activity.

• APass-the-hash authenticates to another system using a stolen hash to move laterally; it does not schedule recurring local execution that keeps a foothold alive across reboots.
• CARP poisoning redirects traffic for an on-path interception attack; it neither stores a recurring execution trigger nor maintains the team's foothold after the host reboots.
• DWiping the Security event log is an anti-forensic indicator-removal step that hides activity; it does nothing to re-execute the payload or keep access after a reboot.

Windows services start at boot to perform background functions and execute under SYSTEM, so installing a new service repeatedly runs the payload at startup without any logon.

• ACron is a Linux scheduling facility and is not present on a Windows server; it cannot register the boot-time background execution the Windows scenario specifically requires.
• BAn HKEY_CURRENT_USER run key fires only when that user interactively logs in and runs in the user's context, not automatically at boot without any logon.
• DPass-the-ticket reuses a Kerberos ticket to authenticate to another host for lateral movement; it provides no startup trigger that re-executes the payload on this server.

Adding an entry to a Registry run key causes the referenced program to execute when the user logs in, running under that user's context and associated permissions level.

• APass-the-hash uses a captured NTLM hash to authenticate to other systems; it is a lateral-movement technique and adds no autostart reference that relaunches the tool at user logon.
• BA driver loaded as a service runs at boot in the SYSTEM context, not as a per-user logon entry referenced from a user's registry run location, so it mismatches the scenario.
• CTimestomping alters a file's timestamps to evade forensic review; it hides the file but creates no autostart entry that causes the tool to run at the user's next logon.

Creating an account establishes secondary credentialed access that does not require persistent remote-access tools to remain deployed, and such accounts may be made on the local system or within a domain.

• BSending stolen data out over the command-and-control channel is an exfiltration activity; it demonstrates data theft but does not establish a credential the tester can log in with later.
• CEncapsulating RDP within SSH is protocol tunneling used to pivot toward unreachable hosts; it routes traffic but creates no standing account that maintains access to the environment.
• DMapping domain trust relationships is a discovery activity that reveals attack paths; gathering that information does not by itself create any durable means of regaining access.

Pass-the-hash authenticates as a user with a stolen password hash without the cleartext password, moving directly into the part of authentication that uses the hash to move laterally.

• APass-the-ticket authenticates by reusing a stolen Kerberos ticket, not an NTLM hash; the scenario specifically authenticates with the captured password hash, which is a different mechanism.
• BKerberoasting requests service tickets and cracks them offline to recover service-account passwords; it does not authenticate directly with an already-captured NTLM hash as described.
• DA golden ticket forges a Kerberos TGT using the krbtgt account hash for domain-wide access; that is broader and distinct from simply replaying one user's NTLM hash to authenticate.

Pass-the-ticket authenticates to a system using stolen Kerberos tickets without having access to the account's password, exactly the ticket-injection behavior described for lateral movement.

• APass-the-hash authenticates with a captured NTLM password hash, whereas the scenario reuses an extracted Kerberos ticket; the two techniques rely on different stolen authentication material.
• CAn SMB relay forwards a victim's live authentication attempt to another server in real time; it does not inject a previously extracted Kerberos ticket into a new session.
• DCredential stuffing replays breached username and password pairs against login forms; it depends on knowing passwords, which contradicts authenticating purely from a stolen Kerberos ticket.

Using valid accounts to interact with a remote share over Server Message Block lets the tester act as the logged-on user and move laterally throughout the network, as described.

• AA DNS zone transfer pulls a domain's records to enumerate hosts during reconnaissance; it neither authenticates to a remote share nor copies and executes a payload to move laterally.
• BTimestomping changes a file's timestamps to evade forensic analysis; it is an indicator-removal step and has nothing to do with authenticating over SMB to reach another host.
• CKerberoasting harvests and cracks service tickets to recover credentials; it gathers passwords rather than using existing admin rights to connect over an SMB administrative share.

Protocol tunneling encapsulates communications within a separate protocol to bypass network filtering and route packets to otherwise-unreachable systems, which is exactly the SSH-encapsulated pivot described.

• BPass-the-hash authenticates to a host with a stolen hash; it grants access to a system but does not encapsulate traffic to route into an unreachable subnet past network filters.
• CClearing event logs is an anti-forensic step that hides activity; it provides no network path or encapsulation that would let the tester reach the otherwise-unreachable internal subnet.
• DA scheduled task re-executes a payload on a trigger for persistence; it keeps a foothold but does not tunnel or route traffic to systems the tester cannot otherwise reach.

When only user-level access was obtained, the testers seek to gain complete control of the system, escalating to administrator or SYSTEM-level permissions, exactly the higher-rights step described.

• ALateral movement carries access sideways to a different system on the network; the scenario instead seeks higher permissions on the same already-compromised host, which is a different objective.
• CExfiltration simulation tests moving stolen data out of the network; it follows gaining control and demonstrating access, rather than being the act of elevating from user to administrator.
• DIndicator removal and cleanup happen to hide or undo activity near the end of work; they do nothing to raise the tester's privileges from user to administrator on the host.

Stealing data over a different protocol than the C2 channel, such as FTP, SMTP, or DNS, is exfiltration over an alternative protocol, matching the controls test the tester performs.

• APass-the-ticket reuses a Kerberos ticket to authenticate to another host; it concerns moving laterally and has nothing to do with measuring whether data leaves over an alternate protocol.
• BExfiltration over C2 sends data through the same protocol as command and control; the scenario deliberately uses a different protocol than the C2 channel, so this option is the opposite case.
• CA scheduled task re-executes code on a trigger to maintain a foothold; it keeps access but does not move staged data out to test the client's data-loss prevention controls.

Listing other systems by IP address or hostname for use in lateral movement, using utilities such as ping and net view, is precisely remote system discovery from the current host.

• BPass-the-hash authenticates to a system with a stolen hash; it is how a tester accesses a discovered host, not the enumeration step that builds the list of candidate targets.
• CClearing logs removes evidence of activity near the end of an engagement; it produces no inventory of other reachable systems and is unrelated to enumerating internal hosts.
• DA registry run key relaunches a tool at user logon to maintain access; it keeps a foothold rather than enumerating additional hosts by IP address and hostname on the network.

BloodHound uses graph theory to reveal hidden, often unintended relationships in Active Directory, letting attackers and defenders identify complex privilege attack paths that are otherwise hard to find.

• AWireshark captures and inspects network packets for traffic analysis; it does not model Active Directory group, session, and ACL relationships or compute privilege paths toward Domain Admin.
• BNessus identifies and ranks host and service vulnerabilities; it reports missing patches and misconfigurations but does not graph the directory's relationships into a shortest attack path.
• DHydra performs online password guessing against network login services; it tries credentials against a target rather than mapping directory relationships into a graph of attack paths.

Clearing Windows Event Logs, which record a computer's alerts and notifications, hides the activity of an intrusion and can be performed with utilities such as wevtutil, as described.

• ADomain trust discovery enumerates trust relationships to find lateral-movement paths; it gathers information rather than wiping the host's record of alerts to conceal the intrusion.
• BPass-the-hash authenticates to other systems with a stolen hash to move laterally; it does not erase the Windows event record that documents alerts and notifications on the host.
• CProtocol tunneling encapsulates traffic to reach unreachable systems or hide command and control; it routes communications rather than clearing the host's stored event records to hide activity.

PTES requires that all modifications be documented and, after their purpose is served, settings be returned to their original positions, with the change list given to the client to verify cleanup.

• BLeaving configuration changes in place leaves the client exposed to risk the test introduced and contradicts the requirement to restore settings to their original positions where possible.
• CPTES states logs should not be removed, cleared, or modified unless specifically authorized; deleting them destroys client evidence and is not part of legitimate post-engagement cleanup.
• DAccounts created to access compromised systems should be removed during cleanup, not transferred to the client; handing them over leaves an unnecessary credential and unfinished restoration.

Timestomping modifies a file's modify, access, create, and change times, often to mimic files in the same folder and blend a malicious file with legitimate ones to evade investigators.

• ACredential dumping extracts hashes or passwords from a system to enable further access; it harvests authentication material rather than altering a file's timestamps to evade forensic review.
• CPass-the-ticket reuses a stolen Kerberos ticket to authenticate to another host for lateral movement; it does not change file timestamps to disguise a payload from forensic analysis.
• DRemote system discovery enumerates other hosts by IP address and hostname to find targets; it builds a target list rather than altering a file's timestamps to avoid detection.

PTES keeps a detailed, timed list of actions for the report appendix, and NIST guidance translates findings into actionable mitigation, which together form the report's narrative and remediation deliverable.

• ARules of engagement set constraints and authority before testing begins; they are agreed up front and are not the post-engagement narrative of actions taken plus remediation guidance.
• BA raw scanner export lists detected findings without the timestamped attack narrative or translated, prioritized remediation guidance that a penetration test report is expected to provide.
• DThe statement of work defines deliverables, hours, and price before the engagement; it is a commercial contract artifact, not the documented attack narrative with remediation recommendations.