A penetration tester is in the final phase of an engagement and needs to remove all artifacts from a compromised Windows server. For persistence, a malicious service named TrueSystemMonitor was installed. The tester has already stopped the active process. To ensure this persistence mechanism is fully eradicated and will not launch again upon system restart, which of the following commands should the tester execute next?
The sc.exe delete command is the correct choice: it removes the service entry from the Windows Service Control Manager database, which fully eradicates the persistence mechanism. Simply killing the process with taskkill is only temporary, as the service will start again on reboot. Using reg add to set the service's Start value to 4 (disabled) is a valid but incomplete step, as it leaves the service configuration in the registry intact. Deleting the executable file without removing the service registration will cause errors at startup and leave behind system artifacts.