Try 10 focused CompTIA PenTest+ PT0-003 questions on Post-Exploitation and Lateral Movement, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
| Field | Detail |
|---|---|
| Exam route | CompTIA PenTest+ PT0-003 |
| Topic area | Post-Exploitation and Lateral Movement |
| Blueprint weight | 14% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Post-Exploitation and Lateral Movement for CompTIA PenTest+ PT0-003. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 14% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These original IT Mastery practice questions are aligned to this topic area. Use them for self-assessment, scope review, and deciding what to drill next.
Topic: Post-Exploitation and Lateral Movement
During an authorized internal penetration test, the team obtained administrative access on a file server and created a temporary test account as permitted by the rules of engagement. The account was removed, but the client canceled the retest window after applying emergency hardening. Which report entry best maps to these facts?
Options:
A. Document cleanup completed for the account, residual risk, and no retest validation.
B. Attempt an after-hours retest to confirm the hardening worked.
C. State the finding is fully remediated because emergency hardening was applied.
D. Omit cleanup details because the test account was removed.
Best answer: A
Explanation: Post-exploitation reporting should clearly distinguish what the tester changed, what was cleaned up, and what could or could not be validated. In this scenario, the temporary account cleanup can be reported as completed, but the canceled retest window prevents the tester from confirming whether the client’s emergency hardening fixed the underlying issue. The report should avoid claiming full remediation without evidence. It should also state residual risk so stakeholders understand that the original attack path may still require validation in a future retest. The key takeaway is to separate cleanup status from remediation validation.
Topic: Post-Exploitation and Lateral Movement
During an authorized internal penetration test, a tester obtains local administrator access on an in-scope workstation during the approved testing window. The rules of engagement allow privilege validation and evidence collection on listed hosts, but prohibit lateral movement into systems not named in the target list. The tester discovers cached references to a database server that is not on the target list and appears to process customer payments. What is the best professional decision?
Options:
A. Continue enumerating the database server without authentication
B. Pause activity and escalate the discovery to the engagement lead
C. Document the reference and ignore it until the final report
D. Connect to the database server to verify access
Best answer: B
Explanation: Post-exploitation actions must stay within the authorization and rules of engagement, even when new evidence suggests a valuable attack path. Here, local administrator access on the workstation may be used only for allowed validation and evidence collection on listed hosts. The referenced payment database is not named in scope, and testing it could create business impact. The professional decision is to pause any activity that would touch the out-of-scope system and escalate through the engagement lead or defined stakeholder channel for written authorization or revised scope. This preserves evidence quality and avoids unauthorized lateral movement.
Topic: Post-Exploitation and Lateral Movement
A penetration tester is closing an authorized internal assessment and must remove artifacts created during post-exploitation. Which action should occur before cleanup begins?
Exhibit: Cleanup note
ROE: Preserve evidence before removing tester-created artifacts.
Artifacts:
- temp-pentest-admin local account on WS-17
- C:\Temp\pt_marker.txt on WS-17
- scheduled task named PT-Checkin on WS-17
Report needs: proof of existence, timestamps, and cleanup status
Options:
A. Leave the artifacts in place until the final report is accepted
B. Record artifact evidence and store it with timestamps before deletion
C. Ask the system owner to remove the artifacts without tester records
D. Delete the artifacts immediately and document cleanup afterward
Best answer: B
Explanation: Evidence preservation comes before artifact removal when the rules of engagement or reporting requirements require proof. In this scenario, the tester-created account, file, and scheduled task are part of the assessment record. The tester should capture sufficient evidence, such as screenshots, command output, log excerpts, timestamps, and artifact identifiers, and store it in the approved evidence repository before deleting anything. This supports report accuracy, cleanup verification, and accountability if a stakeholder later asks what was changed. Cleanup should still happen, but only after the required evidence has been preserved.
Topic: Post-Exploitation and Lateral Movement
During an authorized internal penetration test, a tester demonstrates that a low-privilege domain account can access a production HR file share. The rules of engagement allow access-control validation during the test window but prohibit copying, modifying, or opening sensitive employee files. The client needs evidence for a remediation ticket and executive summary. What is the BEST professional decision?
Options:
A. Create a marker file in the share to prove write access
B. Open several files to document the sensitivity of the exposed data
C. Capture a redacted screenshot of the share path, account context, and accessible directory listing
D. Copy one representative employee file into the encrypted evidence repository
Best answer: C
Explanation: After access has been demonstrated, post-exploitation evidence collection should be the least invasive action that proves the finding and stays within the rules of engagement. Here, the tester already proved access to a production HR share, and the ROE specifically prohibits copying, modifying, or opening sensitive files. A redacted screenshot showing the account context, target path, timestamp, and accessible listing is enough to support remediation without increasing business impact or handling regulated employee content. The key is to document the control failure, not to maximize data exposure.
Topic: Post-Exploitation and Lateral Movement
During an authorized internal penetration test, the team must prioritize post-exploitation findings for the final report. Which finding should be listed as the highest remediation priority based on the evidence?
Exhibit: Post-exploitation evidence summary
| Finding | Demonstrated access | Data/business impact | Current exposure |
|---|---|---|---|
| Legacy file share | Read access as domain user | Archived marketing files | Internal only |
| Cloud role chaining | Finance app service account assumed BillingAdmin role | Customer invoices and payment metadata | Production cloud account |
| Local admin reuse | Local admin on 3 lab workstations | No sensitive data found | Test VLAN only |
| Stale VPN group | Disabled contractor account remained in group | No successful login | VPN policy review |
Options:
A. Legacy file share readable by domain users
B. Local administrator reuse on lab workstations
C. Stale VPN group membership for a disabled account
D. Cloud role chaining through the finance app service account
Best answer: D
Explanation: Post-exploitation prioritization should weigh what was actually demonstrated, what data or systems were reachable, and how urgently the business should reduce risk. The finance app service account was used to assume a privileged cloud role in a production account and reached customer invoice and payment metadata. That creates a stronger, evidence-backed risk than lower-sensitivity internal file access, lab-only local admin reuse, or a policy weakness without successful access. The best report priority is the finding with confirmed access to sensitive data and direct production impact.
Topic: Post-Exploitation and Lateral Movement
During an authorized internal penetration test, the team used approved post-exploitation actions on a production application server. Before closing the engagement, the tester reviews the cleanup notes.
Exhibit: ROE and artifact notes
System: APP-SRV-04
Owner: Retail Apps team
Artifacts created: test local account, temporary upload directory
ROE: Production host changes require owner coordination.
ROE: Tester must not remove app-owned files without owner validation.
Status: Access no longer needed; evidence captured.
Which cleanup action should the tester take next?
Options:
A. Ask the SOC to block APP-SRV-04
B. Delete the account and directory immediately
C. Coordinate removal with the Retail Apps owner
D. Leave all artifacts and document them only
Best answer: C
Explanation: Cleanup after post-exploitation must restore the environment without creating additional operational risk. In this case, APP-SRV-04 is a production system, and the rules of engagement explicitly require coordination with the system owner before host changes or file removal. The tester has already captured evidence and no longer needs access, so the next professional action is to involve the Retail Apps team to validate what can be removed and when. This protects service availability, preserves accountability, and ensures test artifacts are not mistaken for malicious activity or accidentally removed in a way that breaks the application. Direct deletion is tempting, but owner coordination is the controlling requirement.
Topic: Post-Exploitation and Lateral Movement
During an authorized internal penetration test, the team documented this post-exploitation path and must recommend a remediation that directly breaks the lateral movement path with minimal application impact.
| Evidence | Observation |
|---|---|
| Initial foothold | Standard user workstation |
| Lateral movement | Same built-in local admin credential worked on multiple workstations |
| Impact | Access expanded to sensitive file-share staging systems |
Which remediation best maps to the demonstrated path?
Options:
A. Disable external VPN access for standard users
B. Patch the sensitive file-share staging systems
C. Deploy unique, rotated local administrator passwords per workstation
D. Increase SIEM alert severity for workstation logons
Best answer: C
Explanation: The demonstrated weakness is lateral movement through reused local administrator credentials across workstations. A remediation such as Windows LAPS or an equivalent privileged local account management process gives each endpoint a unique, regularly rotated local admin password and limits the blast radius if one workstation is compromised. This directly interrupts the observed path because a credential recovered or used on one workstation should not authenticate to another workstation.
Monitoring improvements can help detect future activity, but they do not remove the credential reuse condition. Patching file-share systems is important only if an exploitable vulnerability was part of the path, which the evidence does not show.
Topic: Post-Exploitation and Lateral Movement
During an authorized internal penetration test, the rules of engagement allow post-exploitation evidence review but prohibit new lateral movement attempts without written approval. The tester finds the following evidence:
DC log: CORP\svc_backup successful network logon to WS-17, then WS-23
Source host: WS-09
Time span: 4 minutes
Endpoint logs: ADMIN$ share accessed on WS-17 and WS-23 from WS-09
Endpoint logs: temporary remote service created on WS-17 and WS-23
Which approach best maps to these requirements?
Options:
A. Classify the events as routine vulnerability scanning
B. Correlate the events as likely SMB-based lateral movement
C. Run credential spraying from WS-09 to confirm reuse
D. Dump credentials from WS-09 to prove compromise
Best answer: B
Explanation: Lateral movement indicators often appear as correlated authentication and remote administration evidence, not as a single log entry. In this case, one privileged account successfully authenticates from one host to multiple workstations in a short window, accesses ADMIN$ shares, and creates temporary remote services. That pattern is consistent with SMB-based remote execution or administrative lateral movement. Because the rules of engagement prohibit new lateral movement attempts, the safest valid approach is to document the correlation, preserve the evidence, and request approval before performing any additional validation that could expand access.
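One way to express the correlation the explanation describes, as an added defender-side example that is not part of the original question set: the event records are constructed to mirror the exhibit, and the field names, the five-minute window, and the two-host threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled on the exhibit (not real logs).
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "type": "network_logon", "account": "CORP\\svc_backup", "src": "WS-09", "dst": "WS-17"},
    {"ts": "2024-05-01T10:00:20", "type": "share_access", "account": "CORP\\svc_backup", "src": "WS-09", "dst": "WS-17", "share": "ADMIN$"},
    {"ts": "2024-05-01T10:00:45", "type": "service_created", "account": "CORP\\svc_backup", "src": "WS-09", "dst": "WS-17"},
    {"ts": "2024-05-01T10:03:10", "type": "network_logon", "account": "CORP\\svc_backup", "src": "WS-09", "dst": "WS-23"},
    {"ts": "2024-05-01T10:03:30", "type": "share_access", "account": "CORP\\svc_backup", "src": "WS-09", "dst": "WS-23", "share": "ADMIN$"},
    {"ts": "2024-05-01T10:03:50", "type": "service_created", "account": "CORP\\svc_backup", "src": "WS-09", "dst": "WS-23"},
    # Benign noise: a single logon with no admin-share or service activity.
    {"ts": "2024-05-01T10:05:00", "type": "network_logon", "account": "CORP\\jdoe", "src": "WS-11", "dst": "FS-01"},
]


def correlate_lateral_movement(events, window=timedelta(minutes=5), min_hosts=2):
    """Group events by (account, source host) and flag groups whose network
    logons reach at least `min_hosts` destinations inside `window` AND show
    ADMIN$ access plus a remote service creation on those destinations.
    A single log entry never triggers; only the combined pattern does."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["account"], e["src"])].append(e)
    findings = []
    for (account, src), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        logons = [e for e in evs if e["type"] == "network_logon"]
        dsts = sorted({e["dst"] for e in logons})
        if len(dsts) < min_hosts:
            continue
        first = datetime.fromisoformat(logons[0]["ts"])
        last = datetime.fromisoformat(logons[-1]["ts"])
        if last - first > window:
            continue
        admin_share = {e["dst"] for e in evs if e["type"] == "share_access" and e.get("share") == "ADMIN$"}
        services = {e["dst"] for e in evs if e["type"] == "service_created"}
        # Only destinations with the full logon + ADMIN$ + service triad count.
        confirmed = [d for d in dsts if d in admin_share and d in services]
        if confirmed:
            findings.append({"account": account, "source": src, "targets": confirmed,
                             "span_minutes": (last - first).seconds // 60,
                             "assessment": "likely SMB-based lateral movement"})
    return findings


if __name__ == "__main__":
    for f in correlate_lateral_movement(EVENTS):
        print(f)
```

The output is the correlation to document and preserve; it is not a trigger to validate further without the written approval the ROE requires.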
Topic: Post-Exploitation and Lateral Movement
During an authorized internal penetration test, a tester obtains read access to a developer workstation and discovers an unencrypted file containing cloud API tokens. The rules of engagement allow evidence collection and require immediate notification for exposed production credentials, but they do not authorize using discovered credentials to access additional systems without written approval. What should the tester do next?
Options:
A. Use the tokens to enumerate all accessible cloud resources
B. Delete the file to prevent further exposure
C. Share the tokens with the development team for quick validation
D. Secure evidence, document the finding, and escalate through the agreed contact
Best answer: D
Explanation: Discovered credentials and tokens are sensitive evidence, not general-purpose access material. When the rules of engagement require notification for exposed production credentials and do not authorize reuse, the tester should protect the data, record enough evidence to support the finding, and escalate through the approved communication path. This preserves legal authorization, reduces the chance of accidental impact, and gives the client a chance to rotate or revoke the tokens. Broadly using the tokens may prove impact, but it exceeds the stated permission unless written approval is obtained first.
Topic: Post-Exploitation and Lateral Movement
A penetration tester is preparing the executive summary after an authorized internal test. The client requested business-focused wording and asked that operational details be kept in the technical appendix.
Exhibit: Post-exploitation evidence summary
| Evidence | Scope-safe observation |
|---|---|
| Initial access | Test user account reached one internal app server |
| Privilege path | Misconfigured service account allowed elevated access |
| Data access | Payroll share metadata and sample filenames were viewable |
| Limitation | No data was exfiltrated; proof was documented by screenshots |
Which statement is most appropriate for the executive summary?
Options:
A. The tester used post-exploitation techniques to enumerate shares and identify privilege escalation paths.
B. Payroll data was stolen from the environment during the penetration test.
C. The service account password and exact privilege escalation method should be listed here.
D. A service account weakness could let an intruder expand access and expose payroll data.
Best answer: D
Explanation: Executive summaries should translate technical evidence into business risk, impact, and priority without disclosing sensitive operational details. The exhibit supports a finding that elevated access was possible through a service account weakness and that payroll-related resources were exposed, but it does not support saying data was stolen. Details such as exact methods, commands, credentials, hashes, or step-by-step paths belong in the technical appendix for approved technical stakeholders. The executive wording should be accurate, concise, and useful for risk-based decision-making.
Use the CompTIA PenTest+ PT0-003 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.
Read the CompTIA PenTest+ PT0-003 Cheat Sheet on Tech Exam Lexicon, then return to IT Mastery for timed practice.