A practice exam for PowerShell, covering various aspects of PowerShell scripting and security. It includes questions on execution policies, cmdlets, and techniques for bypassing security measures. Each question is followed by an explanation of the correct answer, making it a useful resource for students and professionals looking to improve their PowerShell skills and their knowledge of security concepts. The exam covers topics such as scheduled tasks, CIM, .NET assemblies, and network connections, giving a broad overview of PowerShell capabilities.
Typology: Exams
Question 1. Which PowerShell execution policy allows scripts to run without any restrictions, even if they are unsigned?
A) AllSigned
B) RemoteSigned
C) Unrestricted
D) Bypass
Answer: C
Explanation: The Unrestricted policy runs all scripts, warning only for scripts downloaded from the Internet. It does not require signing.

Question 2. What cmdlet retrieves a list of all running processes on the local machine?
A) Get-Service
B) Get-Process
C) Get-Item
D) Get-Content
Answer: B
Explanation: Get-Process queries the operating system for active processes and returns process objects.
Question 3. In PowerShell 7+, which host is the default when you launch pwsh from a Windows console?
A) Windows PowerShell ISE
B) PowerShell Core console host
C) Visual Studio Code integrated terminal
D) Windows Command Prompt
Answer: B
Explanation: PowerShell 7+ (PowerShell Core) uses its own cross-platform console host, distinct from Windows PowerShell ISE.

Question 4. Which of the following techniques can be used to bypass the default execution policy without changing the policy setting?
A) Adding -ExecutionPolicy Bypass to the PowerShell.exe command line
B) Setting $env:PSModulePath to an empty string
C) Using Set-StrictMode -Version Latest
D) Importing the Microsoft.PowerShell.Security module
Answer: A
Explanation: The -ExecutionPolicy Bypass flag overrides the configured policy for that session only.
A) Get-ComputerInfo | Select-Object OSVersion
B) Get-CimInstance -ClassName Win32_OperatingSystem | Select-Object Version
C) Get-WmiObject -Class Win32_OperatingSystem | Format-List Caption
D) Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion
Answer: B
Explanation: Get-CimInstance -ClassName Win32_OperatingSystem returns OS properties; the Version property holds the OS version.

Question 8. Which PowerShell feature allows execution of .NET assemblies directly in memory without writing to disk?
A) Add-Type
B) Import-Module
C) Invoke-Expression
D) [Reflection.Assembly]::Load
Answer: D
Explanation: [Reflection.Assembly]::Load() loads a byte array of a .NET assembly into memory, enabling in-memory execution.

Question 9. Which cmdlet lists all local user accounts on a Windows machine?
A) Get-LocalGroup
B) Get-LocalUser
C) Get-ADUser
D) Get-User
Answer: B
Explanation: Get-LocalUser queries the local SAM database and returns user account objects.

Question 10. What is the purpose of the Invoke-WebRequest -OutFile pattern in a post-exploitation script?
A) To query DNS records silently
B) To download a remote file and save it locally
C) To enumerate open ports on a remote host
D) To execute a PowerShell command on a remote machine
Answer: B
Explanation: Invoke-WebRequest -OutFile fetches content from a URL and writes it to the specified local file path.

Question 11. Which PowerShell command can be used to enumerate all services that are set to start automatically?
A) Id
B) SID
C) ObjectSid
D) SecurityIdentifier
Answer: B
Explanation: The SID property of the returned user object contains the security identifier for that account.

Question 14. What does the New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Updater" -Value "powershell.exe -w hidden -encodedcommand ..." command accomplish?
A) Creates a new file in the user's AppData folder
B) Adds a registry Run key for persistence that launches PowerShell at logon
C) Modifies the Windows Update service configuration
D) Sets a firewall rule to allow inbound traffic
Answer: B
Explanation: Adding a value under the Run registry key causes the specified command to execute each time the user logs on, providing persistence.

Question 15. Which PowerShell cmdlet can be used to capture live network connections on the local system?
A) Get-NetTCPConnection
B) Get-NetAdapter
C) Get-NetIPConfiguration
D) Get-NetFirewallRule
Answer: A
Explanation: Get-NetTCPConnection returns current TCP connections, including local/remote addresses and states.

Question 16. Which of the following is a valid way to execute a scriptblock stored in a variable named $sb?
A) $sb.Invoke()
B) Invoke-Expression $sb
C) & $sb
D) Start-Job -ScriptBlock $sb
Answer: C
Explanation: The call operator & executes the scriptblock contained in $sb.

Question 17. Which PowerShell feature enables you to split a string into multiple variables to evade simple signature detection?
A) New-CimInstance
B) Register-WmiEvent
C) Set-WmiInstance
D) New-Object
Answer: B
Explanation: Register-WmiEvent registers a subscription for a WMI event, allowing a scriptblock to run when the event fires.

Question 20. Which .NET class provides the ability to open a TCP listener for a reverse shell in PowerShell?
A) System.Net.WebClient
B) System.Net.Sockets.TcpListener
C) System.IO.StreamReader
D) System.Management.Automation.Runspaces
Answer: B
Explanation: TcpListener creates a listening socket that can accept inbound connections, useful for reverse shells.

Question 21. Which PowerShell command can be used to enumerate all domain controllers in the current AD forest?
A) Get-ADDomainController -Filter *
B) Get-LocalComputer | Where-Object {$_.Role -eq 'DC'}
C) Get-ADObject -LDAPFilter "(objectClass=computer)"
D) Get-CimInstance -ClassName Win32_ComputerSystem
Answer: A
Explanation: Get-ADDomainController -Filter * returns every domain controller object in the forest (requires the AD module).

Question 22. When using Invoke-Command -ComputerName server01 -ScriptBlock { Get-Process }, which PowerShell feature is being leveraged?
A) PowerShell Remoting (PSRP)
B) WMI remote execution
C) SMB file share access
D) Credential Guard
Answer: A
Explanation: Invoke-Command uses PowerShell Remoting (the PowerShell Remoting Protocol) to run code on a remote machine.

Question 23. Which PowerShell cmdlet can be used to compress a folder named C:\Data into C:\Archive\data.zip?
A) AMSI only scans compiled binaries, not PowerShell scripts
B) AMSI can block execution of a script block before it runs if the content matches a known signature
C) AMSI replaces Windows Defender entirely
D) AMSI disables PowerShell remoting when enabled
Answer: B
Explanation: The Antimalware Scan Interface (AMSI) allows anti-malware products to inspect script content before execution and block it if malicious.

Question 26. Which cmdlet can retrieve the list of installed Windows updates on a system?
A) Get-HotFix
B) Get-WindowsFeature
C) Get-Package
D) Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Answer: A
Explanation: Get-HotFix queries the system for installed updates (hotfixes) and returns their KB numbers and installation dates.
Question 27. Which PowerShell technique can be used to hide the console window when executing a script that launches a GUI application?
A) Start-Process -WindowStyle Hidden
B) Start-Process -NoNewWindow
C) Start-Process -Verb RunAs
D) Start-Process -UseShellExecute $false
Answer: A
Explanation: The -WindowStyle Hidden parameter hides the console window for the launched process.

Question 28. Which of the following cmdlets can be used to enumerate the ARP table on a Windows host?
A) Get-NetNeighbor
B) Get-ARPTable
C) Get-NetIPConfiguration
D) Get-NetAdapter
Answer: A
Explanation: Get-NetNeighbor returns neighbor cache entries, which include the ARP table for IPv4.
Question 31. Which .NET class is commonly used to perform raw socket connections for custom port scanning in PowerShell?
A) System.Net.WebClient
B) System.Net.Sockets.TcpClient
C) System.Net.Mail.SmtpClient
D) System.IO.FileStream
Answer: B
Explanation: TcpClient provides low-level TCP socket functionality, enabling custom connection attempts for port scanning.

Question 32. Which PowerShell construct is most appropriate for creating a persistent loop that checks for a specific file every 30 seconds?
A) while ($true) { Start-Sleep -Seconds 30; Test-Path C:\trigger.txt }
B) foreach ($i in 1..30) {}
C) Do-Until {}
D) Switch ($i) {}
Answer: A
Explanation: A while ($true) infinite loop combined with Start-Sleep implements a periodic check.
Question 33. Which command retrieves the SID of the currently logged-on user?
A) [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
B) Get-LocalUser | Where-Object {$_.Enabled -eq $true}
C) Get-Process -Id $PID | Select-Object -ExpandProperty StartInfo
D) Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer
Answer: A
Explanation: The .NET WindowsIdentity class returns the current user's SID via the User property.

Question 34. Which PowerShell feature can be used to execute a script block in a separate runspace, reducing the chance of detection by simple monitoring tools?
A) Start-Job
B) Invoke-Expression
C) Import-Module
D) Out-Null
Answer: A
Explanation: Start-Job runs the script block in a background job (separate runspace), allowing asynchronous execution.
Question 37. Which PowerShell cmdlet can be used to list all installed PowerShell modules on the system?
A) Get-Module -ListAvailable
B) Get-InstalledModule
C) Get-Package
D) Get-Command -Module
Answer: A
Explanation: Get-Module -ListAvailable enumerates all modules that are discoverable in the module paths.

Question 38. Which command can be used to create a WMI event filter that triggers when a user logs on?
A) New-CimInstance -Namespace root\subscription -ClassName __EventFilter -Property @{QueryLanguage='WQL'; Query='SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA ''Win32_LogonSession'''}
B) Register-WmiEvent -Class __InstanceCreationEvent -SourceIdentifier LogonEvent
C) Set-WmiInstance -Namespace root\cimv2 -Class Win32_Process -Arguments @{CommandLine='cmd.exe'}
D) New-Item -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Run -Name LogonTrigger
Answer: A
Explanation: Creating a __EventFilter in the root\subscription namespace with a WQL query that watches for Win32_LogonSession creation creates the desired trigger.

Question 39. Which PowerShell feature can be leveraged to execute a malicious payload directly from a compressed archive without extracting it to disk?
A) Expand-Archive -DestinationPath $env:TEMP
B) Invoke-Expression (Get-Content (Compress-Archive ...))
C) System.IO.Compression.ZipFile::OpenRead combined with [Reflection.Assembly]::Load
D) Copy-Item -Path archive.zip -Destination C:\
Answer: C
Explanation: Using the .NET ZipFile class to read a DLL/EXE from a ZIP stream and then loading it via reflection enables in-memory execution without writing to disk.

Question 40. Which cmdlet can be used to enumerate all network adapters and their operational status?
A) Get-NetAdapter | Where-Object {$_.Status -eq 'Up'}
B) Get-NetIPConfiguration
C) Get-NetTCPConnection