PowerShell Hacker Practice Exam Questions, Exams of Technology

A practice exam for PowerShell, focusing on various aspects of PowerShell scripting and security. It includes questions on execution policies, cmdlets, and techniques for bypassing security measures. Each question is followed by a detailed explanation of the correct answer, making it a valuable resource for students and professionals looking to enhance their PowerShell skills and knowledge of security concepts. The exam covers topics such as scheduled tasks, CIM, .NET assemblies, and network connections, providing a comprehensive overview of PowerShell capabilities.

Typology: Exams

2025/2026

Available from 12/10/2025

shilpi-jain-1

C PSH Certified PowerShell Hacker Practice Exam
**Question 1.** Which PowerShell execution policy allows scripts to run without
any restrictions, even if they are unsigned?
A) AllSigned
B) RemoteSigned
C) Unrestricted
D) Bypass
Answer: C
Explanation: The **Unrestricted** policy runs all scripts, warning only for scripts
downloaded from the Internet. It does not require signing.
**Question 2.** What cmdlet retrieves a list of all running processes on the local
machine?
A) Get-Service
B) Get-Process
C) Get-Item
D) Get-Content
Answer: B
Explanation: **Get-Process** queries the operating system for active processes
and returns process objects.

**Question 3.** In PowerShell 7+, which host is the default when you launch pwsh from a Windows console?
A) Windows PowerShell ISE
B) PowerShell Core console host
C) Visual Studio Code integrated terminal
D) Windows Command Prompt
Answer: B
Explanation: PowerShell 7+ (PowerShell Core) uses its own cross‑platform console host, distinct from Windows PowerShell ISE.
**Question 4.** Which of the following techniques can be used to bypass the default execution policy without changing the policy setting?
A) Adding -ExecutionPolicy Bypass to the PowerShell.exe command line
B) Setting $env:PSModulePath to an empty string
C) Using Set-StrictMode -Version Latest
D) Importing the Microsoft.PowerShell.Security module
Answer: A
Explanation: The -ExecutionPolicy Bypass flag overrides the configured policy for that session only.

A) Get-ComputerInfo | Select-Object OSVersion
B) Get-CimInstance -ClassName Win32_OperatingSystem | Select-Object Version
C) Get-WmiObject -Class Win32_OperatingSystem | Format-List Caption
D) Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion
Answer: B
Explanation: Get-CimInstance -ClassName Win32_OperatingSystem returns OS properties; the Version property holds the OS version.
**Question 8.** Which PowerShell feature allows execution of .NET assemblies directly in memory without writing to disk?
A) Add-Type
B) Import-Module
C) Invoke-Expression
D) [Reflection.Assembly]::Load
Answer: D
Explanation: [Reflection.Assembly]::Load() loads a byte array of a .NET assembly into memory, enabling in‑memory execution.
**Question 9.** Which cmdlet lists all local user accounts on a Windows machine?
A) Get-LocalGroup
B) Get-LocalUser
C) Get-ADUser
D) Get-User
Answer: B
Explanation: Get-LocalUser queries the local SAM database and returns user account objects.
**Question 10.** What is the purpose of the Invoke-WebRequest -OutFile pattern in a post‑exploitation script?
A) To query DNS records silently
B) To download a remote file and save it locally
C) To enumerate open ports on a remote host
D) To execute a PowerShell command on a remote machine
Answer: B
Explanation: Invoke-WebRequest -OutFile fetches content from a URL and writes it to the specified local file path.
**Question 11.** Which PowerShell command can be used to enumerate all services that are set to start automatically?

A) Id
B) SID
C) ObjectSid
D) SecurityIdentifier
Answer: B
Explanation: The SID property of the returned user object contains the security identifier for that account.
**Question 14.** What does the New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Updater" -Value "powershell.exe -w hidden -encodedcommand ..." command accomplish?
A) Creates a new file in the user’s AppData folder
B) Adds a registry Run key for persistence that launches PowerShell at logon
C) Modifies the Windows Update service configuration
D) Sets a firewall rule to allow inbound traffic
Answer: B
Explanation: Adding a value under the Run registry key causes the specified command to execute each time the user logs on, providing persistence.
**Question 15.** Which PowerShell cmdlet can be used to capture live network connections on the local system?
A) Get-NetTCPConnection
B) Get-NetAdapter
C) Get-NetIPConfiguration
D) Get-NetFirewallRule
Answer: A
Explanation: Get-NetTCPConnection returns current TCP connections, including local/remote addresses and states.
**Question 16.** Which of the following is a valid way to execute a scriptblock stored in a variable named $sb?
A) $sb.Invoke()
B) Invoke-Expression $sb
C) & $sb
D) Start-Job -ScriptBlock $sb
Answer: C
Explanation: The call operator & executes the scriptblock contained in $sb.
**Question 17.** Which PowerShell feature enables you to split a string into multiple variables to evade simple signature detection?

A) New-CimInstance
B) Register-WmiEvent
C) Set-WmiInstance
D) New-Object
Answer: B
Explanation: Register-WmiEvent registers a subscription for a WMI event, allowing a scriptblock to run when the event fires.
**Question 20.** Which .NET class provides the ability to open a TCP listener for a reverse shell in PowerShell?
A) System.Net.WebClient
B) System.Net.Sockets.TcpListener
C) System.IO.StreamReader
D) System.Management.Automation.Runspaces
Answer: B
Explanation: TcpListener creates a listening socket that can accept inbound connections, useful for reverse shells.
**Question 21.** Which PowerShell command can be used to enumerate all domain controllers in the current AD forest?
A) Get-ADDomainController -Filter *
B) Get-LocalComputer | Where-Object {$_.Role -eq 'DC'}
C) Get-ADObject -LDAPFilter "(objectClass=computer)"
D) Get-CimInstance -ClassName Win32_ComputerSystem
Answer: A
Explanation: Get-ADDomainController -Filter * returns every domain controller object in the forest (requires the AD module).
**Question 22.** When using Invoke-Command -ComputerName server01 -ScriptBlock { Get-Process }, which PowerShell feature is being leveraged?
A) PowerShell Remoting (PSRP)
B) WMI remote execution
C) SMB file share access
D) Credential Guard
Answer: A
Explanation: Invoke-Command uses PowerShell Remoting (the PowerShell Remoting Protocol) to run code on a remote machine.
**Question 23.** Which PowerShell cmdlet can be used to compress a folder named C:\Data into C:\Archive\data.zip?

A) AMSI only scans compiled binaries, not PowerShell scripts
B) AMSI can block execution of a script block before it runs if the content matches a known signature
C) AMSI replaces Windows Defender entirely
D) AMSI disables PowerShell remoting when enabled
Answer: B
Explanation: The Antimalware Scan Interface (AMSI) allows anti‑malware products to inspect script content before execution and block it if malicious.
**Question 26.** Which cmdlet can retrieve the list of installed Windows updates on a system?
A) Get-HotFix
B) Get-WindowsFeature
C) Get-Package
D) Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Answer: A
Explanation: Get-HotFix queries the system for installed updates (hotfixes) and returns their KB numbers and installation dates.

**Question 27.** Which PowerShell technique can be used to hide the console window when executing a script that launches a GUI application?
A) Start-Process -WindowStyle Hidden
B) Start-Process -NoNewWindow
C) Start-Process -Verb RunAs
D) Start-Process -UseShellExecute $false
Answer: A
Explanation: The -WindowStyle Hidden parameter hides the console window for the launched process.
**Question 28.** Which of the following cmdlets can be used to enumerate the ARP table on a Windows host?
A) Get-NetNeighbor
B) Get-ARPTable
C) Get-NetIPConfiguration
D) Get-NetAdapter
Answer: A
Explanation: Get-NetNeighbor returns neighbor cache entries, which include the ARP table for IPv4.

**Question 31.** Which .NET class is commonly used to perform raw socket connections for custom port scanning in PowerShell?
A) System.Net.WebClient
B) System.Net.Sockets.TcpClient
C) System.Net.Mail.SmtpClient
D) System.IO.FileStream
Answer: B
Explanation: TcpClient provides low‑level TCP socket functionality, enabling custom connection attempts for port scanning.
**Question 32.** Which PowerShell construct is most appropriate for creating a persistent loop that checks for a specific file every 30 seconds?
A) while ($true) { Start-Sleep -Seconds 30; Test-Path C:\trigger.txt }
B) foreach ($i in 1..30) {}
C) Do-Until {}
D) Switch ($i) {}
Answer: A
Explanation: A while ($true) infinite loop combined with Start-Sleep implements a periodic check.

**Question 33.** Which command retrieves the SID of the currently logged‑on user?
A) [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
B) Get-LocalUser | Where-Object {$_.Enabled -eq $true}
C) Get-Process -Id $PID | Select-Object -ExpandProperty StartInfo
D) Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer
Answer: A
Explanation: The .NET WindowsIdentity class returns the current user’s SID via the User property.
**Question 34.** Which PowerShell feature can be used to execute a script block in a separate runspace, reducing the chance of detection by simple monitoring tools?
A) Start-Job
B) Invoke-Expression
C) Import-Module
D) Out-Null
Answer: A
Explanation: Start-Job runs the script block in a background job (separate runspace), allowing asynchronous execution.

**Question 37.** Which PowerShell cmdlet can be used to list all installed PowerShell modules on the system?
A) Get-Module -ListAvailable
B) Get-InstalledModule
C) Get-Package
D) Get-Command -Module
Answer: A
Explanation: Get-Module -ListAvailable enumerates all modules that are discoverable in the module paths.
**Question 38.** Which command can be used to create a WMI event filter that triggers when a user logs on?
A) New-CimInstance -Namespace root\subscription -ClassName __EventFilter -Property @{QueryLanguage='WQL'; Query='SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA ''Win32_LogonSession'''}
B) Register-WmiEvent -Class __InstanceCreationEvent -SourceIdentifier LogonEvent
C) Set-WmiInstance -Namespace root\cimv2 -Class Win32_Process -Arguments @{CommandLine='cmd.exe'}
D) New-Item -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Run -Name LogonTrigger
Answer: A
Explanation: Creating a __EventFilter in the root\subscription namespace with a WQL query that watches for Win32_LogonSession creation creates the desired trigger.
**Question 39.** Which PowerShell feature can be leveraged to execute a malicious payload directly from a compressed archive without extracting it to disk?
A) Expand-Archive -DestinationPath $env:TEMP
B) Invoke-Expression (Get-Content (Compress-Archive ...))
C) System.IO.Compression.ZipFile::OpenRead combined with [Reflection.Assembly]::Load
D) Copy-Item -Path archive.zip -Destination C:\
Answer: C
Explanation: Using the .NET ZipFile class to read a DLL/EXE from a ZIP stream and then loading it via reflection enables in‑memory execution without writing to disk.
**Question 40.** Which cmdlet can be used to enumerate all network adapters and their operational status?
A) Get-NetAdapter | Where-Object {$_.Status -eq 'Up'}
B) Get-NetIPConfiguration
C) Get-NetTCPConnection