InterviewStack.io LogoInterviewStack.io

Persistence and Lateral Movement Questions

Advanced adversary persistence and lateral movement techniques used in post compromise operations and red team engagements, as well as the defensive controls and detection strategies defenders should apply. Topics include methods for maintaining access across reboots and remediation attempts such as installing backdoors, service and scheduled task manipulation, startup and autorun modifications, registry or profile changes, kernel and boot level implants, firmware persistence, web shell and agent implantation, and covert remote access tunnels. Also covers techniques for moving laterally within networks including credential theft and replay, pass the hash, pass the ticket, Kerberoasting, service ticket abuse, pivoting via compromised hosts, remote execution over management protocols such as remote desktop and secure shell, exploitation of trust relationships, and use of proxying or tunneling. The description includes trade offs between stealth and reliability, common indicators of compromise, forensic evidence left by each mechanism, detection and logging strategies, containment and mitigation approaches, and secure architecture practices to limit lateral movement such as segmentation, least privilege, and strong authentication.

MediumTechnical
36 practiced
You suspect firmware (UEFI/BIOS) persistence on a server after cleaning OS-level artifacts. Describe a safe, enterprise-appropriate investigation and evidence-collection plan: what to collect from the host, vendor engagement considerations, useful tooling or lab steps, and chain-of-custody practices before any destructive validation.
EasyTechnical
47 practiced
In PowerShell (no destructive actions), write a script or sequence of commands that enumerates common Windows autorun persistence locations: HKCU/HKLM Run keys, Scheduled Tasks, Services, Startup folder, and WMI persistent event subscriptions. Output a consolidated JSON report summarizing findings per host.
EasyTechnical
35 practiced
Describe the differences between a Kerberos TGT (Ticket Granting Ticket) and service (TGS) tickets. Then briefly explain Kerberoasting: what an attacker requests, how an attacker extracts offline password material, and a high-level defense that reduces its effectiveness.
EasyTechnical
49 practiced
If advising a mid-size enterprise (5k-20k endpoints) on minimal instrumentation to detect common persistence and lateral movement techniques, what logs, agents, and configurations would you require on Windows endpoints, Linux servers, domain controllers, and core network devices? Prioritize by highest signal-to-noise.
MediumTechnical
35 practiced
When investigating an endpoint suspected of autorun modification persistence, which specific forensic artifacts across the file system, registry, MFT, and event logs would you collect to build a tampering timeline? Include registry key paths and relevant Windows event IDs to look for.

Unlock Full Question Bank

Get access to hundreds of Persistence and Lateral Movement interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.