To remove persistence on the server is correct because the command retrieves the specified service and pipes it to Remove-Service, permanently deleting it from the system and eliminating a mechanism that could be used to maintain access. To enumerate the running services on the server is incorrect because Get-Service alone performs enumeration, but the inclusion of Remove-Service changes the action to deletion. To shut down a running service temporarily is incorrect because stopping a service would use Stop-Service, not Remove-Service, which deletes it entirely. To enable persistence on the server is incorrect because this command removes an existing service rather than creating or maintaining one. OBJ. 5.4

OBJ 1.1: The client's tolerance to impact will allow the penetration test to balance the tasks to be performed in the assessment against real-world network utilization. If the client has a low tolerance to impact, then the assessment may be conducted on a cloned or a sandboxed version of the network or its applications. If the client has a high tolerance to impact, then they understand and agree that the penetration test may have real-world consequences to the production network during the assessment. This is usually based on the organization's risk appetite. OBJ. 1.1

Information exposure is correct because sensitive data such as credentials, tokens, and PII are being improperly stored in logs, making them accessible to anyone who gains access to the logging system, which directly leads to unintended disclosure of confidential information. Resource misconfiguration is incorrect because it refers to improperly configured infrastructure components, whereas the issue here is the exposure of sensitive data within logs. Image and artifact tampering is incorrect because it involves modifying software components or deployment artifacts, which is not indicated in this scenario. Third-party integrations is incorrect because it involves weaknesses in external services or APIs, while this scenario focuses on improper handling and storage of sensitive information within internal logging systems. OBJ. 4.6

Zero-day vulnerability is correct because it refers to a previously unknown security flaw that has not yet been disclosed or patched by the vendor, meaning defenders have had “zero days” to develop protections such as patches, signatures, or mitigations, making the vulnerability particularly dangerous when discovered or exploited by attackers. HTTP header injection vulnerability is incorrect because it specifically involves improper handling of user input within HTTP response headers and does not describe the broader condition of a newly discovered, unpatched vulnerability. Time-to-check to time-to-use flaw is incorrect because it describes a race condition where a system state changes between a security check and the use of that check’s result, which is a specific programming flaw rather than a classification for undisclosed vulnerabilities. Input validation flaw is incorrect because it refers to vulnerabilities caused by insufficient sanitization or validation of user input, whereas the scenario focuses on the timing of disclosure and lack of available patches rather than the underlying coding weakness. OBJ. 3.1

OBJ 1.1: If an indicator of a previous compromise is found during a penetration test, the team should immediately inform the client's emergency point of contact unless the scope of work states otherwise. The penetration testing team should have a direct communication path with the system owners or their trusted agents during an engagement. If the team discovers any security breaches, current hacking activity, extremely critical findings on a production server, or a production server becomes unresponsive during exploitation, then the team should stop what they are doing and contract their trusted point of contact within the organization to get further guidance. The trusted agents and communication paths should be determined when planning the engagement. OBJ. 1.1 

OBJ 5.2: After identifying the vulnerability in the printers' firmware, Steve should document his findings and notify the client, providing recommendations for updating the firmware to mitigate the risk. This ensures the client is informed and can take appropriate action to secure their network. Attempting to exploit the vulnerability without client consent, updating the firmware himself, or ignoring the issue could lead to unauthorized actions, potential damage, or unaddressed security risks. OBJ. 5.2

Based on the description, the ethical hacker conducted a very specialized type of social engineering attack known as tailgating. Sometimes on a certification exam, there are two correct answers, but one is more correct. This question is an example of that concept. Tailgating involves someone who lacks the proper authentication following an employee into a restricted area. Social engineering uses deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. Shoulder surfing is a type of social engineering technique used to obtain personal identification numbers (PINs), passwords, and other confidential data by looking over the victim's shoulder. Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source. OBJ. 4.8

set type=ns is correct because in nslookup interactive mode, the set type=ns command modifies the query type so that subsequent lookups return only NS (Name Server) records, which identify the authoritative DNS servers responsible for the domain’s zone and are commonly targeted during reconnaissance. nslookup -type=ns diontraining.com is incorrect because this syntax is used in non-interactive mode where the query type is specified directly in the command line rather than inside the interactive console. locate type=ns is incorrect because locate is not a valid command in nslookup. transfer type=ns is incorrect because zone transfers use commands such as ls or AXFR, and this syntax is not recognized by nslookup for setting the query type. OBJ. 2.2

Accessible resources is correct because the command lists network-accessible locations on the target system along with their permissions. Active network connections is incorrect because that requires tools such as netstat. Installed applications is incorrect because it involves software inventory. Running system processes is incorrect because it requires process enumeration commands. OBJ. 2.2

OBJ 4.9: Bluejacking involves sending unsolicited messages to Bluetooth-enabled devices without the owner's permission. Bluetooth spoofing involves spoofing the Bluetooth MAC address to impersonate another device, which can be used to trick a device into connecting to the attacker's device. Bluesnarfing involves gaining unauthorized access to a Bluetooth-enabled device to steal data such as contacts, messages, and other sensitive information. Bluesmacking is a denial-of-service (DoS) attack against Bluetooth-enabled devices, where the attacker sends a large number of malicious Bluetooth packets to a device, overwhelming it and causing it to crash or become unresponsive. OBJ. 4.9