nerdexam
EC-Council

312-50V10 · Question #654

Based on the following extract from the log of a compromised machine, what is the hacker really trying to steal?

The correct answer is B. SAM file. The attacker is targeting the Windows SAM file, which stores local account password hashes, and is using the repair directory as a pathway to obtain a backup copy of it.

System Hacking

Question

Based on the following extract from the log of a compromised machine, what is the hacker really trying to steal?

Options

  • Ahar.txt
  • BSAM file
  • Cwwwroot
  • DRepair file

How the community answered

(29 responses)
  • A
    17% (5)
  • B
    69% (20)
  • C
    3% (1)
  • D
    10% (3)

Why each option

The attacker is targeting the Windows SAM file, which stores local account password hashes, and is using the repair directory as a pathway to obtain a backup copy of it.

Ahar.txt

har.txt is only the destination filename the attacker uses to stage the exfiltrated data - it has no intrinsic credential value of its own.

BSAM fileCorrect

The SAM (Security Account Manager) file contains Windows local account password hashes. Attackers commonly copy a backup of the SAM file from the repair directory to a staging file such as har.txt and exfiltrate it for offline cracking using tools like L0phtcrack - making the SAM file the true target of the operation.

Cwwwroot

wwwroot is a web server content directory and does not contain Windows authentication credentials relevant to this attack pattern.

DRepair file

The repair directory is the access vector used to retrieve a shadow copy of the SAM file, but the credential store being stolen is the SAM file itself, not the repair directory generically.

Concept tested: Windows SAM file credential theft via repair directory backup

Source: https://attack.mitre.org/techniques/T1003/002/

Topics

#SAM file#password hashes#Windows credentials#log analysis

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice