312-50V10 · Question #654
Based on the following extract from the log of a compromised machine, what is the hacker really trying to steal?
The correct answer is B. SAM file. The attacker is targeting the Windows SAM file, which stores local account password hashes, and is using the repair directory as a pathway to obtain a backup copy of it.
Question
Based on the following extract from the log of a compromised machine, what is the hacker really trying to steal?
Options
- Ahar.txt
- BSAM file
- Cwwwroot
- DRepair file
How the community answered
(29 responses)- A17% (5)
- B69% (20)
- C3% (1)
- D10% (3)
Why each option
The attacker is targeting the Windows SAM file, which stores local account password hashes, and is using the repair directory as a pathway to obtain a backup copy of it.
har.txt is only the destination filename the attacker uses to stage the exfiltrated data - it has no intrinsic credential value of its own.
The SAM (Security Account Manager) file contains Windows local account password hashes. Attackers commonly copy a backup of the SAM file from the repair directory to a staging file such as har.txt and exfiltrate it for offline cracking using tools like L0phtcrack - making the SAM file the true target of the operation.
wwwroot is a web server content directory and does not contain Windows authentication credentials relevant to this attack pattern.
The repair directory is the access vector used to retrieve a shadow copy of the SAM file, but the credential store being stolen is the SAM file itself, not the repair directory generically.
Concept tested: Windows SAM file credential theft via repair directory backup
Source: https://attack.mitre.org/techniques/T1003/002/
Topics
Community Discussion
No community discussion yet for this question.