EC-Council

312-50V9 · Question #556

312-50V9 Question #556: Real Exam Question with Answer & Explanation

The correct answer is B: SAM file. The log extract shows the attacker targeting the SAM (Security Account Manager) file, which stores the password hashes of local Windows accounts; once copied, those hashes can be cracked offline.

Question

Based on the following extract from the log of a compromised machine, what is the hacker really trying to steal?

Options

  • A. har.txt
  • B. SAM file
  • C. wwwroot
  • D. Repair file

Explanation

The log extract shows the attacker targeting the SAM (Security Account Manager) file, which stores the password hashes of local Windows accounts; once copied, those hashes can be cracked offline.

Common mistakes.

  • A. har.txt is not a standard Windows system file containing credentials; it holds no value as a target for password or account data theft.
  • C. wwwroot is the default web server document root directory and contains web content, not user credential hashes stored in the SAM database.
  • D. The repair directory is the location from which the attacker retrieves the SAM backup, not the item of value itself; the SAM file stored within that directory is the actual credential target.

Concept tested. Windows SAM file theft via repair directory backup

Reference. https://learn.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication
