CompTIA
PT0-001 Question #156: Real Exam Question with Answer & Explanation
The correct answer is B: Alternate data streams. The command stores a file inside an NTFS Alternate Data Stream hidden within calc.exe, exploiting the NTFS feature that allows data to be embedded in named streams invisible to standard directory listings.
Post-exploitation and lateral movement
Question
During post-exploitation, a tester identifies that only system binaries will pass an egress filter and stores a file with the following command: c:\creditcards.db>c:\winit\system32\calc.exe:creditcards.db Which of the following file system vulnerabilities does this command take advantage of?
Options
- A. Hierarchical file system
- B. Alternate data streams
- C. Backdoor success
- D. Extended file system
Explanation
The command stores a file inside an NTFS Alternate Data Stream hidden within calc.exe, exploiting the NTFS feature that allows data to be embedded in named streams invisible to standard directory listings.
Common mistakes.
- A. A hierarchical file system refers to the parent-child directory tree organization of a filesystem and does not describe the technique of embedding hidden named data streams within existing files.
- C. 'Backdoor success' is not a recognized filesystem vulnerability or feature and does not correspond to any specific filesystem mechanism being exploited by this command.
- D. Extended file system (ext2/ext3/ext4) is a Linux filesystem type that lacks the NTFS Alternate Data Stream feature; this technique applies exclusively to Windows NTFS volumes.
Concept tested. NTFS Alternate Data Streams for data hiding
Topics
#alternate data streams #NTFS #data hiding #egress filter evasion