Which of the following OS or filesystem mechanisms is MOST likely to support this objective?

A penetration tester has obtained shell access to a Windows host and wants to run a specially crafted binary for later execution using the wmic.exe process call create function.

Which of the following OS or filesystem mechanisms is MOST likely to support this objective?
A . Alternate data streams
B . PowerShell modules
C . MP4 steganography
D . PsExec

View Answer

Answer: A

Explanation:

Alternate Data Streams (ADS) are a feature of the NTFS file system (which is used by modern versions of Windows) that allows metadata to be associated with files, similar to the way that Macs handle resource forks. In a penetration testing scenario, ADS can be used to hide malicious payloads in a way that is unlikely to be detected by traditional antivirus tools.

Given the context, ADS is most relevant. The penetration tester has already gained shell access and wants to use a binary for later execution. ADS would allow the tester to hide this binary within an existing file’s metadata.

B) PowerShell modules are used for extending the functionality of PowerShell, but the question does not indicate that PowerShell is in use.

C) MP4 steganography refers to the practice of hiding information within MP4 files. While this could theoretically be used to deliver a payload, the scenario doesn’t indicate that any MP4 files are in use.

D) PsExec is a tool that allows for the execution of processes on remote systems, but it doesn’t inherently help with hiding a binary for later execution.