{ "query": "Which technique conceals and enables exfiltration of a file on NTFS by storing it inside another file?", "options": [ { "text": "Steganography in an image file", "explanation": "Steganography hides data within image pixels or metadata so the carrier appears normal", "correct": false, "selected": false }, { "text": "Alternate data streams", "explanation": "Alternate data streams are an NTFS feature that lets data be stored in a secondary stream attached to a file", "correct": true, "selected": false }, { "text": "Unquoted service path", "explanation": "An unquoted service path can allow executable hijacking when a service executable path contains spaces and is not quoted", "correct": false, "selected": false } ], "answer": "

The correct option is Alternate data streams.

Alternate data streams are a feature of the NTFS filesystem that allows extra data to be attached to a file without changing the primary file contents that common tools display. Attackers can hide a secondary file inside a stream of a legitimate host file, which lets them conceal and exfiltrate data while the main file appears normal. Because this behavior is specific to NTFS and matches storing a file inside another file on NTFS, it is the correct technique described in the question.

Steganography in an image file is a different technique that hides information in the pixels or metadata of an image, and it is not specific to NTFS. Steganography can conceal data inside images, but the question targets an NTFS filesystem mechanism rather than embedding data in image content.

Unquoted service path is a Windows configuration vulnerability that can lead to privilege escalation when service executable paths are not quoted properly. It has nothing to do with hiding or storing a file inside another file on NTFS, so it is not the correct choice.

", "batch_id": "1431", "answerCode": "2", "type": "multiple-choice", "originalQuery": "Christina is conducting a penetration test against Dion Training's network. The goal of this engagement is to conduct data exfiltration of the company's exam database without detection. Christina enters the following command into the terminal: -=-=-=-=-=-=- C:\\database\\exams.db>c:\\Users\\Christina\\Desktop\\beachpic.png:exams.db -=-=-=-=-=-=- Next, Christina emailed the beachpic.png file to her personal email account. Which of the following techniques did she use to exfiltrate the file?", "originalOptions": "A. NTFS encryption
B. Alternate data streams
C. Unquoted service path
D. DLL hijacking", "domain": "Reconnaissance Techniques for Ethical Hacking", "hasImage": false, "queryImage": "", "queryImages": [], "allImages": [], "hasAnyImage": false, "deprecatedReference": false, "deprecatedMatches": {}, "hasPre": false, "qid": "2312s", "tip": "

When a question mentions hiding files on NTFS, look for the phrase alternate data streams or the abbreviation ADS. If the question instead mentions embedding data in pixels, then think steganography.

", "references": [ "Microsoft Docs on NTFS Alternate Data Streams", "SANS blog on NTFS Alternate Data Streams", "Steganography on Wikipedia" ], "video_url": "https://certificationation.com/videos/others/eccouncil/ethical-hacker/eccouncil-test-against-dion-training-s-network-exam-2312.html", "url": "https://certificationation.com/questions/others/eccouncil/ethical-hacker/eccouncil-test-against-dion-training-s-network-exam-2312.html" }