During an internal engagement, a penetration tester must move infiltration scripts between compromised Windows hosts. The client has asked the tester to rely only on native Windows binaries that are dedicated to file transfer so the activity blends in with routine administrative usage (for example, ftp.exe in scripted batch mode). Which planned action BEST meets this requirement?
Implement custom DLL injection code that transfers files over an isolated port
Install a Trojan that downloads the infiltration scripts over HTTP
Execute a PowerShell script that pulls the infiltration scripts from an SMB share
Create a small batch file that invokes ftp.exe with a scripted command file to copy the infiltration scripts
A small batch file that calls the built-in FTP client (ftp.exe) meets the constraints in the scenario. ftp.exe is installed by default on Windows, can be scripted with the -s switch to run a text file of FTP commands, and is explicitly intended for file transfer. Leveraging it avoids the need to introduce third-party tools, helping the tester "live off the land."
Installing a Trojan that downloads files over HTTP or performing custom DLL injection clearly introduces new binaries and is more likely to be flagged. A PowerShell script that pulls files from an SMB share also uses a built-in component, but it does not meet the customer's request to use a dedicated file-transfer utility; PowerShell's primary purpose is scripting and automation rather than stand-alone file transfer, and organizations frequently monitor PowerShell for abuse.
Sources:
MITRE ATT&CK entry for ftp.exe shows the tool's abuse for lateral tool transfer (S0095).
PowerShell is bundled with current versions of Windows and commonly monitored for abuse.