Refer to the exhibit. An attacker gains access to the user's workstation and wants to find a file containing passwords. Which file is most likely to contain credentials?
Logon scripts may contain credentials for network resources.
Why this answer
Option C is correct because logon.bat scripts are commonly used in Windows environments to map network drives or perform startup tasks, and administrators often embed plaintext credentials in such scripts for automation. An attacker who compromises the workstation can read this batch file to extract stored passwords, making it a high-value target for credential theft.
Exam trap
EC-Council often tests the misconception that credentials are always stored in system databases like NTDS.dit or SAM, but the trap here is that attackers target easily accessible, plaintext files like logon scripts that users or administrators create for convenience.
How to eliminate wrong answers
Option A is wrong because the user profile (C:\Users\jdoe) contains personal files and settings but not typically stored credentials in plaintext; passwords are usually hashed and stored in the SAM hive, not in profile folders. Option B is wrong because the home directory on \\fileserver\home\jdoe is a network share that may contain user data but is not a default location for credential files; accessing it requires network authentication, and it is less likely to contain plaintext passwords than a local script. Option D is wrong because the Active Directory database (NTDS.dit) contains domain credential hashes, but it resides on a domain controller, not on the user's workstation, and an attacker with only local workstation access cannot directly read it without privilege escalation or network traversal.