GCIH · Question #436
Analyze the image below. In which stage of the attack process is the attacker operating?
The correct answer is D. Covering tracks. Covering tracks is the attack phase where the attacker attempts to hide evidence of their intrusion by deleting logs, modifying timestamps, or removing artifacts.
Question
Analyze the image below. In which stage of the attack process is the attacker operating?
Exhibit
Options
- AReconnaissance
- BScanning
- CKeeping access
- DCovering tracks
- EExploitation
How the community answered
(26 responses)- A4% (1)
- C12% (3)
- D81% (21)
- E4% (1)
Why each option
Covering tracks is the attack phase where the attacker attempts to hide evidence of their intrusion by deleting logs, modifying timestamps, or removing artifacts.
Reconnaissance involves passively or actively gathering information about a target before any attack, not hiding post-compromise activity.
Scanning involves probing targets for open ports, services, and vulnerabilities using tools like Nmap, which is a pre-exploitation activity.
Keeping access (maintaining access/persistence) involves installing backdoors or RATs to retain a foothold, which occurs before the covering tracks phase.
Covering tracks involves actions taken by the attacker to conceal their presence and activities on a compromised system, such as clearing event logs, modifying audit records, or deleting command history. This phase occurs after the attacker has achieved their objectives and seeks to avoid detection and forensic analysis. It maps to MITRE ATT&CK Defense Evasion tactics such as T1070 (Indicator Removal).
Exploitation involves actively leveraging a vulnerability to gain unauthorized access, which occurs earlier in the attack lifecycle.
Concept tested: Ethical hacking attack lifecycle - covering tracks phase
Source: https://attack.mitre.org/tactics/TA0005/
Topics
Community Discussion
No community discussion yet for this question.
