nerdexam
GIAC

GCIH · Question #436

Analyze the image below. In which stage of the attack process is the attacker operating?

The correct answer is D. Covering tracks. Covering tracks is the attack phase where the attacker attempts to hide evidence of their intrusion by deleting logs, modifying timestamps, or removing artifacts.

Incident Response & Cyber Kill Chain

Question

Analyze the image below. In which stage of the attack process is the attacker operating?

Exhibit

GCIH question #436 exhibit

Options

  • AReconnaissance
  • BScanning
  • CKeeping access
  • DCovering tracks
  • EExploitation

How the community answered

(26 responses)
  • A
    4% (1)
  • C
    12% (3)
  • D
    81% (21)
  • E
    4% (1)

Why each option

Covering tracks is the attack phase where the attacker attempts to hide evidence of their intrusion by deleting logs, modifying timestamps, or removing artifacts.

AReconnaissance

Reconnaissance involves passively or actively gathering information about a target before any attack, not hiding post-compromise activity.

BScanning

Scanning involves probing targets for open ports, services, and vulnerabilities using tools like Nmap, which is a pre-exploitation activity.

CKeeping access

Keeping access (maintaining access/persistence) involves installing backdoors or RATs to retain a foothold, which occurs before the covering tracks phase.

DCovering tracksCorrect

Covering tracks involves actions taken by the attacker to conceal their presence and activities on a compromised system, such as clearing event logs, modifying audit records, or deleting command history. This phase occurs after the attacker has achieved their objectives and seeks to avoid detection and forensic analysis. It maps to MITRE ATT&CK Defense Evasion tactics such as T1070 (Indicator Removal).

EExploitation

Exploitation involves actively leveraging a vulnerability to gain unauthorized access, which occurs earlier in the attack lifecycle.

Concept tested: Ethical hacking attack lifecycle - covering tracks phase

Source: https://attack.mitre.org/tactics/TA0005/

Topics

#covering tracks#attack lifecycle#cyber kill chain#log manipulation

Community Discussion

No community discussion yet for this question.

Full GCIH Practice