nerdexam
GIAC

GCIH · Question #620

An attacker compromises a host and runs the following commands. What did the attacker do?

The correct answer is D. A log file was edited. The commands shown represent a log file editing technique commonly used by attackers as an anti-forensics measure to erase evidence of their activity from system audit logs.

Web Application Attacks & Post-Exploitation

Question

An attacker compromises a host and runs the following commands. What did the attacker do?

Options

  • AA tunnel was created
  • BA password was cracked
  • CA file was hidden
  • DA log file was edited

How the community answered

(25 responses)
  • A
    12% (3)
  • B
    24% (6)
  • C
    8% (2)
  • D
    56% (14)

Why each option

The commands shown represent a log file editing technique commonly used by attackers as an anti-forensics measure to erase evidence of their activity from system audit logs.

AA tunnel was created

Creating a tunnel requires commands that establish a persistent network channel using tools such as SSH port forwarding, netcat listeners, or socat, not commands that write or modify text-based files.

BA password was cracked

Password cracking involves running dedicated tools like hashcat or John the Ripper against captured hash files, not in-place file editing commands targeting existing system files.

CA file was hidden

Hiding a file on Linux typically involves renaming it with a leading dot, moving it to an obscure directory, or using steganography tools - not overwriting or modifying an existing file's contents.

DA log file was editedCorrect

Attackers routinely use shell commands such as 'sed -i', file truncation with '>', or direct 'echo' overwrites to modify or clear log files like /var/log/auth.log or /var/log/syslog to remove evidence of logins, command execution, or lateral movement. This anti-forensics technique, classified under MITRE ATT&CK T1070.002, is a standard post-exploitation step to hinder incident response and forensic analysis.

Concept tested: Attacker anti-forensics log tampering via shell commands

Source: https://attack.mitre.org/techniques/T1070/002/

Topics

#log tampering#anti-forensics#attacker TTPs#post-exploitation

Community Discussion

No community discussion yet for this question.

Full GCIH Practice