GCIH · Question #620
An attacker compromises a host and runs the following commands. What did the attacker do?
The correct answer is D. A log file was edited. The commands shown represent a log file editing technique commonly used by attackers as an anti-forensics measure to erase evidence of their activity from system audit logs.
Question
An attacker compromises a host and runs the following commands. What did the attacker do?
Options
- AA tunnel was created
- BA password was cracked
- CA file was hidden
- DA log file was edited
How the community answered
(25 responses)- A12% (3)
- B24% (6)
- C8% (2)
- D56% (14)
Why each option
The commands shown represent a log file editing technique commonly used by attackers as an anti-forensics measure to erase evidence of their activity from system audit logs.
Creating a tunnel requires commands that establish a persistent network channel using tools such as SSH port forwarding, netcat listeners, or socat, not commands that write or modify text-based files.
Password cracking involves running dedicated tools like hashcat or John the Ripper against captured hash files, not in-place file editing commands targeting existing system files.
Hiding a file on Linux typically involves renaming it with a leading dot, moving it to an obscure directory, or using steganography tools - not overwriting or modifying an existing file's contents.
Attackers routinely use shell commands such as 'sed -i', file truncation with '>', or direct 'echo' overwrites to modify or clear log files like /var/log/auth.log or /var/log/syslog to remove evidence of logins, command execution, or lateral movement. This anti-forensics technique, classified under MITRE ATT&CK T1070.002, is a standard post-exploitation step to hinder incident response and forensic analysis.
Concept tested: Attacker anti-forensics log tampering via shell commands
Source: https://attack.mitre.org/techniques/T1070/002/
Topics
Community Discussion
No community discussion yet for this question.