Covering Tracks Practice

Understand how attackers attempt to hide activity and why these techniques are sensitive in professional testing.

1. Question

Which activity MOST clearly represents 'covering tracks' during an intrusion?

Documenting exploited vulnerabilities in a reportRemoving or altering log entries that record your actionsScanning for open ports on the perimeterRequesting scope clarification from the client

2. Question

Why is covering tracks generally restricted or heavily controlled in professional engagements?

It provides no useful information about attacker behaviorIt may destroy forensic evidence and disrupt incident responseIt is impossible to perform technicallyIt is required in all penetration tests by default

3. Question

If log tampering is explicitly in scope, what is the MOST responsible way to approach it?

Delete as many logs as possible to show maximum impactTarget a limited, clearly documented set of entries and preserve original evidence where possibleModify logs on unrelated systems to confuse defendersAvoid telling the client which logs were altered

4. Question

Which log source is MOST likely to reveal attempts to cover tracks on a Linux server?

/var/log/auth.log and shell history filesStatic HTML content logsPrinter spooler logsDNS cache entries on user workstations

5. Question

From a defender’s perspective, which control MOST helps detect attempts to cover tracks?

Disabling all system logs to reduce noiseCentralized, write-once logging with restricted accessAllowing all users to clear their own logsStoring logs only on local workstations

6. Question

An attacker clears the Windows Event Logs after an engagement. Which statement is MOST accurate in a professional context?

This is acceptable in any pentest because it proves impactThis is typically out of scope and can seriously harm the clientIt is required to avoid legal liability for the testerIt has no effect because logs are never used in investigations

7. Question

Which of the following is an example of 'log minimization' instead of full log deletion?

Rotating logs according to a standard retention policyConfiguring systems not to log any security eventsEncrypting logs so they cannot be readRandomly deleting log files from servers

8. Question

Why is it important to explain covering tracks techniques to clients even if you do NOT perform them?

To encourage them to disable logging for performanceTo help them prioritize controls that make such techniques harderTo scare them into buying more servicesTo justify not providing any technical detail in the report

9. Question

Which behavior is MOST suspicious from a covering tracks perspective on a database server?

Regular backup jobs executing according to scheduleAudit logs being disabled or truncated without a change ticketIncreased read traffic during business hoursUsers resetting their own passwords via SSO

10. Question

In a pentest, if you observe that logs are trivially modifiable by low-privilege users, what is the BEST way to report this?

As a low-severity cosmetic issueAs a finding that can significantly hinder incident response and support attacker stealthAs unrelated to security postureOnly as a note in the appendix

Score: 0.0 / 10 (0 of 10 correct)