During a penetration testing engagement, you have established persistent access on a target system. Which of the following methods is the BEST to mask your continued presence from the system administrators?
Frequently changing file and directory permissions to maintain access
Disabling all logging services on the target system
Cleaning all log files daily to remove any trace of unauthorized access
Renaming all penetration testing tools with system default process names
Installing a rootkit to conceal the presence of your tools and activities
Hosting all backdoor connections on non-standard ports to avoid attention
A rootkit is the most effective of the listed options because it hides the tester's footprint at the layer the administrators' own tools rely on. A user-land rootkit hooks library calls such as readdir(), and a kernel rootkit hooks the system calls themselves, so the operating system returns filtered results that omit the tester's processes, files, network connections, and log entries. Because the concealment happens inside the interfaces that ps, ls, netstat, and log viewers depend on, ordinary host monitoring does not see the discrepancy. Note that in a real engagement a rootkit is only used when the rules of engagement explicitly permit it, and it must be fully removed and documented at the end of the test.

The other options are weaker because each leaves a detectable signal. Cleaning log files daily may remove evidence of access, but the resulting gaps and truncated logs are themselves an indicator that administrators and SIEM rules look for. Disabling logging services is even more conspicuous, since log sources that stop updating raise immediate suspicion. Hosting backdoors on non-standard ports only affects how the network traffic looks and does nothing to hide the tester's processes and files on the host. Renaming tools with system process names does not change their behavior, hashes, or network activity, so endpoint and network monitoring still detect them. Frequently changing file and directory permissions is unusual activity in its own right and is likely to be scrutinized rather than overlooked.
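The following is an added example, not part of the original question or its explanation, showing the check a defender runs against the hiding technique described above. A user-land rootkit that hooks libc's readdir() can hide files from ls, but the raw getdents64 system call bypasses libc, so any name the kernel reports that readdir() omits is a sign of tampering (a "cross-view" check of the kind rootkit detectors perform). The program assumes Linux; the `.rk_` filename prefix, the `simulated_hide_prefix` knob that mimics a hooked readdir(), and the scratch directory it creates are all constructed for this illustration. A kernel rootkit that hooks getdents64 itself would fool both views, which is why this check is only useful against user-land hooks.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define MAX_NAMES 4096
#define NAME_LEN  256

/* Record layout getdents64 writes into the caller's buffer (see getdents(2)). */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

static void add_name(char (*names)[NAME_LEN], int *n, const char *name) {
    if (*n >= MAX_NAMES) return;
    snprintf(names[*n], NAME_LEN, "%s", name);
    (*n)++;
}

/* View 1: ask the kernel directly through the getdents64 syscall, bypassing libc. */
static int list_via_syscall(const char *path, char (*names)[NAME_LEN]) {
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[32768];
    int n = 0;
    for (;;) {
        long nread = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (nread <= 0) break;
        for (long pos = 0; pos < nread;) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + pos);
            add_name(names, &n, d->d_name);
            pos += d->d_reclen;
        }
    }
    close(fd);
    return n;
}

/* View 2: libc readdir(), the interface an LD_PRELOAD rootkit typically hooks.
   hide_prefix is a SIMULATION knob for this example only: when non-NULL, names
   starting with it are dropped, which is exactly what a hooked readdir() does
   to the rootkit's own files. Pass NULL to compare the real libc view. */
static int list_via_libc(const char *path, char (*names)[NAME_LEN], const char *hide_prefix) {
    DIR *dir = opendir(path);
    if (!dir) return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(dir)) != NULL) {
        if (hide_prefix && strncmp(e->d_name, hide_prefix, strlen(hide_prefix)) == 0)
            continue;
        add_name(names, &n, e->d_name);
    }
    closedir(dir);
    return n;
}

static int contains(char (*names)[NAME_LEN], int n, const char *name) {
    for (int i = 0; i < n; i++)
        if (strcmp(names[i], name) == 0) return 1;
    return 0;
}

/* Cross-view check: count (and print) entries the kernel reports that libc does
   not. 0 means the views agree; >0 is the signature of a user-land rootkit.
   Returns -1 if the directory cannot be read. */
int count_hidden_entries(const char *path, const char *simulated_hide_prefix) {
    char (*sys_names)[NAME_LEN]  = calloc(MAX_NAMES, NAME_LEN);
    char (*libc_names)[NAME_LEN] = calloc(MAX_NAMES, NAME_LEN);
    int hidden = -1;
    if (sys_names && libc_names) {
        int ns = list_via_syscall(path, sys_names);
        int nl = list_via_libc(path, libc_names, simulated_hide_prefix);
        if (ns >= 0 && nl >= 0) {
            hidden = 0;
            for (int i = 0; i < ns; i++)
                if (!contains(libc_names, nl, sys_names[i])) {
                    printf("hidden from readdir(): %s/%s\n", path, sys_names[i]);
                    hidden++;
                }
        }
    }
    free(sys_names);
    free(libc_names);
    return hidden;
}

/* Constructed sample input: a scratch directory holding an ordinary file and one
   file named with the hypothetical rootkit prefix. Caller frees the returned path. */
char *make_sample_dir(void) {
    char tmpl[] = "/tmp/rkcheck-XXXXXX";
    char *dir = mkdtemp(tmpl);
    char local[] = "./rkcheck-XXXXXX";
    if (!dir) dir = mkdtemp(local);      /* fall back to the working directory */
    if (!dir) return NULL;
    char p[512];
    snprintf(p, sizeof p, "%s/notes.txt", dir);
    close(open(p, O_CREAT | O_WRONLY, 0600));
    snprintf(p, sizeof p, "%s/.rk_backdoor", dir);
    close(open(p, O_CREAT | O_WRONLY, 0600));
    return strdup(dir);
}

int main(void) {
    char *dir = make_sample_dir();
    if (!dir) return 1;
    printf("real libc view:        %d hidden\n", count_hidden_entries(dir, NULL));
    printf("simulated hooked view: %d hidden\n", count_hidden_entries(dir, ".rk_"));
    free(dir);
    return 0;
}
```

On a clean system the real comparison reports 0 hidden entries; with the simulated hook active, the `.rk_backdoor` file appears in the syscall view but not the libc view and is reported as hidden. Tools such as unhide and chkrootkit apply the same idea to process IDs and sockets, comparing /proc with what ps and netstat return.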