A penetration tester is cleaning up and covering tracks at the conclusion of a penetration test. Which of the following should the tester be sure to remove from the system? (Choose two.)
Should be "spawned shells" and "created accounts":
Some common cleanup tasks can include, but are not limited to:
• Delete any new files you created from the affected systems.
• Remove any credentials or accounts you created from the affected systems.
• Restore any original configurations you modified.
• Restore any original files that you modified or otherwise compromised.
• Restore any log files you deleted.
• Restore any original log files you modified or otherwise compromised.
• Remove any shells, RATs, or other backdoors from the affected systems.
• Remove any additional tools you may have left on the affected systems.
• Purge any sensitive data exposed in plaintext.
• Restore a clean backup copy of any apps that you compromised.
The penetration tester should be sure to remove the spawned shells and server logs from the system. So the correct options are:
A. Spawned shells
C. Server logs
It is generally more important to remove spawned shells and server logs than user accounts.
Spawned shells should be removed first to ensure that no unauthorized access can be gained to the system in the future. These shells may have been created by the penetration tester during the test and could potentially be used by an attacker to gain access to the system.
Server logs should also be removed or cleaned up to ensure that no evidence of the penetration test remains on the system that could be used to trace the tester's activities. This is important to maintain the confidentiality of the test results and prevent any unintended consequences or negative impact on the organization being tested.
Yes, A and B are correct. During a penetration test, it is common practice for a tester to modify the logs to remove any evidence of the test or to make it more difficult for an attacker to detect their activities. This can be achieved by disabling logging of specific events, modifying the timestamps or other fields in the logs, or using tools that overwrite or scramble log data.
A. Spawned shells
B. Created user accounts
At the conclusion of a penetration test, it is important for the tester to clean up and cover tracks by removing any changes or modifications made to the system during the test. Two important things that the tester should be sure to remove are:
Spawned shells: Any shells created by the tester during the test should be removed to prevent unauthorized access to the system.
Created user accounts: Any user accounts created by the tester should be removed to prevent unauthorized access to the system.
It is important to note that options C, D, E, and F are not related to the task which is removing the changes or modifications made to the system during the test.
Server logs, Administrator accounts, and Rebooting the system are important but they are not related to covering tracks.
ARP cache is a table that contains the mappings of IP addresses to MAC addresses, which is used by the network to send packets to a specific host. It is not related to the task which is cleaning up and covering tracks at the conclusion of a penetration test.
• Removing shells: Remove any shell programs installed when performing the pentest.
• Removing tester-created credentials: Be sure to remove any user accounts created during the pentest. This includes backdoor accounts.
• Removing tools: Remove any software tools that were installed on the customer’s systems that were used to aid in the exploitation of systems.
PT0-002 Exam Questions
Community vote distribution: A (35%), C (25%), B (20%), Other