A penetration tester is cleaning up and covering tracks at t

A penetration tester is cleaning up and covering tracks at t - CompTIA Pentest+ PT0-003

Question

A penetration tester is cleaning up and covering tracks at the conclusion of a penetration test. Which of the following should the tester be sure to remove from the system? (Choose two.)

Answers

correct

Spawned shells
correct

Created user accounts
Server logs
Administrator accounts
Reboot system
ARP cache

Explanation

Correct Answers:A. Spawned shells B. Created user accounts

At the conclusion of a penetration test, a tester must remove any artifacts left behind to avoid leaving security risks. This is part of ethical penetration testing best practices.

Spawned shells
- Any backdoors, shells, or remote access mechanisms should be removed to ensure the system is returned to its original state.
- These could allow unintended access if not cleaned up.
Created user accounts
- If the tester created dummy accounts or privilege-escalation accounts, these must be removed to prevent unauthorized future access.

Why the Other Options Are Incorrect:

Server logs

Ethical penetration testers should NOT delete logs because they are important for incident response and auditing.
Instead, they should report any modified logs to the client.

Administrator accounts

A penetration tester should not delete legitimate admin accounts.
If a new admin account was created for testing purposes, that should be removed, but legitimate ones must remain.

Reboot system

Rebooting alone does not effectively cover tracks and may even alert the client to suspicious activity.
Some persistence techniques might survive a reboot.

ARP cache