Review logs and residual traces
Executing code and communicating over the network often leave log entries or other system and network forensic artifacts. An adversary can run their code to identify what is recorded under different conditions. This may lead them to change their code or to add further actions to it (such as deleting a record from a log).
Detection
Detectable by Common Defenses (Yes/No/Partial): No
Explanation: Adversary controls the test and defender likely has no visibility.
Difficulty for the Adversary
Easy for the Adversary (Yes/No): Yes
Explanation: Adversary has full control of environment to determine what level of auditing and traces exist on a system after execution.