Covering Your Tracks
To evade detection, attackers cover their tracks. To do this, they clean up logs, tools, and other traces that have been left on target machines by the exploit process.
One of the first things attackers consider when covering their tracks is how to make the tools, daemons, or Trojans that they will use for long-term access appear innocuous. Some tools, like Meterpreter, do this by inserting themselves into existing processes, using names similar to common harmless processes, or otherwise working to blend in with the normal behaviors and files found on the system.
Attackers also need to know how their tools interact with the system and where files are created in the exploit process so that they can be removed. Log files are not emptied completely, as this is suspicious; instead, the logs are modified to remove only the actions performed.
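Selective log editing of the kind described above can be made detectable by chaining each log line to the one before it. The following is an added example, not part of the original page: it assumes a log collector that holds the HMAC key and the latest chain tag off the monitored host, and the key, host names and log lines are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: the key and log lines are made up for this example.
KEY = b"example-key-held-on-the-collector"
SAMPLE_LOG = [
    "Jan 10 03:12:01 web01 sshd[811]: Accepted publickey for deploy from 192.0.2.10",
    "Jan 10 03:12:40 web01 sudo: deploy : COMMAND=/usr/bin/systemctl restart app",
    "Jan 10 03:13:05 web01 sshd[811]: Disconnected from user deploy 192.0.2.10",
    "Jan 10 03:20:00 web01 CRON[900]: (root) CMD (run-parts /etc/cron.hourly)",
]
GENESIS = b"\x00" * 32  # fixed starting value for the chain


def seal(lines, key):
    """Return (line, tag) records; each tag covers the line and the previous tag."""
    records, prev = [], GENESIS
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        records.append((line, tag))
        prev = tag
    return records


def verify(records, key, head):
    """Return the index of the first record that breaks the chain, or None.

    head is the latest tag as stored off-host; comparing against it catches
    records cut from the end, which leave the rest of the chain valid.
    """
    prev = GENESIS
    for i, (line, tag) in enumerate(records):
        good = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(good, tag):
            return i  # this line was edited, or a record before it was removed
        prev = tag
    if not hmac.compare_digest(prev, head):
        return len(records)  # chain is consistent but ends early
    return None


if __name__ == "__main__":
    records = seal(SAMPLE_LOG, KEY)
    head = records[-1][1]
    print("intact log:", verify(records, KEY, head))
    print("one entry removed:", verify(records[:1] + records[2:], KEY, head))
    print("last entry cut:", verify(records[:3], KEY, head))
```

The check only holds if the key and the head tag are stored where an intruder on the logged machine cannot reach them; otherwise the chain can simply be recomputed after editing.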
To cover network communication, attackers use secure network protocols to encrypt their traffic.