The use of a rootkit is a sophisticated method for maintaining access while avoiding detection since it can intercept and alter system calls and manipulate the normal behavior of the operating system to hide the presence of processes, files, network connections, and logs associated with the penetration tester's activities. The complexity and stealthiness of rootkits make them particularly effective at evading detection from system monitoring tools. Cleaning log files might remove evidence of initial access, but it's a detectable action and can alert administrators due to missing logs. Disabling logging could raise immediate suspicion when log files stop updating. Using non-standard ports could help to hide network traffic but does not cover tracks on the host system itself. Renaming tools with inconspicuous names does little to prevent detection from system or network monitoring, and frequent permission changes can be suspicious and are likely to be scrutinized.