
GCIH Question #775: Real Exam Question with Answer & Explanation

The correct answer is B: An attacker must obfuscate their code and scripts. Application allow lists block unapproved binaries by hash or signature, forcing attackers to pivot to script-based attacks with obfuscation to evade policy enforcement.

Question

How does the use of endpoint application allow lists impact malware attacks against the system?

Options

  • A. An attacker must encrypt their attack tools
  • B. An attacker must obfuscate their code and scripts
  • C. An attacker must generate new code hashes
  • D. An attacker must modify their attack tool use

Explanation

Application allow lists block unapproved binaries by hash or signature, forcing attackers to pivot to script-based attacks with obfuscation to evade policy enforcement.

Common mistakes.

  • A. Encrypting an executable does not change the binary's path or hash as seen by the allow list policy, so it remains blocked regardless of encryption.
  • C. Generating a new binary with a different hash still produces a hash that is not on the allow list, so execution is still denied.
  • D. Modifying tool use is too vague and does not describe a specific technical bypass; obfuscation of scripts is the precise technique used to evade hash-based allow list enforcement.

Concept tested. Application allow list bypass via script obfuscation

Reference. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview
