GCIH Exam Questions
829 real GCIH exam questions with expert-verified answers and explanations. Page 10 of 17.
- Question #461Incident Response & Cyber Kill Chain
What is the primary goal of the Eradication phase of handling an incident?
eradication phaseincident phasesartifact removalincident handling - Question #462Incident Response & Cyber Kill Chain
In the event there is a disagreement on the events of the incident, how should it be handled in the final report?
incident reportdocumentationdissenting statementincident procedures - Question #463Incident Response & Cyber Kill Chain
You have responded to the breach of an internal file server that contains highly confidential strategic information. The attacker compromised the server and created a local adminis...
containmentbreach responseincident phasesRDP blocking - Question #464Malware Analysis & Advanced Persistent Threats
An attacker is tunneling TLS encrypted traffic within ICMP echo and reply packets. How will most network appliances see this?
ICMP tunnelingcovert channeltraffic obfuscationprotocol encapsulation - Question #465Reconnaissance, Scanning, and Enumeration
An administrator needs to repeatedly scan a very large network with thousands of hosts, what is the best way of accomplishing this very quickly?
Masscannetwork scanninghost discoveryscanning tools - Question #466Malware Analysis & Advanced Persistent Threats
You are a member of your organization's IT Security Team. The following were found in the hosts file on a Windows workstation that is on your network. The system administrator thou...
hosts file modificationDNS hijackingmalware indicatorsWindows forensics - Question #467Vulnerability Exploitation & Privilege Escalation
An attacker issues the command shown below. Which of the following best describes what the attacker is attempting to do? C:\> nc.exe '"L '"p 43567 '"e cmd.exe
netcatbind shellcommand executionbackdoor - Question #468Incident Response & Cyber Kill Chain
How can you minimize your chances of a mistake, such as not notifying a required party, being made during an incident response?
incident proceduresincident handlingdocumentationresponse preparation - Question #469Reconnaissance, Scanning, and Enumeration
What command would you issue on a Windows 7 system in order to list the open TCP and UDP ports and connections to these ports?
netstatopen portsWindows commandsnetwork connections - Question #470Malware Analysis & Advanced Persistent Threats
Mike uncovers malware on a web server that is triggering 100% CPU utilization which prevents other processes from launching. What category of Denial of Service attacks does he plac...
local DoSCPU exhaustionresource exhaustionmalware impact - Question #471Vulnerability Exploitation & Privilege Escalation
Which tool can sniff probe requests from a wireless client, pretend to be the client's legitimate access point, and offer fake network services to the client?
Karmetasploitevil twinwireless attacksprobe requests - Question #472Incident Response & Cyber Kill Chain
By default, many Unix systems store the system logs in what format?
Unix loggingASCII formatsysloglog analysis - Question #473Incident Response & Cyber Kill Chain
You have identified a virus that has quickly spread throughout your organization through fileshares. You have isolated the server that was the source of the infection, and you're w...
incident triagehelp desk proceduresvirus outbreakcontainment coordination - Question #474Incident Response & Cyber Kill Chain
You're the lone incident handler at an online-only small business. Monday morning, your email box contains four incidents that have been identified by the company's systems adminis...
incident prioritizationtriageactive compromisethreat severity - Question #475Incident Response & Cyber Kill Chain
Why should you inform incident handling team members in advance of their joining the team that they may be required to testify in a court of law?
legal proceedingsincident handler responsibilitiescourt testimonyincident documentation - Question #476Vulnerability Exploitation & Privilege Escalation
Which approach is recommended to prevent a DoS condition due to account lockouts as a result of a password guessing attack?
account lockoutpassword guessingbrute force preventioncredential attacks - Question #477Malware Analysis & Advanced Persistent Threats
Which of the following is a characteristic of metamorphic worm code?
metamorphic malwareworm behaviorcode mutationmalware classification - Question #478Malware Analysis & Advanced Persistent Threats
Which security practice is most likely to reduce worm infections?
worm preventionsecurity awarenessmalware defenseuser education - Question #479Malware Analysis & Advanced Persistent Threats
Which TCP header field is used by Covert_TCP to conceal ASCII data?
Covert_TCPTCP sequence numbercovert channeldata exfiltration - Question #480Vulnerability Exploitation & Privilege Escalation
Which of the following is vulnerable to a dictionary-based, password-cracking attack against wireless networks using WPA and pre-shared keys?
WPA2pre-shared keydictionary attackwireless security - Question #481Reconnaissance, Scanning, and Enumeration
What is the best practice for analyzing network traffic in a production environment to minimize the risks associated with such activities?
network traffic analysistcpdumpwiresharkprivilege separation - Question #482Reconnaissance, Scanning, and Enumeration
Which version or versions of the SSH protocol are vulnerable to man in the middle attacks using Dsniff?
SSH protocolman-in-the-middleDsniffprotocol vulnerability - Question #483Incident Response & Cyber Kill Chain
Examine the image below. Which of the following directories should be examined for suspicious entries?
hidden directoriesfile system forensicssuspicious entriesrootkit detection - Question #484Malware Analysis & Advanced Persistent Threats
What capability does a GRE tunnel provide to a bot herder communicating with his bots?
GRE tunnelbotnet C2network tunnelingbot herder - Question #485Incident Response & Cyber Kill Chain
A successful phishing attack led to multiple user workstations being infected with command and control malware. Which of the following would be an effective short-term containment...
incident containmentC2 malwareVLAN isolationphishing response - Question #486Vulnerability Exploitation & Privilege Escalation
How is exploiting a buffer overflow in a Linux SUID program owned by root different from exploiting other programs?
buffer overflowSUID privilege escalationLinux exploitationarbitrary code execution - Question #487Incident Response & Cyber Kill Chain
You are investigating an incident on a workstation that you suspect is compromised after the user opened an executable in an email. The workstation is used for email, internet acce...
netstatsuspicious network connectionscompromised workstationC2 traffic identification - Question #488Incident Response & Cyber Kill Chain
Your organization has suffered several leaks of internally distributed documents. They have asked you to track down the culprit. You are embedding a four-letter string of character...
document watermarkingIDS signaturedata leakage detectioncanary tokens - Question #489Reconnaissance, Scanning, and Enumeration
Which of the following commands could a Windows administrator use to hardcode the MAC address for host 10.1.12.23 on his workstation?
ARP tableMAC address spoofingWindows networkingarp -s command - Question #490Incident Response & Cyber Kill Chain
A server was infected by malware and controlled by an attacker for six months. The server was recovered and returned to production. Which of the following would provide the most ef...
post-incident monitoringroot cause analysisthreat intelligencerecovery planning - Question #491Incident Response & Cyber Kill Chain
During which Incident Handling phase would steps for preventing successful worm attacks occur, such as developing patch management and file encryption policies and processes?
incident handling phasespreparation phasepatch managementworm defense - Question #492Malware Analysis & Advanced Persistent Threats
Which command will reveal the contents of slackspace.txt? C:\> notepad C:\Users\tadams\Documents\GCIH_update.txt:slackspace.txt
NTFS alternate data streamsslack spaceWindows forensicsdata hiding - Question #493Incident Response & Cyber Kill Chain
As an incident handler, you are responding to a server breach and have gathered the following information: An attacker can execute code of his/her choice on a vulnerable system tha...
incident scopingserver breach assessmentinitial triageaffected systems - Question #494Vulnerability Exploitation & Privilege Escalation
Eve and Alice have the same 8 character password of 'password' for their Linux accounts. A simplified entry from /etc/shadow is displayed below. Which of the following explains why...
password hashingMD5 saltLinux shadow filecryptographic salting - Question #495Incident Response & Cyber Kill Chain
During which phase of the incident response process do you define and implement your general defenses against Netcat?
incident handling phasespreparation phaseNetcat defensepolicy development - Question #496Web Application Attacks & Post-Exploitation
Examine the image below. Which of the following defensive measures could be taken to control the activity?
input sanitizationweb application defenseIDS signaturescript injection - Question #497Incident Response & Cyber Kill Chain
A Linux server which is in the scope of an Incident Response you are performing has been rebuilt and tested by the accounting department. The accounting department is the business...
IR governancebusiness owner authorityincident decision-makingdocumentation - Question #498Reconnaissance, Scanning, and Enumeration
Which servers should be allowed to perform zone transfers from your primary DNS server?
DNS zone transfersecondary DNSDNS securityDNS hardening - Question #500Web Application Attacks & Post-Exploitation
Analyze the following command. What will this command do? $ nc -1 -p 443 -e /bin/csh
Netcatbind shellport 443backdoor listener - Question #501Reconnaissance, Scanning, and Enumeration
Which of the following will best protect your network from being mapped by untrusted, external sources, while still allowing trusted sources to verify network connectivity with pin...
ICMP filteringperimeter securitynetwork mapping defensetrusted sources - Question #502Incident Response & Cyber Kill Chain
The Kratla Company deploys laptops running Windows or Mac OS to their employees, who connect via VPN. What tool can the incident response team use to centrally gather critical logs...
GRR Rapid Responseremote forensicsvolatile data collectioncentralized logging - Question #503Web Application Attacks & Post-Exploitation
What step would mitigate the risk of the specific type of the web attack that produced the web server logs presented below?
authentication enumerationerror message consistencybrute force detectionweb server logs - Question #504Incident Response & Cyber Kill Chain
Which of the following is most likely to be an Indicator of Compromise (IOC)?
indicators of compromisespywaredata exfiltrationIOC identification - Question #505Incident Response & Cyber Kill Chain
Analyze the screenshot below. Based on the information, how will you classify this?
event vs incident classificationtraffic analysismisconfigurationincident triage - Question #506Vulnerability Exploitation & Privilege Escalation
Which of the following files would an attacker alter to remove evidence of the most recently typed commands on a Linux system?
bash_historyanti-forensicsLinux log tamperingevidence removal - Question #507Incident Response & Cyber Kill Chain
Which activity would be conducted as part of the containment phase?
containment phasenetwork segmentationincident response lifecyclecompromised host isolation - Question #508Incident Response & Cyber Kill Chain
In an attempt to contain an incident, the response team shut down a critical server without communicating with the Network Operations team. This led to upset management, poor custo...
lessons learnedpost-incident reviewprocess improvementincident communication - Question #509Malware Analysis & Advanced Persistent Threats
Which of the following would be a recommended containment measure taken to prevent a bot infected system from communicating over command and control channels?
botnet C2egress firewallcontainment measuresnetwork-level blocking - Question #510Incident Response & Cyber Kill Chain
What kind of traffic does an egress anti-spoof filter drop?
egress anti-spoofingIP spoofing defenseoutbound filteringnetwork defense - Question #511Incident Response & Cyber Kill Chain
During the lessons learned phase which of the following represents the best choice for what you should do to resolve the issue(s) that caused an incident?
lessons learned phasemanagement communicationroot cause remediationincident reporting