GCIH Exam Questions
829 real GCIH exam questions with expert-verified answers and explanations. Page 13 of 17.
- Question #612Vulnerability Exploitation & Privilege Escalation
What makes setting the return pointer a difficult task when creating a buffer overflow exploit?
buffer overflowreturn pointerstack exploitationdynamic stack - Question #613Incident Response & Cyber Kill Chain
The following anomalous network flow was observed while running tcpdump on a firewall protecting DMZ web services on the 192.0.2.0/24 network. What conclusion can be drawn?
tcpdumpnetwork flow analysisbackdoor detectionpacket analysis - Question #614Incident Response & Cyber Kill Chain
Which of the following is the BEST set of methods one may use to validate a system once operations have been restored during the Recovery phase of Incident Handling?
incident recoverybaseline validationIR lifecyclesystem restoration - Question #615Vulnerability Exploitation & Privilege Escalation
What purpose would an attacker have for including TFTP commands in the payload of a buffer overflow exploit?
TFTPbuffer overflow payloadmalware downloadexploit staging - Question #616Incident Response & Cyber Kill Chain
Which of the following evidence container formats is an open source alternative that can provide metadata along with the image?
AFF4forensic image formatdigital evidenceopen source forensics - Question #617Vulnerability Exploitation & Privilege Escalation
What task is the Linux administrator performing with the command below? python dpat.py -n ../ntdsbak/customer.ntds -c ../ntdsbak/hashcat.potfile -g ../ntdsbak/*.txt
dpat.pyNTDSpassword auditcredential analysis - Question #618Reconnaissance, Scanning, and Enumeration
An analyst is reviewing a packet capture from a large sample of mixed protocols. Which of the following tcpdump Berkeley Packet Filter (BPF) filters would reduce the data set to th...
tcpdumpBPF filterNTPpacket capture - Question #619Incident Response & Cyber Kill Chain
Which of the following processes should be prioritized for examination during live response?
live responseprocess triagesuspicious processesWindows IR - Question #620Web Application Attacks & Post-Exploitation
An attacker compromises a host and runs the following commands. What did the attacker do?
log tamperinganti-forensicsattacker TTPspost-exploitation - Question #621Vulnerability Exploitation & Privilege Escalation
Which of the following can be used in a USB attack to bypass authentication by hijacking the password libraries on a Windows system?
USB HID attackauthentication bypassRubber DuckyWindows credentials - Question #622Web Application Attacks & Post-Exploitation
An attacker is launching an attack against an input field in a form that is used to retrieve restricted information that is filtered dependent upon the privileges of the logged in...
SQL injectionboolean conditiondatabase enumerationinput validation bypass - Question #623Incident Response & Cyber Kill Chain
An incident handler concluded that a recent breach could have been prevented with a software patch. In their report they recommended the organization perform regular vulnerability...
post-incident reviewpatch managementlessons learnedincident handling lifecycle - Question #624Incident Response & Cyber Kill Chain
An investigator is auditing a UNIX system and finds the following entry in the wtmp file. What does the entry indicate? test2 pts/1 202.69.197.99 Fri Apr 01 16:45
wtmp logsUNIX forensicslogin recordslog analysis - Question #625Incident Response & Cyber Kill Chain
An organization has an SSH server that was compromised, but later eradicated and recovered. The system disks were wiped clean, the OS reinstalled, and patches re-applied. After thi...
credential compromiseSSHincident eradicationrecovery gap analysis - Question #626Vulnerability Exploitation & Privilege Escalation
Which Microsoft tool can be used to mitigate the risk of an adversary reusing a stolen local administrator password hash?
LAPSpass-the-hashlocal administratorcredential management - Question #627Malware Analysis & Advanced Persistent Threats
Which endpoint security bypass technique modifies the assembly of an executable?
AV evasionghostwritingbinary modificationendpoint bypass - Question #628Malware Analysis & Advanced Persistent Threats
When copying a file that includes alternate data streams, what happens to the streams during the copying process?
NTFSalternate data streamsfile system behaviordata hiding - Question #629Web Application Attacks & Post-Exploitation
An attacker has determined a web application is running the SQL command shown below. What could she enter for VALUE to get a list of all email addresses in the employee table and a...
SQL injectionboolean injectionSQL syntaxdatabase exfiltration - Question #630Vulnerability Exploitation & Privilege Escalation
An engineer is using Hashcat to brute force passwords from a file of hashes. How should the following hash be handled in the scenario? aad3b435b51404eeaad3b435b51404ee
LM hashHashcatpassword crackingWindows authentication - Question #631Incident Response & Cyber Kill Chain
During which phase of incident response would an analyst review the data below?
IR phasesdetectionincident response lifecyclelog review - Question #632Reconnaissance, Scanning, and Enumeration
Which of the following 'net' commands will show the file shares available on a Windows system?
net commandsWindows enumerationfile sharesSMB - Question #633Vulnerability Exploitation & Privilege Escalation
How could an attacker set up a persistent backdoor listener to a login shell on TCP port 53 using netcat on a Linux system?
netcatpersistent backdoorcovert channelport 53 - Question #634Malware Analysis & Advanced Persistent Threats
As indicated in the following image, an analyst runs the dir and more commands. What can the analyst conclude about Judges.txt?
alternate data streamsNTFS forensicsWindowsdata hiding - Question #635Malware Analysis & Advanced Persistent Threats
What is the danger of downloading an .XLSM file from a website that is considered trustworthy by the user?
malicious macrosXLSMdocument-based malwaresocial engineering - Question #636Web Application Attacks & Post-Exploitation
Which tool can be used to exfiltrate data from a system that can only reach the remote host using ICMP?
ICMP tunnelingdata exfiltrationPtunnelcovert channel - Question #637Vulnerability Exploitation & Privilege Escalation
Which line in the following Ducky script is sent to approve the Windows UAC warning?
Rubber DuckyUAC bypassHID scriptingprivilege escalation - Question #638Malware Analysis & Advanced Persistent Threats
Which file type can be used to execute code in Excel without issuing a warning about opening a macro-supporting file type?
Excel macro evasionXLTMOffice file typesAV bypass - Question #639Incident Response & Cyber Kill Chain
A security examiner has been given permission by senior management to conduct a password audit. What should she make sure of after the process?
password auditauthorized testingcracked credentialspost-assessment handling - Question #640Vulnerability Exploitation & Privilege Escalation
What version of Windows natively supports SMB encryption?
SMB encryptionSMB3Windows versionsnetwork protocol security - Question #641Reconnaissance, Scanning, and Enumeration
Which of the following netcat commands will connect to tcp port 2222 on a remote system (10.0.0.1)?
netcatTCP connectioncommand-line toolsport connection - Question #642Reconnaissance, Scanning, and Enumeration
Jill ran the following command below against a DNS server. But the command did not work. What other command can Jill use to accomplish the same task?
DNS zone transferdig commandAXFRDNS enumeration - Question #643Malware Analysis & Advanced Persistent Threats
Which of the following commands will identify hidden file streams within the C:\Documents folder?
alternate data streamsLADSNTFShidden files - Question #644Incident Response & Cyber Kill Chain
Which of the following is a technique that can be used to reduce the amount of data to examine during an investigation?
file hashingknown-good hashforensic triagedata reduction - Question #645Vulnerability Exploitation & Privilege Escalation
An organization has enabled local account token filtering in the registry for workstations. What additional step do they need to take in order to defend against pass-the-hash attac...
pass-the-hashlocal administratortoken filteringlateral movement defense - Question #646Malware Analysis & Advanced Persistent Threats
What would an incident handler use the contents of the following registry key to determine? HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows registryRun keystartup persistenceautoruns - Question #648Reconnaissance, Scanning, and Enumeration
Observe the following command; what is the analyst doing?
service enumerationnetwork scanningport scanningSMB - Question #649Incident Response & Cyber Kill Chain
What happened in the following screenshot?
btmp logsLinux authenticationbinary log formatfailed logins - Question #650Reconnaissance, Scanning, and Enumeration
When would a web-based reconnaissance tool be preferred over a direct/local reconnaissance tool?
web-based reconnaissanceOSINToperational securitytraffic obfuscation - Question #651Reconnaissance, Scanning, and Enumeration
Which of the following network applications is better suited for using a connection-oriented protocol than a stateless protocol?
TCPSMBconnection-oriented protocolnetworking fundamentals - Question #652Reconnaissance, Scanning, and Enumeration
Why is a nmap ACK scan useful for network mapping?
nmap ACK scanfirewall detectionnetwork mappingTCP scanning - Question #653Web Application Attacks & Post-Exploitation
An incident handler sees the following lines in the shell history of a user on a machine: mknod test p nc -l -p 11111 0<test | nc 10.1.1.10 54321 1>test What did this user implemen...
netcat relaynamed pipepivotingshell history analysis - Question #654Vulnerability Exploitation & Privilege Escalation
An attacker has penetrated a network and is using lateral movement. Which defense will be effective?
lateral movementpassword hygienelocal administratorservice accounts - Question #655Incident Response & Cyber Kill Chain
Nathan is examining the security event log on a file server that contains sensitive data. He finds a number of Event ID 1234s with substatus code 0xC000006A. There are 4 or less fa...
password sprayingevent logssubstatus codesauthentication attacks - Question #656Malware Analysis & Advanced Persistent Threats
What is the result of unloading a process' forward and backwards links in memory?
DKOMprocess hidingEPROCESS listrootkit technique - Question #657Malware Analysis & Advanced Persistent Threats
Which of the following statements describes the data below from volatility's pstree plugin?
Volatilitypstreeprocess treememory forensics - Question #658Vulnerability Exploitation & Privilege Escalation
Which of the following Metasploit tools will generate a payload that can be introduced to a Windows system as shown in the image?
Metasploitmsfvenompayload generationshellcode - Question #659Reconnaissance, Scanning, and Enumeration
What is the goal of the command sequence shown below? >nslookup >server [authoritative_server_IP_or_name] >set type=any >ls -d [target_domain]
DNS zone transfernslookupAXFRDNS enumeration - Question #660Vulnerability Exploitation & Privilege Escalation
What can be used to link UNIX authentication with other mechanisms?
PAMUNIX authenticationpluggable authenticationLinux security - Question #661Incident Response & Cyber Kill Chain
Which UNIX log file contains information about currently logged in users?
UNIX log filesutmp/wtmpuser activity logslog analysis - Question #662Vulnerability Exploitation & Privilege Escalation
Which of the following actions can prevent the successful use of Metasploit against a Windows host?
Metasploitapplication whitelistingexploit preventionWindows hardening