GCIH Exam Questions
829 real GCIH exam questions with expert-verified answers and explanations. Page 15 of 17.
- Question #713Reconnaissance, Scanning, and Enumeration
Which of the following is used by Nmap for identifying live hosts and devices as part of a network sweep?
NmapICMP Timestamphost discoverynetwork sweep - Question #714Cloud Incident Response & Threat Hunting
A company was a victim of bucket squatting. What process would help to prevent this type of attack?
bucket squattingcloud storageS3 securitycloud misconfiguration - Question #715Vulnerability Exploitation & Privilege Escalation
Which encryption algorithm was replaced with the introduction of the /etc/shadow file in the Linux OS?
DES/etc/shadowLinux password historycryptography - Question #716Incident Response & Cyber Kill Chain
What can a Linux administrator use to take advantage of RADIUS?
RADIUSPAMauthenticationLinux access control - Question #717Web Application Attacks & Post-Exploitation
An organization needs to protect its PHP web applications from Cross-Site Scripting attacks. Which action should they take?
XSSinput validationPHP securityweb defense - Question #718Incident Response & Cyber Kill Chain
An attacker has penetrated a network and is moving into the stage of pivoting throughout the network. Which defense mitigates this stage of the attack?
lateral movementpivotingnetwork segmentationdefense mitigation - Question #719Malware Analysis & Advanced Persistent Threats
The provided screenshot shows output from running the SysInternals "Strings" command against a suspected malware executable. Which of the following strings indicate that the attack...
persistenceWindows registrymalware analysisSysInternals Strings - Question #720Vulnerability Exploitation & Privilege Escalation
An engineer is using Hashcat to brute force passwords from a file of hashes. How should the following hash be handled in the scenario? 0843c6lee36fcdebcfec3333e62fe187
HashcatNT hashpassword crackinghash identification - Question #721Vulnerability Exploitation & Privilege Escalation
An attacker needs to relay SMB requests to another system outside of the local subnet using Responder. Which command arguments will achieve this goal?
SMB relayResponderNTLM relaycredential theft - Question #722Incident Response & Cyber Kill Chain
A spike in Event ID 4625 is found in Windows event logs. Looking at individual accounts across the domain, no more than 5 failed logins are found for any single account. What is a...
password sprayingEvent ID 4625Windows event logsanomaly detection - Question #723Reconnaissance, Scanning, and Enumeration
What is the size of the data transferred in the following Squid access log?
Squid proxyaccess logslog analysisproxy traffic - Question #724Web Application Attacks & Post-Exploitation
Inspecting developer code for functions like system, exec, and popen is recommended to reduce the likelihood of what type of public-facing attack?
command injectionsecure code reviewdangerous functionsOWASP - Question #725Reconnaissance, Scanning, and Enumeration
Which of the following is an example of a Berkeley Packet Filter (BPF) expression?
BPFpacket filteringtcpdumpnetwork capture syntax - Question #726Reconnaissance, Scanning, and Enumeration
A series of TCP packets are being sent from a DNS server to an external webserver over port 53. Based on the information given, what is most likely generating the traffic?
DNS zone transferport 53TCP DNSnetwork reconnaissance - Question #727Vulnerability Exploitation & Privilege Escalation
A penetration tester is using John the Ripper to audit the password strength of Linux systems. The systems use shadow passwords. What command will he run to unshadow the passwords...
password crackingunshadowshadow passwordsJohn the Ripper - Question #728Incident Response & Cyber Kill Chain
Which of the following natively supports SMB encryption?
SMB encryptionWindows Server 2012SMB3protocol hardening - Question #729Malware Analysis & Advanced Persistent Threats
Which persistence mechanism will evade detection by Sysinternals AutoRuns?
WMI persistenceAutoRuns evasionASEPadvanced persistence - Question #730Incident Response & Cyber Kill Chain
Which attack technique does the enabled setting in the screenshot mitigate?
LLMNR poisoningNBT-NScredential theft mitigationnetwork hardening - Question #731Incident Response & Cyber Kill Chain
A security team is actively monitoring windows event IDs 4634, 4688, and 4697. Which persistence mechanism will they detect with this approach?
Event ID 4697service creation detectionWindows auditingpersistence detection - Question #732Cloud Incident Response & Threat Hunting
Which RITA threat hunting functionality is used to identify C2 activity specific to Meterpreter?
RITAC2 beacon detectionMeterpreterlong-lived connections - Question #733Reconnaissance, Scanning, and Enumeration
What tcpdump parameter was used to produce the output on lines 2 and 3 shown below?
tcpdumpASCII output-A flagpacket capture - Question #734Vulnerability Exploitation & Privilege Escalation
Which netcat command will listen on port 2222 for connections from a remote system (10.0.0.1)?
netcatport listenerreverse shellnetwork tools - Question #735Cloud Incident Response & Threat Hunting
Which system is an attacker targeting by running the following command? PS > Invoke-MSOLSpray -UserList ./users.txt -Password Clippers22
MSOLSpraypassword sprayingMicrosoft 365cloud credential attack - Question #736Malware Analysis & Advanced Persistent Threats
A popular forum, where ICS techniques are discussed, loads scripts and ads from multiple external sites. Which attack can an adversary use to leverage this situation to attack this...
watering hole attackICS targetingdrive-by downloadtargeted attack - Question #737Incident Response & Cyber Kill Chain
What tool would an incident handler use to search for all autostart extensibility points (ASEPs) on a Windows host?
autorunsASEPSysinternalspersistence enumeration - Question #738Incident Response & Cyber Kill Chain
Which of the following actions can prevent the successful use of Metasploit against a Windows host?
application allowlistexploit preventionMetasploit defenseendpoint hardening - Question #739Malware Analysis & Advanced Persistent Threats
What action does the following command perform? C:\DefenderCheck.exe .\giac1.exe
DefenderCheckWindows DefenderAV bypassmalware analysis - Question #740Malware Analysis & Advanced Persistent Threats
The following screenshot is of a malicious file. Why is there a notice about upgrading Microsoft Word?
macro malwaresocial engineeringmacro enablementphishing lure - Question #741Vulnerability Exploitation & Privilege Escalation
Which of the following dumped hashes would be most useful to an attacker?
credential dumpingNTLM hashesWindows accountsprivilege escalation - Question #742Malware Analysis & Advanced Persistent Threats
An investigator performing an initial analysis of a memory image identified a suspicious URL while using the strings utility. A second investigator attempting to recreate the resul...
memory forensicsstrings utilityUnicode encodinglittle endian - Question #743Malware Analysis & Advanced Persistent Threats
The tools and techniques used in memory analysis closely resembles which other type of investigation?
memory analysismalware analysisvolatile forensicsdynamic analysis - Question #744Incident Response & Cyber Kill Chain
The following event snippet was recorded by which type of logging device? 1660582288.951 185 192.168.42.109 TCP_MISS/208 1856
web proxy logslog analysisTCP_MISSSquid proxy - Question #745Reconnaissance, Scanning, and Enumeration
Which of the following Metasploit module types would contain scanning capabilities?
Metasploitauxiliary modulesscanningenumeration - Question #746Vulnerability Exploitation & Privilege Escalation
Which of the following persistence techniques will be identified using the Autoruns utility?
persistence mechanismsAutorunsscheduled tasksWindows persistence - Question #747Vulnerability Exploitation & Privilege Escalation
What is the destination endpoint host for the SSH session shown below? ssh - L 1777:192.168.1.80:23 [email protected]
SSH tunnelinglocal port forwardingnetwork pivotinglateral movement - Question #748Incident Response & Cyber Kill Chain
During which phase of incident response would an analyst review the following data?
incident response phasespreparation phaseIR lifecyclePICERL - Question #749Incident Response & Cyber Kill Chain
Which of the following files would grow to a large size as a result of a brute force attack?
Linux authentication logsbtmpbrute force detectionfailed logins - Question #750Malware Analysis & Advanced Persistent Threats
Which malware investigation approach provides a detailed log of a system's file system, network, registry and process activities?
dynamic malware analysisbehavioral analysisprocess monitoringdebugging - Question #751Incident Response & Cyber Kill Chain
Which PowerShell cmdlet will display the command line parameters used to launch a Windows process?
PowerShell forensicsGet-CimInstanceprocess analysisWindows investigation - Question #752Cloud Incident Response & Threat Hunting
Which of the following logs could be queried to identify Azure, Amazon and Google storage use in an organization?
cloud storage detectionHTTP proxy logsshadow ITcloud service identification - Question #753Cloud Incident Response & Threat Hunting
Which Amazon AWS threat detection service monitors AWS accounts and workloads for malicious activity?
AWS GuardDutycloud threat detectionAWS securitymanaged detection - Question #754Vulnerability Exploitation & Privilege Escalation
What is the outcome of the command below? hashcat -m 0 -a 3 ntds.dat --potfile-path ntds.potfile -1 ?d?d?d?d?d?d
hashcatMD5 crackingbrute forcemask attack - Question #755Vulnerability Exploitation & Privilege Escalation
What hash type is being cracked in the command below? hashcat -m 1800 -a 0 customer.ntds wordlist.txt --potfile-path ./hashcat.potfile
hashcatSHA-512hash identificationpassword cracking - Question #756Reconnaissance, Scanning, and Enumeration
What would the following netcat command be used for? nc -V -W2 -z -p 53 192.168.193.33 21-112
netcatport scanningsource port spoofingnetwork reconnaissance - Question #757Incident Response & Cyber Kill Chain
What UNIX component can be used to enforce password complexity requirements?
PAMpassword complexityUnix authenticationsecurity hardening - Question #758Web Application Attacks & Post-Exploitation
Which web application log keyword would be associated with a SQL injection attack?
SQL injectionUNION keywordweb application logslog analysis - Question #759Malware Analysis & Advanced Persistent Threats
Which endpoint security bypass technique leverages existing system tools instead of adding executable?
Living Off the LandLOLBinsdefense evasionendpoint bypass - Question #760Reconnaissance, Scanning, and Enumeration
Based on the nmap data in the screenshot the analyst would choose which IP address for a DNS attack?
nmapDNS port 53target selectionnetwork reconnaissance - Question #761Reconnaissance, Scanning, and Enumeration
An attacker is hoping to discover as many IP addresses associated with a target domain as possible. Which command would be helpful?
DNS lookupnslookupIP enumerationdomain reconnaissance - Question #762Cloud Incident Response & Threat Hunting
The following output shows reconnaissance activity against which platform?
Azure reconnaissancecloud platform identificationthreat huntingcloud enumeration