GCIH Exam Questions
829 real GCIH exam questions with expert-verified answers and explanations. Page 16 of 17.
- Question #763Vulnerability Exploitation & Privilege Escalation
A security examiner has been given permission by senior management to conduct a password audit. What should the examiner ensure after the process completes?
password auditingcredential managementpot filesoperational security - Question #764Reconnaissance, Scanning, and Enumeration
What is downloaded when the following command is executed? $ bucket_finder.rb words --download
S3 bucket enumerationbucket_findercloud storageAWS reconnaissance - Question #765Vulnerability Exploitation & Privilege Escalation
Which Windows process would an attacker target to steal credentials from a user who logs into applications with a Password Manager?
LSASScredential theftpassword managerWindows process - Question #766Incident Response & Cyber Kill Chain
What is the first decision point of an incident investigation?
incident investigationdecision pointsverificationincident response process - Question #767Web Application Attacks & Post-Exploitation
A victim visits a website that allows authenticated users to upload articles for other users to read. The victim logs in and clicks a link on the website's home page for a newly po...
stored XSScross-site scriptingweb application vulnerabilitymalicious code injection - Question #768Incident Response & Cyber Kill Chain
While examining multiple compromised systems, an investigator lists a priority for each machine based on executive input and the type of service and data each machine provides the...
triagingincident prioritizationinvestigative techniquecompromised systems - Question #769Incident Response & Cyber Kill Chain
Which activity helps readdress security tasks identified in past incident reports?
follow-up reviewafter actionsecurity tasksincident reporting - Question #770Vulnerability Exploitation & Privilege Escalation
Which of the following programs is used by John the Ripper to merge the /etc/passwd and /etc/shadow files?
John the Ripperunshadowpasswd shadow mergepassword cracking - Question #771Reconnaissance, Scanning, and Enumeration
What is the Linux administrator doing with the commands below? $ rpcclient -U fezzik florin rpcclient $> enumdomusers
rpcclientenumdomusersSMB enumerationWindows user enumeration - Question #772Reconnaissance, Scanning, and Enumeration
Which of the following can the rpcclient application do?
rpcclientSMBWindows interoperabilityRPC - Question #773Cloud Incident Response & Threat Hunting
An attacker with GCP cloud administrative access uses the Google gcloud and gsutil utilities to create a backup of a sensitive database for download. How would this attack be ident...
GCP audit logscloud forensicsgcloud gsutildata exfiltration detection - Question #774Reconnaissance, Scanning, and Enumeration
What task is a Windows administrator performing with the command below, executed from a file server with an IP address of 46.95.101.82? C:\> net session \\46.95.101.109 /del
net sessionSMB sessionWindows networkingsession management - Question #775Malware Analysis & Advanced Persistent Threats
How does the use of endpoint application allow lists impact malware attacks against the system?
application allowlistingmalware evasionobfuscationendpoint security - Question #776Malware Analysis & Advanced Persistent Threats
Which volatility plugin shows information about listening and closed sockets?
volatilitynetscan pluginmemory forensicsnetwork sockets - Question #777Vulnerability Exploitation & Privilege Escalation
What password characteristic could you require to eliminate the use of LANMAN hashes and restrict the local authentication to NT in a modern Windows system?
LANMAN hashNT hashpassword length policyWindows authentication - Question #778Incident Response & Cyber Kill Chain
What shortcoming of the traditional PICERL incident response model is addressed by adopting a dynamic incident response model like DAIR?
PICERLDAIRdynamic incident responselinear model limitation - Question #779Reconnaissance, Scanning, and Enumeration
Which activity is considered a direct and riskier form of reconnaissance?
active reconnaissancenmap scanpassive vs active reconrisk comparison - Question #780Web Application Attacks & Post-Exploitation
Which of the following SSH commands will start a SOCKS proxy server on the local system?
SSH SOCKS proxydynamic port forwardingtunnelingpivoting - Question #781Reconnaissance, Scanning, and Enumeration
Which of the following user accounts is the default Administrator account?
Windows admin accountsSID enumerationaccount identificationdefault credentials - Question #782Web Application Attacks & Post-Exploitation
A web application receives the following input from a malicious request. What is the attacker attempting to do? select accountbalance from user where name = jake' OR 'z'='z';
SQL injectionauthentication bypasstautology attackdatabase enumeration - Question #783Vulnerability Exploitation & Privilege Escalation
Which command is an indication of post-exploitation persistence?
post-exploitationpersistenceprivilege escalationmeterpreter - Question #784Reconnaissance, Scanning, and Enumeration
What is the purpose of the application rpcclient?
rpcclientSMB enumerationnetwork toolsWindows shares - Question #785Web Application Attacks & Post-Exploitation
Analyze the included screenshot. What is a best practice to mitigate against this type of event?
SQL injection mitigationparameterized queriesinput validationsecure coding - Question #786Reconnaissance, Scanning, and Enumeration
Why is a nmap SYN scan useful for network scanning?
nmapSYN scanstealth scanninghalf-open scan - Question #787Cloud Incident Response & Threat Hunting
After running the command shown below, which output field contains the user's cleartext account name? aws sts get-caller-identity
AWS STSIAM identitycloud enumerationARN - Question #788Vulnerability Exploitation & Privilege Escalation
What action is being performed in the following session?
Active Directorycredential dumpingNTDSpassword hashes - Question #789Reconnaissance, Scanning, and Enumeration
What goal would an attacker achieve with the following Set of commands?
target discoverynetwork reconnaissancehost enumerationping sweep - Question #790Reconnaissance, Scanning, and Enumeration
What does the following command do? nc -v -z 192.168.40.90 1-1024
netcatport scanningwell-known portsbanner grabbing - Question #791Incident Response & Cyber Kill Chain
Which of the following is shown in the screenshot?
RITAanomaly detectionnetwork traffic analysisthreat hunting - Question #792Incident Response & Cyber Kill Chain
Which of the following will record web sites visited and web applications used for incident response analysis?
Squid proxyweb loggingincident responseforensic evidence - Question #793Incident Response & Cyber Kill Chain
What does the term any instruct tcpdump to capture in the following command? tcpdump -A -i any 'port 21 && host 192.168.100.1'
tcpdumppacket capturenetwork interfacetraffic analysis - Question #794Malware Analysis & Advanced Persistent Threats
A Windows workstation was clean a few days ago but now appears to be infected. Based on results from tasklist, which was run last week, which connection or connections shown in net...
malware detectionprocess analysislsass injectiontasklist forensics - Question #796Web Application Attacks & Post-Exploitation
What is a common characteristic of both a watering hole attack and a drive-by attack?
watering hole attackdrive-by downloadbrowser exploitationclient-side attacks - Question #797Vulnerability Exploitation & Privilege Escalation
What password attack uses a stolen password breach list?
credential stuffingpassword attacksbreach listsaccount takeover - Question #798Malware Analysis & Advanced Persistent Threats
Which of the following describes code wrapping?
code wrappingmalware obfuscationscript embeddingevasion technique - Question #799Reconnaissance, Scanning, and Enumeration
Based on the results below what type of nmap scan was run?
nmapOS detectionscan type identificationTCP/IP fingerprinting - Question #800Web Application Attacks & Post-Exploitation
A victim browses to a news aggregator website through a link sent to them by an attacker. The attacker then alters the page delivered to the victim's browser and includes malicious...
reflected XSScross-site scriptingbrowser injectionweb vulnerability - Question #801Reconnaissance, Scanning, and Enumeration
Which Windows command cruted the output below?
netstatestablished connectionsWindows commandsTCP enumeration - Question #802Vulnerability Exploitation & Privilege Escalation
An attacker at IP address 11.22.33.44 set up a reverse shell so he could execute commands on a server (internal IP address 192.168.20.21) that sits behind a site firewall blocking...
reverse shellnetcatfirewall bypassoutbound tunneling - Question #803Cloud Incident Response & Threat Hunting
With what frequency does the AWS API Gateway assign a new IP address?
AWS API GatewayIP rotationcloud evasionreconnaissance - Question #804Reconnaissance, Scanning, and Enumeration
Which of the following describes OSINT?
OSINTpassive reconnaissanceinformation gatheringopen source intelligence - Question #805Reconnaissance, Scanning, and Enumeration
Using the command below, to which share will the user be connected on 192.168.99.10? C:\> net use \\192.168.99.10
net useIPC$Windows admin sharesSMB - Question #806Cloud Incident Response & Threat Hunting
Which would be the ideal system for conducting analysis during cloud investigations?
cloud forensicsservice accountsinvestigation isolationforensic environment - Question #807Web Application Attacks & Post-Exploitation
What type of attack is being attempted in the following image?
SQL injectionweb attack identificationattack classificationweb application - Question #808Incident Response & Cyber Kill Chain
How should an incident handler classify the following event shown in the output below?
SQL injectionincident classificationevent analysisweb attacks - Question #809Malware Analysis & Advanced Persistent Threats
An administrator runs the following command. What should be their next step based on the output shown?
Base64 encodingprocess analysisPowerShell obfuscationmalware triage - Question #810Incident Response & Cyber Kill Chain
What would a forensic analyst extract from the following registry key? HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SRUM\Extensions
SRUMregistry forensicsWindows artifactssystem activity logging - Question #811Incident Response & Cyber Kill Chain
What can be inferred from the results below?
log analysisadministrative accountsprivilege detectionaccount investigation - Question #812Incident Response & Cyber Kill Chain
What is an incident handler looking for when executing the PowerShell command below? Get-ItemProperty 'HKLM:Software\Microsoft\Windows\CurrentVersion\Run'
registry run keypersistenceautostart programsPowerShell forensics - Question #813Malware Analysis & Advanced Persistent Threats
How do DNS tunneling tools like DNSCat2 avoid DNS caching?
DNS tunnelingDNSCat2C2 communicationcache evasion