GCIH Exam Questions
829 real GCIH exam questions with expert-verified answers and explanations. Page 17 of 17.
- Question #814Malware Analysis & Advanced Persistent Threats
Which of the following is a suspicious entry in the Volatility output attached?
Volatilitymemory forensicsorphan processesnetwork connection analysis - Question #815Vulnerability Exploitation & Privilege Escalation
Which step would an attacker likely take before using MSBuild.exe?
MSBuildLOLBinsC# payloadattack chain preparation - Question #816Vulnerability Exploitation & Privilege Escalation
Which tool can generate source code that can be used as a payload on a Windows system using the following command? msbuild.exe shellwrapper.csproj
msfvenomMSBuildpayload generationshellcode wrapper - Question #817Incident Response & Cyber Kill Chain
An analyst believes that an attacker used the built-in tool MSBuild to compile msfvenom code. What evidence can the analyst look for to test this theory?
MSBuildforensic evidenceLOLBinsliving off the land - Question #818Incident Response & Cyber Kill Chain
Which file is critical to remove from a domain controller after a password audit?
ntds.ditdomain controllerpassword auditcredential security - Question #819Reconnaissance, Scanning, and Enumeration
Which of the following commands will show programs set to autostart?
wmicautostart programspersistence detectionWindows enumeration - Question #820Incident Response & Cyber Kill Chain
What information security risk could be identified with the use of the DPAT tool?
DPATpassword auditingshared accountscredential analysis - Question #821Malware Analysis & Advanced Persistent Threats
An analyst finds that a malicious program contains the instructions add 10, eax followed by sub 10, eax. What technique was the attacker likely using?
ghostwritingcode obfuscationmalware evasionanti-analysis - Question #822Web Application Attacks & Post-Exploitation
How should an incident handler classify the following event shown in the output below?
directory traversalpath traversalweb attack classificationincident classification - Question #823Incident Response & Cyber Kill Chain
A Windows workstation was clean yesterday but now appears to be infected. Comparing the tasklist run at the last known good and the netstat run post event, which connection(s) in t...
process analysisnetstatmalware detectionWindows forensics - Question #824Reconnaissance, Scanning, and Enumeration
Which of the following accounts is an Administrator account?
Windows accountsprivilege identificationaccount enumerationActive Directory - Question #825Incident Response & Cyber Kill Chain
A popular forum for ICS professionals to discuss techniques includes code that loads scripts and ads from multiple external sites. How would an adversary leverage this forum to com...
watering-hole attackICS targetingdrive-by compromisespear phishing - Question #826Reconnaissance, Scanning, and Enumeration
An analyst notices a large amount of ICMP Time Exceeded packets logged on an outbound firewall interface. What is most likely occurring?
ICMPtraceroutenetwork reconnaissancepacket analysis - Question #827Vulnerability Exploitation & Privilege Escalation
Which of the following commands will immediately end a UNIX shell session without saving the history?
anti-forensicsbash historyevidence destructionLinux commands - Question #828Reconnaissance, Scanning, and Enumeration
An incident handler runs the following command on a Windows system. What information will be displayed? net localgroup administrators
Windows commandsnet localgrouplocal group enumerationprivilege enumeration - Question #829Vulnerability Exploitation & Privilege Escalation
An attacker compromises a user account on a Linux host. Running "sudo -l" gives the output shown in the screenshot. Which of the following commands would the attacker run next to c...
sudo exploitationLinux privilege escalationGTFOBinsgdb - Question #830Vulnerability Exploitation & Privilege Escalation
Analyze the sample of a report created with the DPAT tool. What conclusion can the analyst make?
DPATpassword analysispassword sharingpassword auditing - Question #831Reconnaissance, Scanning, and Enumeration
Which of the following is a purpose that an auditor would obtain a copy of the /etc/passwd file when performing a password audit of a linux machine?
/etc/passwdLinux user accountsaccount permission identificationpassword auditing - Question #832Reconnaissance, Scanning, and Enumeration
What does this command produce?
Windows enumerationdomain groupsnet commandsuser enumeration - Question #833Incident Response & Cyber Kill Chain
A company is acquiring another organization that has a single DNS server that is accessible to the internet. What is a good recommendation for the acquiring organization?
DNS securitysplit DNSDNS infrastructurezone transfer - Question #834Vulnerability Exploitation & Privilege Escalation
What john format should be specified to crack an 18 character Windows password?
password crackingNTLM hashJohn the RipperLANMAN limitations - Question #835Vulnerability Exploitation & Privilege Escalation
You have gained access to a Linux box. Which of the following methods would enable you to launch attacks against other systems and send the sessions back to your home PC (10.2.200....
netcat relaypivotingmkfifonetwork tunneling - Question #836Malware Analysis & Advanced Persistent Threats
Considering Volatility, why would psscan return more results than pslist?
Volatilitymemory forensicshidden processespsscan - Question #837Incident Response & Cyber Kill Chain
An organization has an SSH server that was compromised. Given the following evidence, what most likely occurred?
SSH compromisenetcat backdoorincident analysisbackdoor detection - Question #838Reconnaissance, Scanning, and Enumeration
For what purpose would an auditor obtain a copy of the /etc/passwd file for a password audit of a linux machine?
/etc/passwduser enumerationpassword auditLinux reconnaissance - Question #839Vulnerability Exploitation & Privilege Escalation
A consultant provides an organization with a report that contains their users' most popular passwords, data on password sharing, and a breakdown of password length by department. W...
DPATpassword reportingpassword analysis toolpassword auditing - Question #840Reconnaissance, Scanning, and Enumeration
Which command produced the following output?
net viewWindows enumerationSMB sharesnetwork reconnaissance - Question #841Incident Response & Cyber Kill Chain
Which of the processes, shown in the output below, should be prioritized for examination during live response? Command run: C:\> netstat -naob Output: see screen capture (irrelevan...
live responsenetstatsuspicious processesprocess analysis - Question #842Incident Response & Cyber Kill Chain
Which of the following statements describes the Volatility pstree plugin data shown in the image?
Volatilitymemory forensicsprocess treepstree plugin