GCIH Exam Questions
829 real GCIH exam questions with expert-verified answers and explanations. Page 8 of 17.
- Question #361Vulnerability Exploitation & Privilege Escalation
Which of the following tools can be used to force password complexity in Linux?
PAMpassword complexityLinux authenticationaccess control - Question #362Reconnaissance, Scanning, and Enumeration
What will the following Enum command display? C:\> enum '"G 127.0.0.1 -
enum toolWindows enumerationgroup enumerationNetBIOS - Question #363Web Application Attacks & Post-Exploitation
A user is asking for an upgrade to Internet Explorer, because he constantly gets annoying windows popping up whenever he visits his online banking site from his laptop when on the...
DNS spoofingMITM attackSSL certificate warningsnetwork interception - Question #364Incident Response & Cyber Kill Chain
You are in the process of recovering from an incident where a web server and database server were severely compromised due to a lack of patching. Both servers have been rebuilt and...
incident recoverypatch managementpost-incident recommendationssystem restoration - Question #365Reconnaissance, Scanning, and Enumeration
Analyze the nmap results shown. What is the first step the security administrator should take?
nmapport scanningservice enumerationnetwork analysis - Question #366Incident Response & Cyber Kill Chain
If an accounting department's computer system was compromised, who should make the decision about when that system is put back into production?
incident response rolessystem ownerrecovery decisionIR governance - Question #367Reconnaissance, Scanning, and Enumeration
Which of the following commands would set up an administrative session with a remote system and mount 'one' on your system?
net useSMBWindows file sharingremote administration - Question #368Incident Response & Cyber Kill Chain
A helpdesk ticket has been escalated to the incident response team. According to the FIRST organization classification guidelines, during which incident response phase should the t...
incident classificationFIRST guidelinescontainment phaseIR documentation - Question #369Reconnaissance, Scanning, and Enumeration
Failing DNS, what will modern Windows systems use to resolve names of other systems?
WINSDNS fallbackname resolutionWindows networking - Question #370Vulnerability Exploitation & Privilege Escalation
Which tool is used to provide 128-bit encryption of passwords?
SYSKEYWindows password encryptioncredential storage128-bit encryption - Question #371Incident Response & Cyber Kill Chain
The incident response team has been working with the various systems teams to find a way to gain root access to systems in event of an incident. It has been proposed that the syste...
privileged accessincident response procedurespassword managementVMware security - Question #372Malware Analysis & Advanced Persistent Threats
What can you do to proactively protect against DLL injection on your organization's Exchange server?
DLL injectionfile permissionsdefense hardeningWindows security - Question #373Incident Response & Cyber Kill Chain
Which of the following is ALWAYS a good guideline for incident response processes?
IR best practicesteam coordinationevidence integrityincident handler roles - Question #374Vulnerability Exploitation & Privilege Escalation
How does an attacking host initiate a SYN flood attack?
SYN floodDoS attackTCP handshakeIP spoofing - Question #375Malware Analysis & Advanced Persistent Threats
Attackers are trying to connect from an internal host they have compromised to their own host on the Internet. They can ping their external host, but cannot connect. What should th...
ICMP tunnelingdata exfiltrationcovert channelfirewall evasion - Question #376Malware Analysis & Advanced Persistent Threats
Why would an analyst run the following command on a host they suspect is compromised? C:\> c:\temp\lads\lads /S c:\Windows\System32
alternate data streamsNTFSLADS toolforensic analysis - Question #377Incident Response & Cyber Kill Chain
What is one indication that someone is running a Windows event log editing tool on your server?
event log tamperingWindows event logsanti-forensicslog integrity - Question #378Incident Response & Cyber Kill Chain
As an incident handler for the xyz widget company, you have responded to the breach of your mail server. The server is not in a DMZ but on your internal network and was being used...
forensic imagingdd toolevidence collectioncontainment sub-phases - Question #379Web Application Attacks & Post-Exploitation
During the identification phase of a potential incident, you examine the logs of a web server, which are full of lines like the one displayed below. During the preparation phase, w...
XSS preventioninput validationencoding schemesweb application security - Question #380Incident Response & Cyber Kill Chain
Which of the following occurs during the recovery phase of an incident?
recovery phaseIR lifecyclesystem restorationincident response phases - Question #381Reconnaissance, Scanning, and Enumeration
If an attacker is attempting to use the Kaminsky method of DNS cache poisoning, what is the maximum number of unique Query IDs which must be presented to the victim DNS server befo...
DNS cache poisoningKaminsky attackQuery IDDNS spoofing - Question #382Incident Response & Cyber Kill Chain
Which file contains information about past successful user logins on Unix systems?
Unix log fileswtmpuser login historylog analysis - Question #383Reconnaissance, Scanning, and Enumeration
Which tool can be used to sniff probe requests from wireless clients, and pretends to be the access point the client is seeking?
fake access pointKarmetasploitprobe requestswireless attacks - Question #384Vulnerability Exploitation & Privilege Escalation
Below is a Unix system configuration file below which sets kernel parameters upon booting. Which parameter did the systems administrator set as a defense against buffer overflow at...
buffer overflow defensenoexec_user_stackkernel parametersstack protection - Question #385Incident Response & Cyber Kill Chain
Observe the following command; what is the analyst doing? $ rekal '"f /cases/20160726_39/RAM/memimage.dd
memory forensicsRekallvolatile evidencememory analysis - Question #386Malware Analysis & Advanced Persistent Threats
Which of the following accurately describes a 'Bot'?
botnetbot definitionmalware typesautomation - Question #387Malware Analysis & Advanced Persistent Threats
Which of the following accurately describes the difference between worms and viruses?
wormsvirusesmalware propagationself-replication - Question #388Incident Response & Cyber Kill Chain
In a network switch, what is the benefit of comparing the MAC address of a host to a known list of DHCP assignments?
DHCP snoopingrogue DHCPMAC address validationnetwork defense - Question #389Reconnaissance, Scanning, and Enumeration
One type of FTP scan allows you to find a weakness in a certain type of firewall. These firewalls will allow an FTP data connection to take place, even though the FTP control conne...
FTP bounce scanstateless firewallpacket filteringFTP ports - Question #390Incident Response & Cyber Kill Chain
Regardless of the initial compromise or type of incident, which step is always a good practice during the Recovery phase of the Incident Handling Process?
incident handlingrecovery phasedata owner verificationIR process - Question #391Incident Response & Cyber Kill Chain
You are a member of your organization's IT security team. Your team has limited resources, so investigating every suspicious event is impossible. Which one of the following items,...
netstat analysissuspicious processesmalware detectionnetwork connections - Question #392Incident Response & Cyber Kill Chain
You are responding to an incident in which the organization's Extranet server has been compromised. The Extranet is the browser home page for most users in the organization. You ha...
incident containmentDNS redirectionserver isolationbusiness continuity - Question #393Reconnaissance, Scanning, and Enumeration
To defend against network mapping, which of the following packets should be denied at the border router?
ICMP filteringnetwork mapping defenseborder routerport unreachable - Question #394Vulnerability Exploitation & Privilege Escalation
As related to buffer overflows, what is the purpose of the Instruction Pointer?
buffer overflowinstruction pointerCPU registersmemory exploitation - Question #395Vulnerability Exploitation & Privilege Escalation
You just acquired admin rights on a remote machine and gained remote access. What techniques would you use to determine if it is a virtual machine?
VM detectionvirtualization artifactsregistry analysispost-compromise analysis - Question #396Vulnerability Exploitation & Privilege Escalation
An attacker wants to intercept their target's network traffic using ARP cache poisoning. How should the attacker setup IP forwarding?
ARP cache poisoningIP forwardingMITM attacktraffic interception - Question #397Reconnaissance, Scanning, and Enumeration
Which Wireless LAN discovery tool uses active scanning in order to detect wireless networks?
wireless discoveryNetStumbleractive scanningWLAN tools - Question #398Reconnaissance, Scanning, and Enumeration
Which stage of an attack typically involves little or no direct interaction with the attack target(s)?
attack lifecyclereconnaissancepassive reconnaissancekill chain phases - Question #399Vulnerability Exploitation & Privilege Escalation
Computer 'remus' has traffic coming in on port 53. You want to forward the traffic to system 'romulus' on port 1234. Which command would you run on 'remus' to complete this task?
netcatport forwardingtraffic redirectionpost-exploitation tools - Question #400Vulnerability Exploitation & Privilege Escalation
Which tool is designed to provide shell access over ICMP?
ICMP tunnelingLokicovert channelshell access - Question #401Vulnerability Exploitation & Privilege Escalation
When using a Netcat backdoor listener for shell access, what userID will the commands be executed as?
Netcatbackdoor listenershell accessuser privileges - Question #402Incident Response & Cyber Kill Chain
A SOC analyst is reviewing event logs from several network devices across the enterprise and notices that there are an abnormally high number of logon attempts across the desktop s...
SOC analysisbrute force detectionlog reviewincident escalation - Question #403Reconnaissance, Scanning, and Enumeration
An analyst runs the following nmap scan from their Linux computer as a non-privileged user. The target host, 10.0.233.2, has tcp/445 open. What network traffic would be generated b...
nmapTCP connect scannon-privileged scanningnetwork traffic - Question #404Malware Analysis & Advanced Persistent Threats
MyDoom, Zotob, and Blaster are all examples of what type of malware?
wormsmalware classificationnetwork propagation - Question #405Incident Response & Cyber Kill Chain
An incident handler investigating abnormal system behavior has captured traffic from two client workstations. Both clients sent dozens of SYN packets to an external host WW3.ACME.N...
network traffic analysiscovert channelC2 communicationpacket crafting - Question #406Incident Response & Cyber Kill Chain
A client wants a system so that they can monitor connection queues on network equipment for too many half-open connections, as well as look for bandwidth consumption from the same...
SYN floodhalf-open connectionsDoS detectionnetwork monitoring - Question #407Incident Response & Cyber Kill Chain
If virtual machines are relatively easy for an attacker to detect, the next best thing might be to put so much honey in your honeypot, attackers won't be able to resist. Which acti...
honeypotdeception technologyattacker luringsecurity monitoring - Question #408Reconnaissance, Scanning, and Enumeration
Which reconnaissance source would you expect to provide the information in the below screen capture?
whoisOSINTpassive reconnaissance - Question #409Incident Response & Cyber Kill Chain
A company requires employees to sign an acknowledgement of the organization's security policy when they are hired. An employee with email access used the company's mail server to t...
unauthorized useemail spoofingacceptable use policypolicy violation - Question #410Incident Response & Cyber Kill Chain
If law enforcement asks you to perform an action on their behalf, what might require before rendering assistance?
legal requirementscourt orderlaw enforcement cooperation