GCIH Exam Questions
829 real GCIH exam questions with expert-verified answers and explanations. Page 9 of 17.
- Question #411Vulnerability Exploitation & Privilege Escalation
Assuming you use each program listed, of the choices listed below, which represents the BEST defense against protocol parser vulnerabilities?
protocol parser vulnerabilitiestcpdumppatch managementnetwork tools - Question #412Reconnaissance, Scanning, and Enumeration
What is a war dialer?
war dialingmodem detectionphone reconnaissance - Question #413Incident Response & Cyber Kill Chain
Organizations with a requirement for high security may provide their workers a single computer with multiple guest operating systems installed. Each guest is allowed access to a ne...
virtual machine securitynetwork isolationguest-host separation - Question #414Reconnaissance, Scanning, and Enumeration
Observe the image below for context. Which of the following steps would be next in the process of reconnaissance?
DNS zone transferdig commandDNS reconnaissance - Question #415Incident Response & Cyber Kill Chain
As an employee of Enfield & Sons, you have been tasked with adding a warning banner to computer systems. You develop the below warning banner. What should be your next step? 'Warni...
warning bannerlegal reviewsecurity policycompliance - Question #416Incident Response & Cyber Kill Chain
A new helpdesk employee at a multinational corporation took it upon himself to test the security of the servers that holds highly confidential information regarding specific govern...
physical securityaccess controlinsider threatserver room - Question #417Malware Analysis & Advanced Persistent Threats
An attacker designs malware to remain dormant when it detects a shifted interrupt descriptor table. On which of the following hosts would this malware remain dormant?
VM detectioninterrupt descriptor tableanti-analysismalware evasion - Question #418Incident Response & Cyber Kill Chain
You are a member of your organization's security team. A new ticket just came into your service desk and was escalated to you. One of the system administrators noticed the followin...
Windows event logaudit failureincident containmentprivilege use - Question #419Web Application Attacks & Post-Exploitation
What is the best approach to successfully filter out potentially harmful characters from user input?
input validationallowlist filteringinjection prevention - Question #420Incident Response & Cyber Kill Chain
Which of the following tasks would take place during the incident containment phase?
incident containmentIPS rulesincident response phasesDoS mitigation - Question #421Web Application Attacks & Post-Exploitation
When launching a SQL Injection attack, what characters might an attacker start experimenting with first?
SQL injectionspecial charactersinput manipulationweb attacks - Question #422Reconnaissance, Scanning, and Enumeration
When performing reconnaissance what is a good way to speed up the process and collect results from many different search engines at once?
SearchDiggityOSINTsearch engine aggregationreconnaissance tools - Question #423Malware Analysis & Advanced Persistent Threats
Why should organizations consider disabling auto-run as part of their Windows system hardening baselines?
auto-runremovable mediamalware propagationsystem hardening - Question #424Reconnaissance, Scanning, and Enumeration
The screenshot from Kismet below shows details of a WiFi network with SSID Cloaking enabled. How was Kismet able to collect the SSID information?
KismetSSID cloakingwireless reconnaissance802.11 probes - Question #425Incident Response & Cyber Kill Chain
The Network Operations Center has identified and escalated an active denial of service incident on the mail server and several externally facing web sites to the security team for...
incident responsedenial of serviceNOC proceduresescalation - Question #426Reconnaissance, Scanning, and Enumeration
Unix files beginning with which of the following characters are considered hidden?
Unix hidden filesdot filesfile systemenumeration - Question #427Incident Response & Cyber Kill Chain
Which of the following makes it difficult to block the source of DNS amplification attacks?
DNS amplificationUDP spoofingDDoSIP spoofing - Question #428Incident Response & Cyber Kill Chain
What is the goal of the containment phase of incident handling?
containment phaseincident handlingincident response lifecycle - Question #429Reconnaissance, Scanning, and Enumeration
With the screenshot below, what is the penetration tester likely looking for?
web archiveOSINTdeleted contentpassive reconnaissance - Question #430Incident Response & Cyber Kill Chain
Which of the following incident handling mistakes would occur as part of the eradication phase?
eradication phasere-infection preventionincident handlingmistakes - Question #431Incident Response & Cyber Kill Chain
During the eradication phase, what information should be analyzed to determine the cause and symptoms of an incident?
eradication phaseidentification phasecontainment phaseincident analysis - Question #432Vulnerability Exploitation & Privilege Escalation
A sysadmin would use SYSKEY to accomplish which objective?
SYSKEYpassword hash encryptionWindows securitycredential storage - Question #433Web Application Attacks & Post-Exploitation
Many of your company's customers have been complaining that their web forum accounts have been compromised, so you have been asked to investigate. After creating an account as a no...
session IDdigital signingsession hijackingweb application security - Question #434Incident Response & Cyber Kill Chain
Deleting an attacker's scheduled tasks on a victim host is something that would typically occur during which phase of incident handling?
eradication phasescheduled tasksattacker persistenceincident handling - Question #435Vulnerability Exploitation & Privilege Escalation
Why was Shellshock a threat to platforms like DHCP servers and home WiFi routers in addition to web servers?
Shellshockbash vulnerabilityCVE exploitationcommand injection - Question #436Incident Response & Cyber Kill Chain
Analyze the image below. In which stage of the attack process is the attacker operating?
covering tracksattack lifecyclecyber kill chainlog manipulation - Question #437Incident Response & Cyber Kill Chain
A systems administrator notices an increase in errors in a DNS server log. Further investigation determines the errors are related to incoming DNS packets with incorrect query ID's...
DNS cache poisoningquery ID spoofingDNS attacksnetwork analysis - Question #438Malware Analysis & Advanced Persistent Threats
Several fully patched machines from different vendors are found to be compromised. The only processes that contacted the network prior to the compromise were automatic software upd...
evilgradeauto-update attacksupply chain compromiseman-in-the-middle - Question #439Malware Analysis & Advanced Persistent Threats
Which of the following is a common method for hosts to be infected with bot software?
botnetwormsmalware propagationbot infection - Question #440Web Application Attacks & Post-Exploitation
You are investigating a potential web server compromise involving user authentication. During the identification phase, you examine the web server log file and find thousands of li...
XSScross-site scriptingcookie theftsession hijacking - Question #441Reconnaissance, Scanning, and Enumeration
Out of the following, which is the most effective way to protect against rogue modems and the risk they introduce?
war dialingrogue modemsegress filteringdial-up security - Question #442Reconnaissance, Scanning, and Enumeration
What can be concluded from the picture below?
ICMP time exceededtraceroutenetwork topologyrouter behavior - Question #443Reconnaissance, Scanning, and Enumeration
What is the third step in the three-way handshake?
TCP three-way handshakeACK flagconnection establishmentTCP/IP fundamentals - Question #444Malware Analysis & Advanced Persistent Threats
How does a worm utilize the Warhol/Flash technique?
worm propagationWarhol techniqueFlash wormprescan targeting - Question #445Vulnerability Exploitation & Privilege Escalation
Becky is reviewing the password policy for the Firm's Windows network. She would like to make the password minimum length 15 characters. What will be the effect of this change?
LANMAN hashNTLM hashpassword policyWindows authentication - Question #446Malware Analysis & Advanced Persistent Threats
An investigation led to the identification of several systems showing suspicious activity. At regular time intervals, the systems send data over port 80 to different external hosts...
fast fluxbotnet C2port 80 beaconingdynamic DNS evasion - Question #447Incident Response & Cyber Kill Chain
Which of the following is recommended to include in your incident response jump bag?
incident responsenetwork TAPjump bagpassive monitoring - Question #448Incident Response & Cyber Kill Chain
After a system that was compromised in an incident is brought back into production, which part of the incident handling process must be done?
incident handlingpost-recovery monitoringeradicationreinfection detection - Question #449Reconnaissance, Scanning, and Enumeration
Which Win32 based command will display DNS record names and types, as well as the current time to live for the record?
DNS cacheipconfigWindows DNS commandsTTL records - Question #450Malware Analysis & Advanced Persistent Threats
View the following screen capture. Which of the following security mechanisms detected downloader.exe as a possible threat?
host-based detectionsystem-level protectionmalware detection layersdownloader malware - Question #451Cloud Incident Response & Threat Hunting
Following a virtual machine escape attack, a rebuilt Windows server hosting multiple VMWare guests is placed on a protected VLAN for monitoring. What activity would indicate that t...
VM escapehypervisor exploitationVMware securityvirtualization threats - Question #452Reconnaissance, Scanning, and Enumeration
What will a host do when it receives a packet with an invalid TCP checksum?
TCP checksumpacket validationinvalid packet handlingTCP/IP stack - Question #453Reconnaissance, Scanning, and Enumeration
The target company's IP range is 151.113.0.0/16 and their border router's ASN (autonomous system numbers) includes their entire IP range. An attacker stands up their own border rou...
BGP hijackingASN spoofingrouting attacksIP prefix hijack - Question #454Malware Analysis & Advanced Persistent Threats
Analysis of malicious code identifies a function that searches for specific processes and hardware on a victim host. If the processes or hardware are found, the malicious executabl...
VM detectionsandbox evasionanti-analysisprocess enumeration - Question #455Web Application Attacks & Post-Exploitation
Which of the following can be done using Covert_TCP's built in functionality?
Covert_TCPcovert channelsdata exfiltrationTCP header steganography - Question #456Reconnaissance, Scanning, and Enumeration
The penetration testing team is attempting to intercept DNS queries and poison the ARP cache of the Windows host at the IP address of 192.168.10.205. Their testing platform has the...
ARP poisoningnetwork segmentationsubnet routingARP broadcast domain - Question #457Incident Response & Cyber Kill Chain
Which of the following is the most effective at eradicating a system infected with a Rootkit?
rootkit eradicationOS reinstallationincident recoverysystem wipe - Question #458Reconnaissance, Scanning, and Enumeration
Which of the following could help prevent the threat of an external entity mapping a network's internal systems and filtering rules?
network mapping defenseproxy serverinternal topology concealmentreconnaissance countermeasure - Question #459Web Application Attacks & Post-Exploitation
Which Windows tool can be used to view the contents of the following file directly in the command shell? C:\Users\JaneD\funnyjokes.doc:file1
alternate data streamsNTFS ADSWindows file systemhidden file access - Question #460Reconnaissance, Scanning, and Enumeration
Which technique allows an attacker logged into a computer attached to switch port 8 to see traffic sent to hosts on other ports?
CAM table floodMAC floodingswitch securitytraffic interception