GIAC-GCIH

During which phase of incident response would an analyst review the data below?

How could an attacker set up a persistent backdoor listener to a login shell on TCP port 53 using netcat on a Linux system?

As indicated in the following image, an analyst runs the dir and more commands. What can the analyst conclude about Judges.txt?

Which file type can be used to execute code in Excel without issuing a warning about opening a macro-supporting file type?

What version of Windows natively supports SMB encryption?

Which of the following netcat commands will connect to tcp port 2222 on a remote system (10.0.0.1)?

Jill ran the following command below against a DNS server.But the command did not work. What other command can Jill use to accomplish the same task?

Which of the following commands will identify hidden file streams within the C:\Documents folder?

Observe the following command; what is the analyst doing?

What happened in the following screenshot?

When would a web-based reconnaissance tool be preferred over a direct/local reconnaissance tool?

Which of the following network applications is better suited for using a connection-oriented protocol than a stateless protocol?

Nathan is examining the security event log on a file server that contains sensitive data. He finds a number of Event ID 1234s with substatus code 0xC000006A.There are 4 or less failures against any individual account. Which type of password attack is indicated by these events?

Which of the following statements describes the data below from volatility's pstree plugin?

Which of the following Metasploit tools will generate a payload that can be introduced to a Windows system as shown in the image?

Which UNIX log file contains information about currently logged in users?

Which volatility plugin shows the command line path for a recently launched application?

What is the definition of an event as it applies to incident handling?

What hash type is being cracked in the command below?hashcat -m 1000 -a 0 customer.ntds wordlist.txt --potfile-path ./hashcat.potfile

Which of the following occurs when a penetration tester attempts to connect to a host with the following command? net use \\192.168.44.213

A security auditor is using John the Ripper to review password strength on Windows machines. The auditor knows that the company requires a 15-character minimum in their passwords. In this scenario, what format parameter must be passed to John (with Jumbo Patch) to crack the passwords?

Which of the following is the most effective technique for identifying live client systems on a LAN?

Which of the following squid proxy log fields is easiest for an attacker to spoof?

A responder runs the two commands below looking for the number of lines that contain the word powershell. Which of the following is a reason why the output is different between the two plugins?

An attacker has tricked a user into executing content he placed on a social networking site. The malicious content executes in the victim's browser and allows the attacker to determine if machines behind the user's firewall are up and running. What type of attack is this?

Following the recent acquisition of a new business, your manager asks you to investigate their DNS service and report back on its status. He is concerned as they only have one DNS server in the organization and it is visible on the Internet. What actions and recommendations should be taken as a first step?

A system administrator finds the entry below in an Apache log. What can be done to mitigate against this?192.168.116.201 - - [22/Apr/2016:13:43:26 -0400] `GET http://www.giac.org%2Farticles.php%3Fid%3D3+and+%28select+1+from+mysql.user+limit+0%2C1%29%3D1HTTP/1.1` 200 453 `-` `Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0`

What is the Linux administrator doing with the commands below?$ rpcclient -U fezzik florinrpcclient $> lsaenumsid

When probing for command injection opportunities on a remote host, why would an attacker target her own address space from the remote host?

An administrator needs to protect his organization's IIS webservers from Cross-Site Scripting attacks. Which action should he take?