Exam Details

  • Exam Code: GCIH
  • Exam Name: GIAC Certified Incident Handler
  • Certification: GIAC Information Security
  • Vendor: GIAC
  • Total Questions: 705 Q&As
  • Last Updated: May 14, 2024

GIAC GIAC Information Security GCIH Questions & Answers

  • Question 11:

    Which of the following describes a suspicious event in the service data below?

    root@kali:~/volatility# ./vol.py -f ../mem/Desk005.vmem svcscan

    A. GREEN: Executables should not be run from temporary folders

    B. BLUE: Service names should be all capital letters

    C. PURPLE: Services should not be in the STOPPED state

    D. YELLOW: Option -k should be followed by -p for svchost

  • Question 12:

    Which of the following Metasploit module types would contain privilege escalation capabilities?

    A. Auxiliary

    B. Exploit

    C. Post

    D. Payload

  • Question 13:

    What information is commonly found in both the header and the possession log of a Chain of Custody?

    A. Date and time the evidence was requested by the court

    B. Date and time the evidence was checked into evidence locker

    C. Date and time the evidence was initially collected

    D. Date and time the evidence is classified as reliable

  • Question 14:

    An administrator needs to protect his organization's IIS web servers from Cross-Site Scripting attacks. Which action should he take?

    A. Use the Anti-XSS library from Microsoft

    B. Configure two-factor authentication for clients

    C. Use a random element when setting session cookies

    D. Configure application whitelisting on the IIS server

  • Question 15:

    When probing for command injection opportunities on a remote host, why would an attacker target her own address space from the remote host?

    A. Collection of URL session tokens

    B. Legal requirement

    C. Verification of a blind attack

    D. Detect target's operating system

  • Question 16:

    Examine the image below. What share would a user typically connect to when they execute the NET USE command below?

    C:\> net use \\10.0.10.123

    A. C$

    B. tmp

    C. IPC$

    D. ADMIN$

  • Question 17:

    What built-in Windows tool can be used to collect Active Directory database data and the SYSTEM registry hive for off-line password cracking?

    A. ntdsutil

    B. procdump

    C. sysmon

    D. psinfo

  • Question 18:

    How can a system be configured to ignore gratuitous ARPs for specific IP addresses?

    A. Use static routing to avoid ARP cache poisoning attacks

    B. Hard code the ARP table for specific IP addresses

    C. Use the "arp -deny" command

    D. Use DNS, which operates at the application layer, instead of ARP, which operates at the data link layer

  • Question 19:

    What is the Linux administrator doing with the commands below?

    $ rpcclient -U fezzik florin
    rpcclient $> lsaenumsid

    A. Resolving SIDs to usernames on the target server

    B. Displaying the rights associated with a SID on the target server

    C. Listing the privileges associated with a SID defined locally on the target server

    D. Enumerating the SIDs of all users defined locally on the target server

  • Question 20:

    In addition to special characters, certain keywords in log files may indicate a SQL injection attack. Which words could indicate a SQL injection attack?

    A. "language=JavaScript", and "select"

    B. "