SANS GCIH (SEC504) Exam Questions
and Answers
Who should make the decision of when to put a system back into production?
A) Systems administrators
B) Business team
C) Security team
D) Data owner - Answers -B) Business team
Which command will display ASCII and Unicode strings within a malware sample?
A) cat
B) Get-Strings
C) strings
D) findstr - Answers -C) strings
Which type of system is most commonly used to investigate malware?
A) Virtual machine
B) Day-to-day host
C) Thick client
D) Production system - Answers -A) Virtual machine
If you believe your system has been the victim of a rootkit attack, what is the most cost-
effective form of eradication?
A) Restore the OS from the most recent backup.
B) Reformat, reinstall, and patch the system from the original media.
C) Patch and reboot the compromised system.
D) Install applications from a different vendor. - Answers -B) Reformat, reinstall, and
patch the system from the original media.
What tool is used to record the state of the registry before and after malware is
executed on an analysis system?
A) Regshot
B) Ollydbg
C) Wireshark
D) Regripper - Answers -A) Regshot
,What method could be used to ensure that an asset under investigation is not put back
into production without approval before the investigation is complete?
A) Move the asset to a different cloud data center.
B) Terminate the asset.
C) Shut off all administrative access to the cloud environment so no admins can make
changes.
D) Add an "under investigation" tag to the asset. - Answers -D) Add an "under
investigation" tag to the asset.
During the remediation phase of incident response, you remove a file from your infected
web server. What is the most important additional thing to do to prevent being
compromised again?
A) Determine the root cause of the attack.
B) Review your host-based firewall rules.
C) Restore the host data from backups.
D) Apply patches and harden the system. - Answers -A) Determine the root cause of the
attack.
What is a bucket squatting attack?
A) Scanning for buckets with public access.
B) Exfiltrating data using cloud storage buckets.
C) Uploading and using web shells against buckets with public writable permissions.
D) Registering a bucket that uses an organization name. - Answers -D) Registering a
bucket that uses an organization name.
Which command can be used to find Azure storage instances?
A) bucket_finder.rb words --download
B) gcpbucketbrute.py -u -k names
C) basicblobfinder.py namelist
D) gsutil ls gs://findit - Answers -C) basicblobfinder.py namelist
Basic Blob Finder is a tool used to scan for and identify Azure Blobs. Since Azure Blobs
are identified by an account name and a container name, Basic Blob Finder accepts a
list of strings, optionally separated by a colon. Entries of a single string are used as both
the account name and the container name; entries with a colon delimit the account
name and the container name. Basic Blob Finder will identify publicly accessible Azure
Blobs and enumerate the files in the Blob.
What is the first step attackers take when engaging in a password-cracking attack
against an organization?
A) Access high-value targets.
, B) Crack password hashes for as long as necessary.
C) Dump available password hashes.
D) Exploit a low-value target. - Answers -D) Exploit a low-value target.
Attackers will commonly seek to exploit a system of low-to-medium importance as the
first step in cracking passwords. A system of lower importance is less likely to be
hardened against attacks, less likely to be closely monitored, and may even be
relatively neglected. This makes the system of lower importance an ideal target to
exploit and gain a foothold, dumping all available password hashes, cracking those
hashes, and reusing the recovered passwords to access high-importance targets
Which of the following is a program that can move data across a network using user-
assigned TCP or UDP ports and works on Windows, Mac, and Linux?
A) Nmap
B) Netcat
C) ping
D) SCP - Answers -B) Netcat
Why is performing memory analysis on RAM images a staple of investigations?
A) Valuable information may exist in RAM, which might not be found on disk.
B) Speed - Evidence from a RAM image will match disk content.
C) RAM provides more consistent images than disk.
D) It's easier to look for historical information in RAM than on disk. - Answers -A)
Valuable information may exist in RAM, which might not be found on disk.
An investigator identifies the following POST request. Which log recorded the activity?
1583050850.951 185 192.168.40.123 TCP_MISS/200 1856 POST
https://update.googleapis.com/service/update2? -ORIGINAL_DST/172.219.10.153
text/xml
A) Switch access log
B) Regshot event log
C) Proxy access log
D) Windows event log - Answers -C) Proxy access log
What are two basic approaches commonly employed when investigating malware?
A) Running a penetration test and running a vulnerability scan.
B) Monitoring the environment and examining code.
C) Taking the environment offline and restoring from backups.
D) Performing a risk assessment and confirming a possible exploit type. - Answers -B)
Monitoring the environment and examining code.
and Answers
Who should make the decision of when to put a system back into production?
A) Systems administrators
B) Business team
C) Security team
D) Data owner - Answers -B) Business team
Which command will display ASCII and Unicode strings within a malware sample?
A) cat
B) Get-Strings
C) strings
D) findstr - Answers -C) strings
Which type of system is most commonly used to investigate malware?
A) Virtual machine
B) Day-to-day host
C) Thick client
D) Production system - Answers -A) Virtual machine
If you believe your system has been the victim of a rootkit attack, what is the most cost-
effective form of eradication?
A) Restore the OS from the most recent backup.
B) Reformat, reinstall, and patch the system from the original media.
C) Patch and reboot the compromised system.
D) Install applications from a different vendor. - Answers -B) Reformat, reinstall, and
patch the system from the original media.
What tool is used to record the state of the registry before and after malware is
executed on an analysis system?
A) Regshot
B) Ollydbg
C) Wireshark
D) Regripper - Answers -A) Regshot
,What method could be used to ensure that an asset under investigation is not put back
into production without approval before the investigation is complete?
A) Move the asset to a different cloud data center.
B) Terminate the asset.
C) Shut off all administrative access to the cloud environment so no admins can make
changes.
D) Add an "under investigation" tag to the asset. - Answers -D) Add an "under
investigation" tag to the asset.
During the remediation phase of incident response, you remove a file from your infected
web server. What is the most important additional thing to do to prevent being
compromised again?
A) Determine the root cause of the attack.
B) Review your host-based firewall rules.
C) Restore the host data from backups.
D) Apply patches and harden the system. - Answers -A) Determine the root cause of the
attack.
What is a bucket squatting attack?
A) Scanning for buckets with public access.
B) Exfiltrating data using cloud storage buckets.
C) Uploading and using web shells against buckets with public writable permissions.
D) Registering a bucket that uses an organization name. - Answers -D) Registering a
bucket that uses an organization name.
Which command can be used to find Azure storage instances?
A) bucket_finder.rb words --download
B) gcpbucketbrute.py -u -k names
C) basicblobfinder.py namelist
D) gsutil ls gs://findit - Answers -C) basicblobfinder.py namelist
Basic Blob Finder is a tool used to scan for and identify Azure Blobs. Since Azure Blobs
are identified by an account name and a container name, Basic Blob Finder accepts a
list of strings, optionally separated by a colon. Entries of a single string are used as both
the account name and the container name; entries with a colon delimit the account
name and the container name. Basic Blob Finder will identify publicly accessible Azure
Blobs and enumerate the files in the Blob.
What is the first step attackers take when engaging in a password-cracking attack
against an organization?
A) Access high-value targets.
, B) Crack password hashes for as long as necessary.
C) Dump available password hashes.
D) Exploit a low-value target. - Answers -D) Exploit a low-value target.
Attackers will commonly seek to exploit a system of low-to-medium importance as the
first step in cracking passwords. A system of lower importance is less likely to be
hardened against attacks, less likely to be closely monitored, and may even be
relatively neglected. This makes the system of lower importance an ideal target to
exploit and gain a foothold, dumping all available password hashes, cracking those
hashes, and reusing the recovered passwords to access high-importance targets
Which of the following is a program that can move data across a network using user-
assigned TCP or UDP ports and works on Windows, Mac, and Linux?
A) Nmap
B) Netcat
C) ping
D) SCP - Answers -B) Netcat
Why is performing memory analysis on RAM images a staple of investigations?
A) Valuable information may exist in RAM, which might not be found on disk.
B) Speed - Evidence from a RAM image will match disk content.
C) RAM provides more consistent images than disk.
D) It's easier to look for historical information in RAM than on disk. - Answers -A)
Valuable information may exist in RAM, which might not be found on disk.
An investigator identifies the following POST request. Which log recorded the activity?
1583050850.951 185 192.168.40.123 TCP_MISS/200 1856 POST
https://update.googleapis.com/service/update2? -ORIGINAL_DST/172.219.10.153
text/xml
A) Switch access log
B) Regshot event log
C) Proxy access log
D) Windows event log - Answers -C) Proxy access log
What are two basic approaches commonly employed when investigating malware?
A) Running a penetration test and running a vulnerability scan.
B) Monitoring the environment and examining code.
C) Taking the environment offline and restoring from backups.
D) Performing a risk assessment and confirming a possible exploit type. - Answers -B)
Monitoring the environment and examining code.
