600 You have many software packages available to choose from when preparing for a vulnerability scan. What precautions should be taken when running a basic vulnerability scan regardless of the package used?

601 Which of the following TTL values on an incoming packet allow it to be forwarded to the next router in the path?

602 A company is running a Windows network segment with Windows 8 for its users and wants to do a statistical analysis of the workstations to help detect malwarWhat would be a good way to accomplish this?

604 Analyze the screenshot below. What will the search return?

606 Stacy is the lead of the network services team. She suspects that Keith, one of the network administrators, is not spending as much time working as he states he is. She suspects he is spending time researching the screenplay he is writing about the officShe asks a security analyst to track Keith's web usage to verify what he is doing. What should the security analyst do next?

607 Examine the image below. Based on the log file and directory entry below why was the .bash_history file empty after Eve terminated her session?

608 What advantage does running netstat with the flags `-nao` have over running netstat with the `-na` flags in Windows?

609 If a router received an IPv6 packet with a Hop Limit of 1, which of the following ICMP messages would it send back to the originating host?

610 Which of the following commands can be used to create a backdoor shell on port 1234 on a Linux or Unix system?

613 The following anomalous network flow was observed while running tcpdump on a firewall protecting DMZ web services on the 192.0.2.0/24 network. What conclusion can be drawn?

614 Which of the following is the BEST set of methods one may use to validate a system once operations have been restored during the Recovery phase of Incident Handling?

615 What purpose would an attacker have for including TFTP commands in the payload of a buffer overflow exploit?

616 Which of the following evidence container formats is an open source alternative that can provide metadata along with the image?

617 What task is the Linux administrator performing with the command below? python dpat.py -n ../ntdsbak/customer.ntds -c ../ntdsbak/hashcat.potfile -g ../ntdsbak/*.txt

618 An analyst is reviewing a packet capture from a large sample of mixed protocols. Which of the following tcpdump Berkeley Packet Filter (BPF) filters would reduce the data set to the information below?

619 Which of the following processes should be prioritized for examination during live response?

620 An attacker compromises a host and runs the following commands. What did the attacker do?

621 Which of the following can be used in a USB attack to bypass authentication by hijacking the password libraries on a Windows system?

622 An attacker is launching an attack against an input field in a form that is used to retrieve restricted information that is filtered dependent upon the privileges of the logged in user. This attacker inserts ""' or 1=1;--"" into this fielWhat is most likely the attacker's desired result from this insertion?"

623 An incident handler concluded that a recent breach could have been prevented with a software patch. In their report they recommended the organization perform regular vulnerability scans, document the findings and update software assets.Six months later the incident handler investigates a new breach and concludes the web server was infected due to an outdated version of a Content Management System (CMS). Based on this information, what part of the incident handling process does the organization need to improve?

624 An investigator is auditing a UNIX system and finds the following entry in the wtmp filWhat does the entry indicate? test2 pts/1 202.69.197.99 Fri Apr 01 16:45

625 An organization has an SSH server that was compromised, but later eradicated and recovereThe system disks were wiped clean, the OS reinstalled, and patches re-applieAfter this valid, user-account on that system. process is complete, a security analyst noticed multiple simultaneous SSH logins from a single,Which of the following is the most likely explanation?

626 Which Microsoft tool can be used to mitigate the risk of an adversary reusing a stolen local administrator password hash?

627 Which endpoint security bypass technique modifies the assembly of an executable?

628 When copying a file that includes alternate data streams, what happens to the streams during the copying process?

629 An attacker has determined a web application is running the SQL command shown below. What could she enter for VALUE to get a list of all email addresses in the employee table and avoid syntax errors? select email from employee where name = `˜[VALUE]';

630 An engineer is using Hashcat to brute force passwords from a file of hashes. How should the following hash be handled in the scenario? aad3b435b51404eeaad3b435b51404ee

631 During which phase of incident response would an analyst review the data below?

632 Which of the following `net` commands will show the file shares available on a Windows system?

633 How could an attacker set up a persistent backdoor listener to a login shell on TCP port 53 using netcat on a Linux system?

634 As indicated in the following image, an analyst runs the dir and more commands. What can the analyst conclude about Judges.txt?

635 What is the danger of downloading an .XLSM file from a website that is considered trustworthy by the user?

636 Which tool can be used to exfiltrate data from a system that can only reach the remote host using ICMP?

637 Which line in the following Ducky script is sent to approve the Windows UAC warning?

638 Which file type can be used to execute code in Excel without issuing a warning about opening a macro-supporting file type?

639 A security examiner has been given permission by senior management to conduct a password audit. What should she make sure of after the process?

640 What version of Windows natively supports SMB encryption?

641 Which of the following netcat commands will connect to tcp port 2222 on a remote system (10.0.0.1)?

642 Jill ran the following command below against a DNS server.But the command did not work. What other command can Jill use to accomplish the same task?

643 Which of the following commands will identify hidden file streams within the C:\Documents folder?

644 Which of the following is a technique that can be used to reduce the amount of data to examine during an investigation?

645 An organization has enabled local account token filtering in the registry for workstations. What additional step do they need to take in order to defend against pass-the-hash attacks?

646 What would an incident handler use the contents of the following registry key to determine? HKLM\Software\Microsoft\Windows\CurrentVersion\Run

647 When doing a web search, which of the following Google commands can be used to find all sites that link to a given target?

648 Observe the following command; what is the analyst doing?

649 What happened in the following screenshot?

650 When would a web-based reconnaissance tool be preferred over a direct/local reconnaissance tool?

651 Which of the following network applications is better suited for using a connection-oriented protocol than a stateless protocol?

652 Why is a nmap ACK scan useful for network mapping?

653 An incident handler sees the following lines in the shell history of a user on a machine: mknod test p nc -l -p 11111 0<test | nc 10.1.1.10 54321 1>test What did this user implement?

654 An attacker has penetrated a network and is using lateral movement. Which defense will be effective?

655 Nathan is examining the security event log on a file server that contains sensitive datHe finds a number of Event ID 1234s with substatus code 0xC000006A. There are 4 or less failures against any individual account. Which type of password attack is indicated by these events?

656 What is the result of unloading a process' forward and backwards links in memory?

657 Which of the following statements describes the data below from volatility's pstree plugin?

658 Which of the following Metasploit tools will generate a payload that can be introduced to a Windows system as shown in the image?

659 What is the goal of the command sequence shown below? >nslookup >server [authoritative_server_IP_or_name] >set type=any >ls -d [target_domain]

660 What can be used to link UNIX authentication with other mechanisms?

661 Which UNIX log file contains information about currently logged in users?

662 Which of the following actions can prevent the successful use of Metasploit against a Windows host?

663 Analyze the data shown below. Where does this data originate from?

664 Which volatility plugin shows the command line path for a recently launched application?

665 Which of the following commands will enumerate a list of shares on a Windows target machine?

666 What is the definition of an event as it applies to incident handling?

667 Which of the following is a normal finding that an incident handler would expect to see while reviewing the squid proxy logs for a small business with a single office?

668 What hash type is being cracked in the command below? hashcat -m 1000 -a 0 customer.ntds wordlist.txt --potfile-path ./hashcat.potfile

669 Which of the following occurs when a penetration tester attempts to connect to a host with the following command? net use \\192.168.44.213

670 A security auditor is using John the Ripper to review password strength on Windows machines. The auditor knows that the company requires a 15- character minimum in their passwords. In this scenario, what format parameter must be passed to John (with Jumbo Patch) to crack the passwords?

671 Which of the following would be exposed to an attacker as a result of a remote employee attempting to connect to company resources without a VPN?

672 Which of the following is the most effective technique for identifying live client systems on a LAN?

673 Where would an incident handler search for autostart extensibility points (ASEPs) on a Windows host?

674 How can an adversary use a hash that was stolen from a Windows account to compromise a Linux server?

675 What is the outcome of the command below? hashcat -m 3000 -a 3 ntds.dat --potfile-path ntds.potfile -1 ?u?d?s --increment ?1?1?1?1?1?1

676 Which file would an attacker need to read in order to crack passwords on a modern Linux system?

677 Which of the following squid proxy log fields is easiest for an attacker to spoof?

678 What do drive-by attacks typically take advantage of when delivering exploits?

679 A responder runs the two commands below looking for the number of lines that contain the word powershell. Which of the following is a reason why the output is different between the two plugins?

680 Alice is checking for unusual activity on the LAN that she administers. Based on the CAM table excerpt below, what port should be investigated further?

681 An attacker has tricked a user into executing content he placed on a social networking sitThe malicious content executes in the victim's browser and allows the attacker to determine if machines behind the user's firewall are up and running. What type of attack is this?

682 Following the recent acquisition of a new business, your manager asks you to investigate their DNS service and report back on its status. He is concerned as they only have one DNS server in the organization and it is visible on the Internet. What actions and recommendations should be taken as a first step? traffic at the firewall.

683 A system administrator finds the entry below in an Apache log. What can be done to mitigate against this? 192.168.116.201 - - [22/Apr/2016:13:43:26 -0400] `GET http://www.giac.org%2Farticles.php%3Fid%3D3+and+%28select+1+from +mysql.user+limit+0%2C1%29%3D1 HTTP/1.1` 200 453 `-` `Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0`

684 Which of the following user accounts is the default Administrator account?

685 What request methods are exploited in a Lanturtle + Responder access attack?

686 In addition to special characters, certain keywords in log files may indicate a SQL injection attack. Which words could indicate a SQL injection attack?

687 What is the Linux administrator doing with the commands below? $ rpcclient -U fezzik florin rpcclient $> lsaenumsid

688 How can a system be configured to ignore gratuitous ARPs for specific IP addresses?

689 What built-in Windows tool can be used to collect Active Directory database data and the SYSTEM registry hive for off-line password cracking?

690 Examine the image below. What share would a user typically connect to when they execute the NET USE command below? C:\> net use \\10.0.10.123 -

691 When probing for command injection opportunities on a remote host, why would an attacker target her own address space from the remote host?

692 An administrator needs to protect his organization's IIS webservers from Cross-Site Scripting attacks. Which action should he take?

693 What information is commonly found in both the header and the possession log of a Chain of Custody?

694 Which of the following Metasploit module types would contain privilege escalation capabilities?

695 Which of the following describes a suspicious event in the service data below? root@kali:~/volatility# ./vol.py -f ../mem/Desk005.vmem svcscan

696 Which file contains information about failed login attempts on a Unix system?

697 What is one of the simplest AND most common ways for an attacker to camouflage files on a UNIX system?

698 Which of the following packets saved in the file pingout.pcap would be returned with the following Berkley Packet Filters? tcpdump -nn -r pingout.pcap `˜icmp and (dst host 8.8.8.8)'

699 What is the goal of an attacker who has entered the commands shown in the screenshot?