
GCIH Practice Questions: Detecting Evasive Techniques Domain

Test your GCIH knowledge with 5 practice questions from the Detecting Evasive Techniques domain. Includes detailed explanations and answers.

GCIH Practice Questions

Master the Detecting Evasive Techniques Domain

Test your knowledge in the Detecting Evasive Techniques domain with these 5 practice questions. Each question is designed to help you prepare for the GCIH certification exam with detailed explanations to reinforce your learning.

Question 1

You are alerted to possible command and control (C2) activity on your network. What is the best initial step to confirm this activity?

A) Isolate the suspected device from the network immediately.

B) Review outbound traffic for connections to known malicious IP addresses.

C) Perform a comprehensive malware scan on the suspected device.

D) Deploy endpoint detection and response (EDR) tools across the network.


Correct Answer: B

Explanation: Reviewing outbound traffic for connections to known malicious IP addresses is the best initial step because it provides immediate evidence of potential C2 communication. Isolating the device is a containment measure, while a comprehensive malware scan or a network-wide EDR deployment is more resource-intensive and does not focus on immediate confirmation of C2 activity.

Question 2

During an incident response, you suspect that an attacker is using DNS tunneling to exfiltrate data. What is the most effective initial action to detect this activity?

A) Conduct a full packet capture of all network traffic.

B) Analyze DNS query logs for unusual patterns or high frequencies.

C) Deploy an intrusion detection system (IDS) to monitor DNS traffic.

D) Perform a deep packet inspection on all DNS traffic.


Correct Answer: B

Explanation: Analyzing DNS query logs for unusual patterns or high frequencies is the most effective initial action because it allows quick detection of anomalies indicative of DNS tunneling, such as high volumes of requests or atypical query types. Conducting a full packet capture or deep packet inspection is more resource-intensive and time-consuming, which makes either a poor first step. Deploying an IDS is also valid but may not immediately highlight the specific patterns of DNS tunneling.

Question 3

You suspect a user account has been compromised and is being used to access sensitive data. Which immediate action should you take to prevent further unauthorized access?

A) Reset the user's password and require a change at next login.

B) Disable the user account immediately.

C) Monitor the account for further suspicious activity.

D) Inform the user and ask them to log out.


Correct Answer: B

Explanation: Disabling the user account immediately prevents any further unauthorized access using that account. Resetting the password could still allow ongoing sessions to continue, and monitoring the account does not prevent further misuse. Informing the user and asking them to log out is not sufficient to stop a compromise.

Question 4

You are investigating a potential insider threat where sensitive data might be exfiltrated via removable media. What is the best initial step to confirm this activity?

A) Review endpoint logs for USB device connections.

B) Conduct a full audit of all removable media used in the organization.

C) Implement DLP solutions to monitor data transfers.

D) Isolate all endpoints from the network temporarily.


Correct Answer: A

Explanation: Reviewing endpoint logs for USB device connections is the best initial step, as it provides immediate insights into whether removable media has been connected to systems that handle sensitive data. Conducting a full audit or implementing DLP solutions are valid but more time-consuming measures, while isolating endpoints is a containment action rather than an investigative step.

Question 5

An incident handler is alerted to a potential data exfiltration attempt through HTTP. What is the best first step to confirm and analyze this activity?

A) Review HTTP request and response logs for large data transfers.

B) Initiate a full forensic disk analysis of the suspected host.

C) Isolate the suspected host from the network.

D) Perform a vulnerability scan on the suspected host.


Correct Answer: A

Explanation: Reviewing HTTP request and response logs for large data transfers is the best first step, as it provides immediate insights into any unusual or large data flows over HTTP, which is indicative of exfiltration. Isolating the host is a containment step rather than an analysis step. Performing a full forensic disk analysis or a vulnerability scan is more time-consuming and not immediately focused on confirming HTTP-based exfiltration.


About GCIH Certification

The GCIH certification validates your expertise in detecting evasive techniques and other critical domains. Our comprehensive practice questions are carefully crafted to mirror the actual exam experience and help you identify knowledge gaps before test day.


Want the Full Ultimate GCIH Guide?

Dive deeper into exam details, preparation strategies, career impact, and much more with our comprehensive resource:

Ultimate Guide to GCIH – GIAC Certified Incident Handler Certification (5 min read)