FlashGenius Logo FlashGenius
Login Sign Up

GCIH Practice Questions: Endpoint Attack and Pivoting Domain

Published: August 12, 2025 | 10 min read

Test your GCIH knowledge with 5 practice questions from the Endpoint Attack and Pivoting domain. Includes detailed explanations and answers.

GCIH Practice Questions

Master the Endpoint Attack and Pivoting Domain

Test your knowledge in the Endpoint Attack and Pivoting domain with these 5 practice questions. Each question is designed to help you prepare for the GCIH certification exam with detailed explanations to reinforce your learning.

Question 1

You are tasked with determining if an endpoint has been used as a pivot point in a recent attack. What is the most effective initial action?

A) Examine the endpoint's network connections for unusual external IP addresses.

B) Conduct a full memory dump analysis to detect any hidden processes.

C) Check the endpoint's DNS query logs for suspicious domain requests.

D) Deploy an advanced persistent threat (APT) detection tool on the endpoint.

Show Answer & Explanation

Correct Answer: A

Explanation: Examining the endpoint's network connections for unusual external IP addresses is the most effective initial action, as it can quickly reveal if the endpoint is communicating with suspicious hosts. Conducting a full memory dump analysis (B) is thorough but time-consuming. Checking DNS query logs (C) is useful but may not directly indicate pivoting activity. Deploying an APT detection tool (D) is not an immediate action and may not provide instant results.

Question 2

Following an endpoint compromise, what is the most effective first step to secure the network and prevent further intrusion?

A) Update all endpoint security signatures.

B) Implement network-wide multi-factor authentication.

C) Conduct a vulnerability assessment on all endpoints.

D) Isolate the compromised endpoint from the network.

Show Answer & Explanation

Correct Answer: D

Explanation: Isolating the compromised endpoint is the most effective first step to prevent further intrusion. Updating security signatures, implementing multi-factor authentication, and conducting vulnerability assessments are important but should be part of a longer-term strategy following immediate containment.

Question 3

An analyst suspects that malware on an endpoint is communicating with a command and control server. Which method should be used first to confirm this suspicion?

A) Check DNS query logs for suspicious domains.

B) Perform a deep packet inspection on all traffic from the endpoint.

C) Conduct a full malware analysis on the endpoint's files.

D) Use a SIEM to correlate endpoint alerts with network traffic alerts.

Show Answer & Explanation

Correct Answer: A

Explanation: Checking DNS query logs for suspicious domains is a quick and effective way to confirm if an endpoint is communicating with a command and control server. Deep packet inspection and full malware analysis are more detailed and time-consuming. Using a SIEM is useful for correlation but may not immediately confirm communication with a C2 server.

Question 4

An endpoint is exhibiting signs of compromise, and you need to determine if it is being used for lateral movement. What is the most effective initial action?

A) Check the endpoint's login history for unusual activity.

B) Deploy a network intrusion detection system (NIDS) to monitor traffic.

C) Run a vulnerability assessment on the endpoint.

D) Examine the endpoint's ARP cache for suspicious entries.

Show Answer & Explanation

Correct Answer: A

Explanation: Checking the endpoint's login history for unusual activity is the most effective initial action to determine if the endpoint is being used for lateral movement. This can quickly reveal unauthorized access attempts. Deploying a NIDS (B) is useful but not an immediate action. Running a vulnerability assessment (C) is important but not the first step. Examining the ARP cache (D) can be useful but is more specific and may not immediately indicate lateral movement.

Question 5

During an investigation, you find evidence of a potential pivot attack. What is the most effective initial action to take?

A) Quarantine all affected systems.

B) Capture volatile memory from the suspected pivot point.

C) Analyze network segmentation to prevent further pivoting.

D) Review recent user activity logs on the affected systems.

Show Answer & Explanation

Correct Answer: A

Explanation: Quarantining affected systems is the most effective initial action to prevent further spread of the attack. Capturing memory and reviewing logs are important steps but should be done after containment. Analyzing network segmentation is a preventative measure and not an immediate response.

Ready to Accelerate Your GCIH Preparation?

Join thousands of professionals who are advancing their careers through expert certification preparation with FlashGenius.

  • ✅ Unlimited practice questions across all GCIH domains
  • ✅ Full-length exam simulations with real-time scoring
  • ✅ AI-powered performance tracking and weak area identification
  • ✅ Personalized study plans with adaptive learning
  • ✅ Mobile-friendly platform for studying anywhere, anytime
  • ✅ Expert explanations and study resources
Start Free Practice Now

Already have an account? Sign in here

About GCIH Certification

The GCIH certification validates your expertise in endpoint attack and pivoting and other critical domains. Our comprehensive practice questions are carefully crafted to mirror the actual exam experience and help you identify knowledge gaps before test day.

More GCIH Practice Tests

Want the Full Ultimate GCIH Guide?

Dive deeper into exam details, preparation strategies, career impact, and much more with our comprehensive resource:

Ultimate Guide to GCIH – GIAC Certified Incident Handler Certification (5 min read)