Free GCIH Detecting Covert Communications Practice Test 2026 — GIAC Incident Handler Questions

This free GCIH Detecting Covert Communications practice test covers detecting covert communications — DNS/ICMP tunneling, HTTPS command-and-control channels, domain fronting, steganography, and C2 beaconing patterns. Each question includes a detailed explanation — perfect for GIAC Certified Incident Handler / SANS SEC504 exam prep.


6 Free GCIH Detecting Covert Communications Practice Questions with Answers

Sample Question 1 — Detecting Covert Communications

You are investigating a suspected covert communication channel on a compromised server. You notice an unusual amount of traffic on port 443, but the traffic pattern does not match typical HTTPS traffic. You suspect the use of a tool like Netcat for tunneling. Which of the following packet-capture observations would best confirm that Netcat is being used for covert communications over port 443?

  1. A. The output shows a continuous stream of encrypted data packets with a valid SSL handshake.
  2. B. The output shows a series of SYN and ACK packets with no payload data, indicating a port scan.
  3. C. The output displays repeated 'GET' and 'POST' HTTP requests with malformed headers.
  4. D. The output shows a steady stream of unencrypted data with no SSL handshake, indicating a raw data transfer. (Correct answer)

Correct answer: D

Explanation: Option D is correct. Plain Netcat simply relays raw TCP data: once the three-way handshake completes it sends whatever it is given, with no TLS (SSL) handshake, whereas legitimate HTTPS on port 443 always begins with a TLS ClientHello/ServerHello exchange before any application data flows. A capture in which readable, unencrypted data follows the TCP handshake directly is therefore inconsistent with HTTPS and fits a Netcat-style raw relay. Note the limit of this evidence: it proves that the traffic on 443 is not HTTPS, not that the tool is Netcat. Ncat's --ssl option, or an stunnel wrapper in front of Netcat, produces a genuine TLS handshake and looks like option A on the wire, so handshake inspection must be combined with host evidence (the listening process and its command line) before naming the tool. Option A describes legitimate HTTPS traffic, or a covert channel that has been wrapped in TLS. Option B describes a port scan, not a data transfer. Option C, malformed HTTP requests, points to a web application attack or to a C2 tool that mimics HTTP, not to Netcat, which generates no HTTP requests of its own.

Sample Question 2 — Detecting Covert Communications

During an incident response, you suspect that an attacker is using covert channels to exfiltrate data from your network. As a first step, which tool and method should you use to detect unusual outbound communications that might indicate covert channels?

  1. A. Use Wireshark to capture and analyze network traffic for unusual DNS queries. (Correct answer)
  2. B. Deploy Nmap to scan for open ports on all network devices.
  3. C. Utilize Exiftool to analyze metadata in suspicious files.
  4. D. Perform a full packet capture of all network traffic for later analysis.

Correct answer: A

Explanation: Option A is correct because Wireshark is a network protocol analyzer that captures and dissects traffic in real time, and DNS is the right protocol to check first: it is allowed out of almost every network, which makes DNS tunneling one of the most common covert channels. Apply the dns display filter (or udp.port == 53 || tcp.port == 53) and look for query names with long or high-entropy labels, many distinct subdomains under one uncommon domain, and TXT or NULL record types. Option B, while useful for identifying open ports, says nothing about what is leaving the network. Option C focuses on file metadata analysis, which is not relevant to detecting covert network communications. Option D, a full packet capture, is comprehensive and worth starting in parallel if storage allows, but reviewing all of it is not the most efficient first step under time pressure.

Sample Question 3 — Detecting Covert Communications

During a routine network traffic analysis, you suspect that some communications are being hidden using DNS tunneling. What is the most effective initial action to confirm this suspicion?

  1. A. Capture traffic on port 53 and analyze it for unusual patterns. (Correct answer)
  2. B. Deploy a full packet capture on all network interfaces.
  3. C. Use Nmap to scan for open ports on the suspected host.
  4. D. Install Exiftool to analyze file metadata for hidden communications.

Correct answer: A

Explanation: The most effective initial action is to capture the traffic on port 53 (UDP and TCP, since large tunnel payloads fall back to TCP) and analyze it for patterns that ordinary name resolution does not produce: query names with very long or high-entropy labels (hex or base64 chunks of data), many distinct subdomains under one uncommon domain, heavy use of TXT, NULL, CNAME or MX records, oversized responses, and a steady query rate from one host even while it is idle. A filter such as tcpdump -n port 53, or the Wireshark dns display filter, isolates the traffic. Capture where the queries actually leave the network: clients normally talk to an internal resolver, so the tunnel's outbound queries are visible only at that resolver's egress and carry the resolver's source address; the resolver's own query log is what ties them back to the client. Two caveats: a tunnel that uses DNS over HTTPS (port 443) or a non-standard port will not appear in a port 53 capture, and a single odd-looking name is not proof, because some CDN and antivirus lookups legitimately generate long, random-looking labels; volume and persistence under one domain are the stronger signal. Options B, C, and D are less targeted or not relevant for DNS tunneling detection at this stage.
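
The port-53 review in Questions 2 and 3 can be turned into a scoring pass over the query names. The Python below is an added example written for this page; it is not SANS/GIAC material and not code from any tunneling or detection tool. The query records are constructed, the thresholds (a name longer than 100 characters, a label longer than 40, more than four labels, subdomain entropy above 3.5 bits, TXT or NULL types) are illustrative assumptions, and the registered-domain helper simply takes the last two labels, which is wrong for names under suffixes such as co.uk.

```python
import math
from collections import defaultdict

# Constructed (client_ip, qtype, qname) records, the shape you get by exporting
# the dns.qry.name and dns.qry.type columns from Wireshark. Not real traffic.
HEX_A = "3f9a1c7e2b8d4f6a0e5c1b3d7f9a2c4e6b8d0f1a2c3e4b5d"   # 48-char hex chunks
HEX_B = "9c2e1b8d4a6f0e5c1d9b3a7f2e8c4d6a1b9f3c7e5d2a8f1c"
HEX_C = "a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718"
HEX_D = "0e5c1d9b3a7f2e8c4d6a1b9f3c7e2d5a8f1c3e6b9d2a4f7c"

SAMPLE_QUERIES = [
    ("10.0.0.5", "A", "www.example.com"),
    ("10.0.0.5", "A", "mail.example.com"),
    ("10.0.0.5", "AAAA", "cdn.example.net"),
    ("10.0.0.5", "A", "a1.static.example.net"),
    ("10.0.0.9", "A", "update.example.org"),
    # One client chunking data into hex labels under a single domain,
    # the shape DNS tunnelling produces.
    ("10.0.0.7", "TXT", f"{HEX_A}.{HEX_B}.t1.tun.example"),
    ("10.0.0.7", "TXT", f"{HEX_B}.{HEX_C}.t2.tun.example"),
    ("10.0.0.7", "NULL", f"{HEX_C}.{HEX_D}.t3.tun.example"),
    ("10.0.0.7", "TXT", f"{HEX_D}.{HEX_A}.t4.tun.example"),
]


def shannon_entropy(s):
    """Bits per character: English words sit around 2-3, hex/base64 data near 4-6."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels. Assumption for the demo: no public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def score_query(qtype, qname, max_name=100, max_label=40, max_labels=4, max_entropy=3.5):
    """Score one query against the tunnelling indicators; higher is more suspicious."""
    labels = qname.rstrip(".").split(".")
    subdomain = "".join(labels[:-2])          # the part the client controls
    score, reasons = 0, []
    if len(qname) > max_name:                 # whole name near the 253-byte limit
        score += 2
        reasons.append("long name (%d chars)" % len(qname))
    if max(len(lab) for lab in labels) > max_label:   # label near the 63-byte limit
        score += 2
        reasons.append("long label")
    if len(labels) > max_labels:
        score += 1
        reasons.append("%d labels" % len(labels))
    h = shannon_entropy(subdomain)
    if h > max_entropy:
        score += 2
        reasons.append("high-entropy subdomain (%.2f bits)" % h)
    if qtype.upper() in ("TXT", "NULL"):      # record types that carry arbitrary data
        score += 1
        reasons.append("%s record" % qtype)
    return score, reasons


def analyze(queries, flag_at=4):
    """Aggregate per registered domain: total queries, flagged queries, distinct names."""
    report = defaultdict(lambda: {"queries": 0, "suspicious": 0, "names": set(), "reasons": set()})
    for _client, qtype, qname in queries:
        entry = report[registered_domain(qname)]
        entry["queries"] += 1
        entry["names"].add(qname)
        score, reasons = score_query(qtype, qname)
        if score >= flag_at:
            entry["suspicious"] += 1
            entry["reasons"].update(reasons)
    return {d: {"queries": e["queries"], "suspicious": e["suspicious"],
                "unique_names": len(e["names"]), "reasons": sorted(e["reasons"])}
            for d, e in report.items()}


def suspicious_domains(queries, min_hits=2):
    """Domains with at least min_hits flagged queries: one odd name is noise, a stream is a channel."""
    return sorted(d for d, e in analyze(queries).items() if e["suspicious"] >= min_hits)


if __name__ == "__main__":
    for domain, entry in analyze(SAMPLE_QUERIES).items():
        print(domain, entry)
    print("suspicious:", suspicious_domains(SAMPLE_QUERIES))
```

The per-domain aggregation is the important design choice: scoring individual queries is noisy, but a domain that accumulates many flagged, all-distinct names from one client is the volume-and-persistence signal the explanation above describes.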

Sample Question 4 — Detecting Covert Communications

An incident handler suspects that a compromised host is using HTTP requests to exfiltrate data covertly. What is the best first step to take in order to detect this activity?

  1. A. Review web server logs for large POST requests or unusual URL patterns. (Correct answer)
  2. B. Perform a full disk forensic analysis on the suspected host.
  3. C. Use Exiftool to check for hidden data in images on the host.
  4. D. Run a vulnerability scan to identify weaknesses in the web server.

Correct answer: A

Explanation: Reviewing web server logs for large POST requests or unusual URL patterns is the best first step because it uses data that is already collected and can be searched in minutes. An upload of stolen data shows up as repeated POSTs with large request bodies, as requests whose URLs carry long encoded blobs (base64-looking path segments or query values), and often as requests to the same URI at a fixed interval, the beaconing pattern of a C2 channel. Two practical points. First, check what the log actually records: the default combined format of Apache and nginx logs the response size (%b, $body_bytes_sent), not the request size, so large uploads are invisible unless the format also logs the request length (nginx $request_length, Apache %I from mod_logio or the %{Content-Length}i request header). Second, if the compromised host is a client rather than the web server itself, the equivalent evidence lives in the outbound web proxy or egress logs, not in your own server's access log. Options B, C, and D are more time-consuming or not directly related to detecting HTTP-based covert communications.
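
The log review described above, as an added example written for this page (not SANS/GIAC material and not code from any web server or proxy). The log lines are constructed and assume a combined format with the request size appended as a final field, as nginx's $request_length would give; the 1 MB POST threshold, the 40-character blob length, the four-request minimum and the 10 % jitter tolerance for beaconing are illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed access-log lines: combined format plus a trailing request-length
# field (nginx $request_length). Default combined logs record only the RESPONSE
# size, so a large upload would not show at all without that field. Not real traffic.
LOG_LINES = [
    '10.0.0.5 - - [10/Mar/2026:13:55:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 412',
    '10.0.0.5 - - [10/Mar/2026:13:55:09 +0000] "GET /css/site.css HTTP/1.1" 200 2310 "http://intranet.example/" "Mozilla/5.0" 389',
    '10.0.0.7 - - [10/Mar/2026:13:55:36 +0000] "POST /images/logo.png?v=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5 HTTP/1.1" 200 93 "-" "Mozilla/5.0" 1572864',
    '10.0.0.5 - - [10/Mar/2026:13:56:20 +0000] "POST /login HTTP/1.1" 302 0 "http://intranet.example/login" "Mozilla/5.0" 611',
    '10.0.0.7 - - [10/Mar/2026:13:56:36 +0000] "POST /images/logo.png?v=MDEyMzQ1Njc4OUFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFla HTTP/1.1" 200 93 "-" "Mozilla/5.0" 1572864',
    '10.0.0.7 - - [10/Mar/2026:13:57:36 +0000] "POST /images/logo.png?v=YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5 HTTP/1.1" 200 93 "-" "Mozilla/5.0" 1572864',
    '10.0.0.5 - - [10/Mar/2026:13:57:50 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 412',
    '10.0.0.7 - - [10/Mar/2026:13:58:36 +0000] "POST /images/logo.png?v=Tm90IHJlYWwgZGF0YSwganVzdCBhIHNhbXBsZSBzdHJpbmc= HTTP/1.1" 200 93 "-" "Mozilla/5.0" 1572864',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<resp>\d+|-) "[^"]*" "[^"]*" (?P<reqlen>\d+)$'
)
BLOB_RE = re.compile(r"[A-Za-z0-9+/=_-]{40,}")   # base64 / base64url-looking run


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the assumed format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"], "url": m["url"], "status": int(m["status"]),
            "reqlen": int(m["reqlen"])}


def unusual_url(url, max_len=512):
    """Flag over-long URLs and any path segment or raw query value that looks like
    an encoded blob, the usual way data rides along in a URL."""
    if len(url) > max_len:
        return True
    parts = urlsplit(url)
    values = [kv.partition("=")[2] for kv in parts.query.split("&")]
    return any(BLOB_RE.fullmatch(c) for c in parts.path.split("/") + values)


def analyze_log(lines, post_threshold=1_000_000, min_count=4, max_cv=0.1):
    """Return large POSTs, odd URLs and regular-interval (beaconing) request series."""
    records = [r for r in map(parse_line, lines) if r]
    large_posts = [(r["ip"], r["url"], r["reqlen"]) for r in records
                   if r["method"] == "POST" and r["reqlen"] > post_threshold]
    odd_urls = [(r["ip"], r["url"]) for r in records if unusual_url(r["url"])]
    # Beaconing: the same client hitting the same path at near-constant intervals.
    by_target = defaultdict(list)
    for r in records:
        by_target[(r["ip"], urlsplit(r["url"]).path)].append(r["ts"])
    beacons = []
    for (ip, path), times in by_target.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        if mu > 0 and pstdev(gaps) / mu <= max_cv:   # low coefficient of variation
            beacons.append((ip, path, len(times), mu))
    return {"large_posts": large_posts, "odd_urls": odd_urls, "beacons": beacons}


if __name__ == "__main__":
    for name, hits in analyze_log(LOG_LINES).items():
        print(name, hits)
```

The beacon check uses a tolerance rather than exact equality because real implants add jitter to their sleep interval; tighten or loosen max_cv to match what you see in the environment, and expect false positives from legitimate pollers such as monitoring agents.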

Sample Question 5 — Detecting Covert Communications

You are tasked with identifying covert channels in network traffic. Which tool would be the most practical to start with for detecting anomalies in traffic patterns?

  1. A. Wireshark (Correct answer)
  2. B. Exiftool
  3. C. Metasploit
  4. D. Burp Suite

Correct answer: A

Explanation: Wireshark is the most practical tool to start with for analyzing network traffic and detecting anomalies in traffic patterns. It allows detailed inspection of individual packets, and its display filters and conversation statistics make unusual traffic that might indicate a covert channel stand out. Exiftool reads file metadata (useful later if steganography in image files is suspected, but it sees no traffic), Metasploit is an exploitation framework, and Burp Suite is primarily for web application security testing.

Sample Question 6 — Detecting Covert Communications

During an incident response, you suspect that a host is using ICMP packets for covert communication. What is the first step you should take to verify this?

  1. A. Analyze ICMP traffic for unusual payload sizes or patterns. (Correct answer)
  2. B. Block all ICMP traffic at the firewall.
  3. C. Conduct a full vulnerability assessment of the host.
  4. D. Use Exiftool to examine file metadata on the host.

Correct answer: A

Explanation: Analyzing ICMP traffic for unusual payload sizes or patterns is the first step because it verifies the suspicion without disrupting anything. Normal echo traffic is predictable: Linux ping sends a 56-byte payload (an 8-byte timestamp followed by bytes whose values count up from 0x08), Windows ping sends the fixed 32-byte string abcdefghijklmnopqrstuvwabcdefghi, and every reply carries back exactly the payload of its request. ICMP tunnels and shells break these rules: payloads of odd sizes, readable text or high-entropy data instead of the stock pattern, replies whose payload differs from the matching request (the responder is inserting data), unusual type and code combinations, and sustained echo traffic from a host that has no reason to ping. A capture with tcpdump -n icmp, or a Wireshark icmp display filter, is enough to see all of this. Blocking all ICMP traffic (option B) is both premature, since it destroys the evidence, and risky, because ICMP carries path MTU discovery and other error signalling; if containment is needed, rate-limit ICMP or permit only the required types. Options C and D are not directly related to detecting ICMP-based covert communications.
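
The payload checks described above, as an added example written for this page (not SANS/GIAC material and not code from ping or any tunneling tool). It parses ICMP echo messages with the IP header already stripped, verifies the RFC 1071 checksum, compares each payload with the stock Linux and Windows ping patterns, and pairs replies with requests by identifier and sequence number. The packets are constructed inline; the 32- and 56-byte "stock" sizes are the defaults named above and would need adjusting for hosts that run ping with a custom size.

```python
import struct

WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # what Windows ping sends (32 bytes)
STOCK_SIZES = (32, 56)                                  # Windows and Linux default payload sizes


def icmp_checksum(data):
    """RFC 1071 one's-complement sum over header + payload (checksum field zeroed)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type, ident, seq, payload):
    """Assemble an echo request (type 8) or reply (type 0) with a correct checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(pkt):
    """Split an ICMP message (IP header already removed) into fields and verify its checksum."""
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": pkt[8:],
            "checksum_ok": icmp_checksum(pkt[:2] + b"\x00\x00" + pkt[4:]) == csum}


def looks_like_stock_ping(payload):
    """True for the payloads stock ping tools send: Windows uses the fixed alphabet
    string above; Linux iputils sends an 8-byte timestamp followed by bytes whose
    value equals their own offset (0x08, 0x09, ... wrapping at 0xff)."""
    if payload == WINDOWS_PAYLOAD:
        return True
    return len(payload) >= 16 and payload[8:] == bytes(i & 0xFF for i in range(8, len(payload)))


def analyze_icmp(packets):
    """Return one finding per echo packet that deviates from normal ping behaviour."""
    findings, requests = [], {}
    for raw in packets:
        p = parse_echo(raw)
        reasons = []
        if not p["checksum_ok"]:
            reasons.append("bad checksum")
        if len(p["payload"]) not in STOCK_SIZES:
            reasons.append("unusual payload size %d" % len(p["payload"]))
        if not looks_like_stock_ping(p["payload"]):
            reasons.append("payload is not a stock ping pattern")
        key = (p["id"], p["seq"])
        if p["type"] == 8:
            requests[key] = p["payload"]
        elif p["type"] == 0 and key in requests and requests[key] != p["payload"]:
            reasons.append("reply payload differs from request: responder inserted data")
        if reasons:
            findings.append({"type": p["type"], "id": p["id"], "seq": p["seq"], "reasons": reasons})
    return findings


# Constructed packets: two normal request/reply pairs, an ICMP-shell style exchange
# carrying a command and its output, then an oversized blob. Not real traffic.
LINUX_DATA = b"\x00" * 8 + bytes(range(8, 56))       # zeroed timestamp + offset pattern
SAMPLE_PACKETS = [
    build_echo(8, 0x1234, 1, LINUX_DATA),
    build_echo(0, 0x1234, 1, LINUX_DATA),
    build_echo(8, 0x0001, 9, WINDOWS_PAYLOAD),
    build_echo(0, 0x0001, 9, WINDOWS_PAYLOAD),
    build_echo(8, 0x4242, 7, b"id;uname -a"),
    build_echo(0, 0x4242, 7, b"uid=0(root) gid=0(root)\nLinux srv01 5.15.0"),
    build_echo(8, 0x4242, 8, bytes((i * 37) & 0xFF for i in range(1280))),
]

if __name__ == "__main__":
    for finding in analyze_icmp(SAMPLE_PACKETS):
        print(finding)
```

The request/reply pairing is the check worth keeping even if the size heuristics are tuned away: a reply that does not echo its request byte for byte is never produced by a normal IP stack, so it points directly at a responder that is writing data into the channel.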
