What does the GCIH Detecting Evasive Techniques domain cover?

GCIH Detecting Evasive Techniques covers detecting evasive techniques — AV/EDR evasion, code obfuscation, fileless malware, LOLBins, process hollowing, and anti-forensics. Expect scenario-based questions on AV / EDR Evasion, Code Obfuscation, Fileless Malware, Living Off the Land Binaries (LOLBins), Process Hollowing, Anti-Forensics.

How many Detecting Evasive Techniques practice questions are on this page?

This free practice set includes 6 GCIH Detecting Evasive Techniques questions with detailed explanations. Premium members get unlimited access to the full GCIH question bank with 590+ questions across all 14 GIAC domains.

Free GCIH Detecting Evasive Techniques Practice Test 2026 — GIAC Incident Handler Questions

Q: Is this GCIH Detecting Evasive Techniques practice test free?

Yes. The practice test is completely free with no signup required. Instant scoring and detailed explanations on every question.

This free GCIH Detecting Evasive Techniques practice test covers detecting evasive techniques — AV/EDR evasion, code obfuscation, fileless malware, LOLBins, process hollowing, and anti-forensics. Each question includes a detailed explanation — perfect for GIAC Certified Incident Handler / SANS SEC504 exam prep.

Key Topics in GCIH Detecting Evasive Techniques

AV / EDR Evasion
Code Obfuscation
Fileless Malware
Living Off the Land Binaries (LOLBins)
Process Hollowing
Anti-Forensics

6 Free GCIH Detecting Evasive Techniques Practice Questions with Answers

Sample Question 1 — Detecting Evasive Techniques

During an incident investigation, you suspect that an attacker has used a rootkit to hide their presence on a compromised server. Which of the following tools would be most effective in detecting a rootkit that manipulates kernel-level processes?

A. Wireshark
B. Volatility (Correct answer)
C. Metasploit
D. Nmap

Correct answer: B

Explanation: Volatility is a memory forensics tool that can be used to analyze memory dumps and detect rootkits that operate at the kernel level by examining the memory structures that these rootkits manipulate. Wireshark is used for network traffic analysis, Metasploit is a penetration testing framework, and Nmap is used for network scanning, none of which are specifically designed for detecting rootkits in memory.

Sample Question 2 — Detecting Evasive Techniques

An attacker has compromised a web server and is using timestomping to alter the timestamps of files to evade detection. Which of the following log analysis techniques would help you identify this suspicious activity?

A. Comparing file creation timestamps with last accessed timestamps (Correct answer)
B. Analyzing network traffic for unusual outbound connections
C. Scanning for unauthorized open ports
D. Reviewing user access logs for failed login attempts

Correct answer: A

Explanation: Timestomping involves altering file timestamps to evade detection. By comparing file creation timestamps with last accessed timestamps, you can identify discrepancies that indicate timestomping. Analyzing network traffic, scanning for open ports, and reviewing user access logs do not specifically address the detection of altered file timestamps.

Sample Question 3 — Detecting Evasive Techniques

During an incident response, you suspect that an attacker is using DNS tunneling to exfiltrate data. As an incident handler, what is the most effective initial action to confirm this suspicion?

A. Use Wireshark to capture and analyze DNS traffic for unusual patterns. (Correct answer)
B. Deploy an Intrusion Detection System (IDS) to monitor all network traffic.
C. Conduct a full forensic analysis of all affected systems.
D. Initiate a complete network scan using Nmap to identify open ports.

Correct answer: A

Explanation: The most effective initial action is to use Wireshark to capture and analyze DNS traffic for unusual patterns (Option A). DNS tunneling often involves unusual DNS request patterns, such as a high frequency of requests or unusually long domain names. Wireshark can quickly help identify these anomalies in DNS traffic, making it a practical first step. Deploying an IDS (Option B) is useful for ongoing monitoring but is not as immediate as using Wireshark for a quick analysis. Conducting a full forensic analysis (Option C) and initiating a complete network scan (Option D) are more time-consuming and not immediately targeted towards confirming DNS tunneling.

Sample Question 4 — Detecting Evasive Techniques

During an incident involving suspected data exfiltration, you notice encrypted traffic on a non-standard port. What is the most effective initial action to take to determine if this traffic is malicious?

A. Use Wireshark to capture and inspect the traffic for known malicious signatures. (Correct answer)
B. Immediately block the port on the firewall to prevent further data exfiltration.
C. Perform a DNS analysis to see if the traffic is related to known malicious domains.
D. Conduct a full packet capture and analyze the payload for anomalies.

Correct answer: A

Explanation: Using Wireshark to capture and inspect the traffic is the most effective initial action because it allows you to quickly identify patterns and signatures that may indicate malicious activity. Blocking the port without understanding the traffic could disrupt legitimate services. DNS analysis and full packet capture are valid steps but may take longer and are not immediately focused on identifying the traffic's nature.

Sample Question 5 — Detecting Evasive Techniques

An alert indicates potential use of steganography to hide data within image files. What is the best first step to confirm the presence of hidden data?

A. Use Exiftool to check the image metadata for anomalies. (Correct answer)
B. Perform a bit-level analysis of the image files.
C. Run a hash comparison against known clean versions of the images.
D. Use a steganalysis tool to scan the images for hidden content.

Correct answer: A

Explanation: Using Exiftool to check the image metadata is a quick and efficient first step to look for anomalies or suspicious information that could indicate steganography. Bit-level analysis and steganalysis tools are more in-depth and time-consuming, while hash comparison requires known clean versions, which may not be available.

Sample Question 6 — Detecting Evasive Techniques

You suspect an attacker is using a rootkit to hide their presence on a compromised server. What is the most effective initial step to detect the rootkit?

A. Run a system integrity check using a tool like Tripwire. (Correct answer)
B. Perform a kernel memory dump and analyze it with forensic tools.
C. Use a live CD to boot the system and scan for rootkits.
D. Check running processes and services for anomalies.

Correct answer: A

Explanation: Running a system integrity check with a tool like Tripwire is the most effective initial step as it can quickly identify unauthorized changes to critical system files, which is a common method rootkits use to hide. A kernel memory dump and live CD boot are more complex and time-consuming, while checking processes may not reveal hidden rootkits.

About the GCIH Exam

Questions: 106 multiple choice
Time: 4 hours
Passing score: 70%
Provider: GIAC (SANS Institute)
Aligned with: SANS SEC504
Total domains: 14

Other GCIH Practice Domains

Start the free GCIH Detecting Evasive Techniques practice test now | 10-question quick start | All GCIH domains