Free GCIH Drive-By Attacks Practice Test 2026 — GIAC Incident Handler Questions
This free GCIH Drive-By Attacks practice test covers drive-by attacks — malicious websites, browser exploits, watering hole attacks, malvertising, drive-by downloads, and exploit kits. Each question includes a detailed explanation — perfect for GIAC Certified Incident Handler / SANS SEC504 exam prep.
Key Topics in GCIH Drive-By Attacks
- Malicious Websites
- Browser Exploits
- Watering Hole Attacks
- Malvertising
- Drive-By Downloads
- Exploit Kits
6 Free GCIH Drive-By Attacks Practice Questions with Answers
Sample Question 1 — Drive-By Attacks
During an incident response investigation, you discover that several users within your organization were compromised through a drive-by attack. The attack leveraged a known vulnerability in a popular web browser, which was exploited using an exploit kit. What is the most effective immediate action to prevent further exploitation of this vulnerability?
- A. Instruct users to avoid using the affected browser until a patch is released.
- B. Deploy a firewall rule to block traffic to the exploit kit's known IP addresses.
- C. Apply the latest security patches to all instances of the affected web browser across the organization. (Correct answer)
- D. Implement network segmentation to isolate compromised systems.
Correct answer: C
Explanation: Applying the latest security patches to the affected web browser is the most effective immediate action to prevent further exploitation. This directly addresses the root cause by fixing the vulnerability that the exploit kit targets. While instructing users to avoid the browser (A) or blocking known IPs (B) can help, they are not comprehensive solutions. Network segmentation (D) is useful for containment but does not address the vulnerability itself.
Sample Question 2 — Drive-By Attacks
You are analyzing network traffic logs as part of an investigation into a suspected drive-by attack. You notice unusual outbound traffic to a suspicious domain shortly after users visited a compromised website. Which tool and method would you use to further analyze this traffic and confirm if it is related to a drive-by attack?
- A. Use Metasploit to simulate the attack and identify the payload.
- B. Deploy Wireshark to capture and analyze the network packets for signs of malicious payload delivery. (Correct answer)
- C. Utilize Netcat to establish a connection to the suspicious domain for further investigation.
- D. Run a vulnerability scan using Nmap to identify open ports on the suspicious domain.
Correct answer: B
Explanation: Wireshark is the appropriate tool for capturing and analyzing network packets to detect signs of malicious payload delivery associated with a drive-by attack. It allows you to inspect the traffic in detail and confirm whether the outbound traffic is related to the attack. Metasploit (A) is not used for traffic analysis. Netcat (C) could be used for testing connectivity but not for detailed analysis. Nmap (D) is used for scanning and mapping, not for analyzing traffic.
Sample Question 3 — Drive-By Attacks
An organization suspects a drive-by download attack after users report unusual browser behavior. What is the most effective initial action an incident handler should take to confirm the attack?
- A. Run a full antivirus scan on affected systems.
- B. Check web server logs for unusual activity.
- C. Capture network traffic using Wireshark for analysis.
- D. Inspect browser history and cache for suspicious URLs. (Correct answer)
Correct answer: D
Explanation: Inspecting the browser history and cache for suspicious URLs is the most effective initial action because it directly targets the user's interaction with potentially malicious sites. This step can quickly confirm whether users have visited known malicious URLs associated with drive-by attacks. While capturing network traffic with Wireshark (option C) is useful, it is more time-consuming and complex than directly checking browser history. Running a full antivirus scan (option A) is important but may not immediately reveal the source of the attack. Checking web server logs (option B) is more relevant to server-side attacks than to client-side drive-by downloads.
Sample Question 4 — Drive-By Attacks
During a drive-by attack investigation, an incident handler needs to determine if a malicious script was executed. Which tool should they use first to analyze the script's behavior?
- A. Nmap
- B. Wireshark
- C. JavaScript deobfuscator (Correct answer)
- D. Exiftool
Correct answer: C
Explanation: A JavaScript deobfuscator is the best tool for analyzing malicious scripts, especially those that are obfuscated, which is common in drive-by attacks. This tool can help the incident handler understand the script's behavior and intentions. Wireshark (option B) is used for network traffic analysis and would not directly analyze scripts. Nmap (option A) is a network scanning tool and is not suitable for script analysis. Exiftool (option D) is used for metadata analysis and is irrelevant in this context.
Sample Question 5 — Drive-By Attacks
After identifying a suspicious URL linked to a drive-by attack, what is the first step an incident handler should take to protect the network?
- A. Block the URL at the firewall. (Correct answer)
- B. Update all antivirus signatures.
- C. Perform a full network scan using Nmap.
- D. Alert all users to avoid the URL.
Correct answer: A
Explanation: Blocking the URL at the firewall is the immediate action that helps prevent further access to the malicious site, thus protecting the network from additional infections. Updating antivirus signatures (option B) is important but does not immediately stop access to the site. Performing a full network scan using Nmap (option C) is not a direct protective measure against accessing a malicious URL. Alerting users (option D) is also important but not as immediate or effective as blocking the URL.
Sample Question 6 — Drive-By Attacks
Which of the following is the best initial step in the triage process when responding to a drive-by attack?
- A. Identify all potentially affected systems. (Correct answer)
- B. Conduct a forensic analysis of the affected systems.
- C. Isolate the affected systems from the network.
- D. Notify law enforcement authorities.
Correct answer: A
Explanation: Identifying all potentially affected systems is the best initial step in the triage process. This allows the incident handler to scope the extent of the attack and prioritize response efforts. Isolating affected systems (option C) is important but should follow identification to ensure all affected systems are addressed. Conducting a forensic analysis (option B) is necessary but typically occurs after initial triage. Notifying law enforcement (option D) may be required later, depending on the severity and legal obligations, but is not an immediate triage step.
About the GCIH Exam
- Questions: 106 multiple choice
- Time: 4 hours
- Passing score: 70%
- Provider: GIAC (SANS Institute)
- Aligned with: SANS SEC504
- Total domains: 14