Free GCIH Endpoint Attack & Pivoting Practice Test 2026 — GIAC Incident Handler Questions
This free GCIH Endpoint Attack & Pivoting practice test covers endpoint attack and pivoting — lateral movement via RDP/WMI/PsExec, pass-the-hash, pass-the-ticket, Kerberoasting, SMB relay, and pivot tunneling. Each question includes a detailed explanation — perfect for GIAC Certified Incident Handler / SANS SEC504 exam prep.
Key Topics in GCIH Endpoint Attack & Pivoting
- Lateral Movement (RDP/WMI/PsExec)
- Pass-the-Hash
- Pass-the-Ticket
- Kerberoasting
- SMB Relay
- Pivot Tunneling
6 Free GCIH Endpoint Attack & Pivoting Practice Questions with Answers
Sample Question 1 — Endpoint Attack and Pivoting
During an incident response, you discover that an attacker has gained access to a workstation within your network and is attempting to move laterally to other systems. Which of the following PowerShell commands could the attacker use to gather information about other computers in the network to facilitate lateral movement?
- A. Get-NetIPAddress
- B. Get-Process
- C. Get-NetNeighbor
- D. Get-ADComputer -Filter * (Correct answer)
Correct answer: D
Explanation: The 'Get-ADComputer -Filter *' PowerShell command queries Active Directory and returns every computer object in the domain. That listing tells an attacker which other systems exist and what they are called, which is exactly the information needed to plan lateral movement. 'Get-NetIPAddress' retrieves the IP configuration of the local machine, 'Get-Process' lists the processes running on the local machine, and 'Get-NetNeighbor' shows only the local neighbor cache of adjacent network devices; none of these enumerates the domain's computers the way 'Get-ADComputer' does.
Sample Question 2 — Endpoint Attack and Pivoting
During an incident response, an analyst discovers a suspicious process running on an endpoint. What is the most effective initial action to take in order to understand the process's activity?
- A. Immediately terminate the process to prevent further damage.
- B. Use a tool like Process Explorer to gather detailed information about the process. (Correct answer)
- C. Capture network traffic using Wireshark to analyze communication patterns.
- D. Run a full antivirus scan on the endpoint.
Correct answer: B
Explanation: The best first step is to use a tool like Process Explorer to gather detailed information about the process, such as its parent process, associated network connections, and loaded modules. This information can help determine if the process is malicious and guide further investigation. Terminating the process immediately (A) could destroy evidence. Capturing network traffic (C) is useful but not the first step. Running a full antivirus scan (D) is time-consuming and may not provide immediate insights.
Sample Question 3 — Endpoint Attack and Pivoting
An incident handler receives an alert about a potential compromise on a workstation. What is the first step the handler should take to triage the situation effectively?
- A. Disconnect the workstation from the network to prevent data exfiltration.
- B. Check the system's event logs for any unusual activity. (Correct answer)
- C. Perform a memory dump to capture the current state of the system.
- D. Notify senior management about the potential compromise.
Correct answer: B
Explanation: The first step is to check the system's event logs for any unusual activity (B). This can provide immediate insights into what might have triggered the alert, helping to assess the scope and nature of the compromise. Disconnecting the workstation (A) could be necessary later but may disrupt business operations prematurely. Performing a memory dump (C) is useful for forensic analysis but not the first triage step. Notifying senior management (D) is important but comes after initial triage.
Sample Question 4 — Endpoint Attack and Pivoting
An analyst is investigating a compromised endpoint that shows signs of lateral movement. Which tool would be most effective initially to identify other affected systems in the network?
- A. Nmap to scan for open ports and services on the network. (Correct answer)
- B. Sysinternals Suite to check for suspicious processes on the endpoint.
- C. Wireshark to capture and analyze network traffic.
- D. Exiftool to analyze metadata of files on the endpoint.
Correct answer: A
Explanation: Using Nmap (A) to scan for open ports and services is the most effective initial action to identify other potentially affected systems, as it can quickly reveal anomalies or unexpected services running on the network. Sysinternals Suite (B) is more focused on the individual endpoint. Wireshark (C) is useful for detailed traffic analysis but is not the first step for identifying affected systems. Exiftool (D) is used for file metadata analysis and is not relevant to identifying affected systems.
Sample Question 5 — Endpoint Attack and Pivoting
After detecting unusual outbound traffic from an endpoint, what is the first action an incident handler should take to determine if the traffic is malicious?
- A. Block the outbound traffic at the firewall immediately.
- B. Analyze the traffic patterns using Wireshark.
- C. Isolate the endpoint from the network.
- D. Check the endpoint's DNS queries and IP addresses contacted. (Correct answer)
Correct answer: D
Explanation: The first action should be to check the endpoint's DNS queries and IP addresses contacted (D). This can quickly reveal connections to known malicious domains or IPs, helping to determine if the traffic is malicious. Blocking traffic (A) might be necessary but should be based on confirmed malicious activity. Analyzing traffic patterns with Wireshark (B) is useful but more detailed and time-consuming. Isolating the endpoint (C) is a containment step that might disrupt operations and should be done after confirming malicious activity.
Sample Question 6 — Endpoint Attack and Pivoting
An incident handler is tasked with identifying potential data exfiltration from an endpoint. Which method should be prioritized first to detect such activity?
- A. Review recent file access logs on the endpoint.
- B. Monitor outbound network traffic for large data transfers. (Correct answer)
- C. Check for new user accounts created on the endpoint.
- D. Conduct a full disk forensic analysis on the endpoint.
Correct answer: B
Explanation: Monitoring outbound network traffic for large data transfers (B) should be prioritized first, as it directly indicates potential data exfiltration activity. Reviewing recent file access logs (A) could help identify accessed files but does not confirm exfiltration. Checking for new user accounts (C) is useful for detecting unauthorized access but not specifically exfiltration. Conducting a full disk forensic analysis (D) is comprehensive but time-consuming and not the first step in detecting exfiltration.
About the GCIH Exam
- Questions: 106 multiple choice
- Time: 4 hours
- Passing score: 70%
- Provider: GIAC (SANS Institute)
- Aligned with: SANS SEC504
- Total domains: 14