Free GCIH Post-Exploitation Attacks Practice Test 2026 — GIAC Incident Handler Questions

This free GCIH Post-Exploitation Attacks practice test covers post-exploitation attacks — privilege escalation, persistence mechanisms, Mimikatz credential dumping, data exfiltration, defense evasion, and C2 maintenance. Each question includes a detailed explanation — perfect for GIAC Certified Incident Handler / SANS SEC504 exam prep.

6 Free GCIH Post-Exploitation Attacks Practice Questions with Answers

Sample Question 1 — Post-Exploitation Attacks

During a post-exploitation phase, an attacker has established persistence on a compromised system using a scheduled task that executes a PowerShell script every hour. As an incident handler, which of the following command-line tools would be most effective to detect this persistence mechanism?

  A. tasklist
  B. schtasks (Correct answer)
  C. netstat
  D. ipconfig

Correct answer: B

Explanation: The 'schtasks' command manages scheduled tasks on Windows systems: it can list, create, delete, or modify them. In this scenario, running 'schtasks' to enumerate the configured tasks would let an incident handler spot a suspicious task, such as one that launches a PowerShell script every hour for persistence. 'tasklist' shows running processes, 'netstat' shows network connections, and 'ipconfig' shows network interface configuration; none of them enumerates scheduled tasks.

Sample Question 2 — Post-Exploitation Attacks

An incident response team is investigating suspected data exfiltration from a compromised server. They discover a suspicious process using DNS queries to communicate with an external server. Which tool would best help the team analyze DNS traffic to confirm data exfiltration activity?

  A. Wireshark (Correct answer)
  B. Nmap
  C. Metasploit
  D. Volatility

Correct answer: A

Explanation: Wireshark is a network protocol analyzer that captures and dissects traffic, including DNS queries and responses. It would allow the incident response team to inspect the DNS traffic for signs of exfiltration, such as a large volume of queries for long, high-entropy subdomains that carry encoded data. Nmap is a network scanner, Metasploit is an exploitation framework, and Volatility is a memory forensics tool; none of them is designed for analyzing captured DNS traffic.

Sample Question 3 — Post-Exploitation Attacks

During a post-exploitation investigation, an incident handler finds evidence of lateral movement within a network. The attacker seems to have used stolen credentials to access multiple systems. What is the first step the incident handler should take to contain the threat?

  A. Conduct a full network scan using Nmap to identify all compromised systems.
  B. Immediately change the passwords of all affected user accounts.
  C. Isolate the compromised systems from the network to prevent further spread. (Correct answer)
  D. Use Wireshark to capture live traffic for further analysis.

Correct answer: C

Explanation: The first priority in a post-exploitation scenario, especially when there is evidence of lateral movement, is containment: stopping the attacker from causing further damage. Isolating the compromised systems from the network (option C) is the most effective initial action because it cuts off the attacker's ability to reach other systems. Changing passwords (option B) should follow containment so that the stolen credentials cannot be used to regain access. A full network scan (option A) and live traffic capture (option D) are valuable for analysis but are not containment actions.

Sample Question 4 — Post-Exploitation Attacks

During a post-exploitation phase, an incident handler discovers that an attacker has established a persistent backdoor on a compromised server. Which of the following is the best first step to take?

  A. Immediately shut down the server to prevent further data exfiltration.
  B. Isolate the server from the network to prevent further access. (Correct answer)
  C. Conduct a full forensic disk image of the server.
  D. Analyze the backdoor's code to understand its functionality.

Correct answer: B

Explanation: The best first step is to isolate the server from the network (Option B). This prevents the attacker from using the backdoor to maintain access or cause further damage, while keeping the system running so its current state, including volatile memory, is preserved for analysis. Shutting down the server (Option A) could disrupt business operations and would destroy volatile evidence such as running processes and network connections. A full forensic disk image (Option C) is important but should be taken after isolation so that no further changes occur during acquisition. Analyzing the backdoor's code (Option D) helps in understanding the attack but is not the immediate priority.

Sample Question 5 — Post-Exploitation Attacks

An incident handler is reviewing network traffic logs and notices an unusual amount of outbound traffic from a critical server. What is the most effective initial action to take?

  A. Use Wireshark to capture and analyze the live traffic from the server. (Correct answer)
  B. Perform a vulnerability scan on the server using Nmap.
  C. Check the server's running processes for anomalies.
  D. Review the firewall rules to block outbound traffic from the server.

Correct answer: A

Explanation: The most effective initial action is to capture and analyze the live traffic with Wireshark (Option A). This identifies what the outbound traffic is, where it is going, and whether it is malicious. A vulnerability scan (Option B) may be useful later but does not address the traffic that is occurring now. Checking running processes (Option C) is a reasonable step but is less immediately informative than observing the traffic itself. Changing firewall rules (Option D) could disrupt legitimate traffic and should be done with caution once the situation is understood.

Sample Question 6 — Post-Exploitation Attacks

An analyst discovers that an attacker has used a compromised account to escalate privileges within a network. What should be the first priority in responding to this incident?

  A. Reset the password of the compromised account.
  B. Revoke the compromised account's access and privileges. (Correct answer)
  C. Notify the affected user and IT department about the breach.
  D. Conduct a full audit of all privileged accounts.

Correct answer: B

Explanation: The first priority is to revoke the compromised account's access and privileges (Option B), which immediately prevents further unauthorized actions, including any already-active sessions the attacker holds. Resetting the password (Option A) is important but should follow revocation so the account cannot be used in the meantime. Notifying the user and IT department (Option C) is necessary but secondary to stopping the attack. A full audit of privileged accounts (Option D) is good practice but is not an immediate response action.
