This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.
GCIH
The GCIH course teaches incident handlers to detect, analyze, and respond to modern cyber threats, covering the incident handling process, reconnaissance and scanning, exploitation, password attacks, and network and web application attacks.
Who Should Take This
Security analysts, SOC engineers, and junior incident responders with two to four years of hands‑on experience benefit most. They seek to validate their ability to apply the incident handling lifecycle, recognize reconnaissance and exploitation patterns, and execute effective containment and remediation. The certification demonstrates mastery of intermediate‑level threat detection and response.
What's Covered
- Domain 1: Incident Handling Process
- Domain 2: Reconnaissance and Scanning
- Domain 3: Exploitation and Attack Techniques
- Domain 4: Password Attacks
- Domain 5: Network and Web Application Attacks
- Domain 6: Post-Exploitation and Lateral Movement
- Domain 7: Incident Response and Recovery
What's Included in AccelaStudy® AI
Course Outline
60 learning goals
Domain 1: Incident Handling Process (2 topics)
Incident Handling Methodology
- Describe the six-step SANS incident handling process including preparation, identification, containment, eradication, recovery, and lessons learned and identify key activities in each phase.
- Apply incident identification techniques using network monitoring, log analysis, and endpoint detection tools to determine whether an event constitutes a security incident.
- Describe incident severity classification schemes and apply triage criteria to prioritize incidents based on impact scope, data sensitivity, and business criticality.
Preparation and Communication
- Describe the components of an incident response plan including roles and responsibilities, communication procedures, escalation paths, and external notification requirements.
- Apply incident communication procedures including internal notification chains, external stakeholder updates, legal counsel engagement, and regulatory reporting obligations.
- Describe incident response team composition including handler, lead, communications officer, and technical specialist roles and their coordination during active incidents.
Domain 2: Reconnaissance and Scanning (3 topics)
Passive and Active Reconnaissance
- Describe passive reconnaissance techniques including OSINT gathering, DNS enumeration, WHOIS lookups, certificate transparency log analysis, and social media profiling.
- Apply active scanning techniques using Nmap including host discovery, port scanning, service version detection, OS fingerprinting, and NSE script execution.
- Analyze scan results to identify exposed services, vulnerable software versions, and misconfigured hosts that represent attack surfaces for exploitation.
Vulnerability Discovery
- Apply vulnerability scanning using tools such as Nessus or OpenVAS to identify known vulnerabilities, misconfigurations, and missing patches across network hosts.
- Describe web application reconnaissance techniques including directory brute forcing, spider crawling, technology fingerprinting, and hidden parameter discovery.
- Evaluate vulnerability scan output to differentiate between true vulnerabilities and false positives and prioritize findings using CVSS scores and environmental context.
Detecting Reconnaissance Activity
- Identify indicators of reconnaissance including port scan patterns, DNS zone transfer attempts, SNMP community string brute forcing, and LDAP enumeration queries.
- Analyze network logs and IDS alerts to detect and characterize reconnaissance activity and determine the likely objectives of the scanning entity.
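The detection goal above, as an added example that is not part of the course material: a small Python script that reads a constructed firewall log and separates a vertical scan (one source probing many ports on one host) from a horizontal sweep (one source probing one port across many hosts), since the shape of the fan-out is the first clue to the scanner's objective. The log format, addresses, and the fan-out threshold are assumptions.

```python
# Added example, not course code. Characterizes reconnaissance from a
# hypothetical firewall log of the form '<epoch> <src_ip> <dst_ip> <dst_port> <DENY|ALLOW>'.
from collections import defaultdict

# Constructed sample: 198.51.100.9 walks twelve common ports on one host
# (vertical), 198.51.100.23 probes SMB/445 across twelve hosts (horizontal),
# and one legitimate HTTPS connection is mixed in.
SAMPLE_FW_LOG = "\n".join(
    [f"17000000{10 + i:02d} 198.51.100.9 10.0.0.20 {p} DENY"
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080])]
    + [f"17000001{i:02d} 198.51.100.23 10.0.0.{h} 445 DENY"
       for i, h in enumerate(range(30, 42))]
    + ["1700000300 10.0.0.5 10.0.0.20 443 ALLOW"]
)


def parse_fw_log(text):
    """Parse the hypothetical log into (ts, src, dst, port, action) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        rows.append((int(ts), src, dst, int(port), action))
    return rows


def characterize_scans(rows, fanout=10):
    """Return findings for sources whose fan-out exceeds `fanout`.

    vertical   = distinct destination ports against a single host
    horizontal = distinct destination hosts on a single port
    Both are counted regardless of ALLOW/DENY: a scanner also learns from accepts.
    """
    ports_per_target = defaultdict(set)   # (src, dst)  -> set of ports
    hosts_per_port = defaultdict(set)     # (src, port) -> set of hosts
    for _, src, dst, port, _ in rows:
        ports_per_target[(src, dst)].add(port)
        hosts_per_port[(src, port)].add(dst)

    findings = []
    for (src, dst), ports in ports_per_target.items():
        if len(ports) >= fanout:
            findings.append({"src": src, "kind": "vertical", "target": dst,
                             "count": len(ports), "ports": sorted(ports)})
    for (src, port), hosts in hosts_per_port.items():
        if len(hosts) >= fanout:
            findings.append({"src": src, "kind": "horizontal", "port": port,
                             "count": len(hosts), "hosts": sorted(hosts)})
    return findings


if __name__ == "__main__":
    for finding in characterize_scans(parse_fw_log(SAMPLE_FW_LOG)):
        print(finding)
```

A horizontal sweep on a single port (445, 3389, 22) usually means the scanner already has an exploit or credential for that service and is hunting targets; a vertical scan is earlier-stage profiling of one host. Slow scans spread over hours defeat a single-batch count like this, so in production the same sets should be kept over a sliding window.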
Domain 3: Exploitation and Attack Techniques (3 topics)
System Exploitation
- Describe common exploitation techniques including buffer overflows, use-after-free vulnerabilities, format string attacks, and return-oriented programming at a conceptual level.
- Apply exploitation frameworks such as Metasploit to select appropriate exploits, configure payloads, and execute controlled exploitation against vulnerable targets.
- Describe exploit mitigation techniques including ASLR, DEP, stack canaries, and Control Flow Guard and identify how each defense mechanism reduces exploitation success.
- Analyze exploit artifacts including shellcode, staged payloads, and Meterpreter sessions to determine the capabilities granted to an attacker post-exploitation.
Privilege Escalation
- Describe Windows privilege escalation techniques including token impersonation, unquoted service paths, DLL hijacking, and UAC bypass methods.
- Describe Linux privilege escalation techniques including SUID binary exploitation, sudo misconfigurations, kernel exploits, and cron job manipulation.
- Analyze a compromised system to identify the privilege escalation method used by examining process trees, modified files, and audit trail entries.
Malware and Persistence
- Identify common persistence mechanisms including registry run keys, scheduled tasks, startup folders, WMI event subscriptions, and Linux cron jobs used by attackers.
- Describe command and control communication methods including HTTP/HTTPS beaconing, DNS tunneling, domain fronting, and encrypted C2 channels.
- Analyze network traffic and endpoint telemetry to identify C2 beaconing patterns including periodic callbacks, jitter, and data exfiltration over covert channels.
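The beaconing analysis named in the last goal, as an added example that is not part of the course material: connection records are grouped per (source, destination) pair and the regularity of their inter-arrival times is scored with the coefficient of variation, so that a scripted callback with a few seconds of jitter stands out from bursty human traffic. The record shape, addresses, and thresholds are assumptions.

```python
# Added example, not course code. Flags periodic C2-style callbacks in
# hypothetical (epoch_seconds, src_ip, dst_ip) connection records, the kind of
# tuple a Zeek conn.log or NetFlow export can be reduced to.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 calls 203.0.113.10 roughly every 60 s with a
# few seconds of jitter (beacon-like); 10.0.0.7 talks to 198.51.100.5 in bursts.
SAMPLE_CONNS = (
    [(t, "10.0.0.5", "203.0.113.10") for t in (0, 61, 118, 182, 239, 301, 358, 420)]
    + [(t, "10.0.0.7", "198.51.100.5") for t in (0, 3, 4, 90, 91, 400, 401, 402)]
)


def intervals(timestamps):
    """Gaps between consecutive connections, in seconds."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def beacon_score(timestamps):
    """Coefficient of variation (stdev / mean) of the inter-arrival gaps.

    A scripted beacon with modest jitter stays well below 0.2; browsing or
    interactive traffic is bursty and scores far higher. None if too few samples.
    """
    gaps = intervals(timestamps)
    if len(gaps) < 3:
        return None
    mu = mean(gaps)
    return None if mu == 0 else pstdev(gaps) / mu


def find_beacons(conns, min_events=5, max_cv=0.2):
    """Return {(src, dst): stats} for pairs whose timing looks like a beacon."""
    by_pair = defaultdict(list)
    for ts, src, dst in conns:
        by_pair[(src, dst)].append(ts)

    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        cv = beacon_score(stamps)
        if cv is not None and cv <= max_cv:
            hits[pair] = {
                "count": len(stamps),
                "mean_interval": round(mean(intervals(stamps)), 1),
                "cv": round(cv, 3),
            }
    return hits


if __name__ == "__main__":
    for pair, stats in find_beacons(SAMPLE_CONNS).items():
        print(pair, stats)
```

Implants that randomize their sleep over a wide range will not score low on this test, and long sleep intervals need a correspondingly long observation window before `min_events` is reached, so timing analysis is best paired with destination reputation, byte-count uniformity, and the endpoint telemetry named above rather than used alone.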
Domain 4: Password Attacks (2 topics)
Password Cracking and Credential Attacks
- Describe password cracking methodologies including brute force, dictionary attacks, hybrid attacks, and rule-based mutations using tools such as John the Ripper and Hashcat.
- Apply password hash extraction techniques from Windows SAM databases, NTDS.dit files, Linux shadow files, and application configuration stores.
- Describe credential replay attacks including pass-the-hash, pass-the-ticket, and overpass-the-hash and identify the Active Directory authentication weaknesses they exploit.
- Analyze authentication logs to detect credential-based attack indicators including password spraying patterns, Kerberoasting ticket requests, and AS-REP roasting activity.
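The password-spraying indicator from the last goal, as an added example that is not part of the course material: a spray shows up as one source trying many distinct accounts a small number of times each within a window, which is exactly the pattern that stays under per-account lockout thresholds. The script below applies that test to a constructed, simplified authentication log and then reports any success from a spraying source, which is the finding that matters. The log format, addresses, and thresholds are assumptions.

```python
# Added example, not course code. Detects password spraying in a hypothetical
# log of the form '<epoch> <user> <src_ip> <SUCCESS|FAILURE>'.
from collections import defaultdict

# Constructed sample: 10.0.0.50 tries six accounts once each and lands on the
# seventh; 10.0.0.77 is one user mistyping a password twice.
SAMPLE_AUTH_LOG = """\
1700000000 alice 10.0.0.50 FAILURE
1700000002 bob 10.0.0.50 FAILURE
1700000004 carol 10.0.0.50 FAILURE
1700000006 dave 10.0.0.50 FAILURE
1700000008 erin 10.0.0.50 FAILURE
1700000010 frank 10.0.0.50 FAILURE
1700000012 grace 10.0.0.50 SUCCESS
1700000100 alice 10.0.0.77 FAILURE
1700000105 alice 10.0.0.77 FAILURE
1700000110 alice 10.0.0.77 SUCCESS
"""


def parse_auth_log(text):
    """Parse the hypothetical log into (ts, user, src, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, outcome = line.split()
        events.append((int(ts), user, src, outcome))
    return events


def detect_spraying(events, window=300, min_accounts=5, max_per_account=2):
    """Sliding window per source IP.

    Alert when the failures inside `window` seconds touch at least
    `min_accounts` distinct accounts while no single account exceeds
    `max_per_account` failures: many accounts, few tries each.
    """
    by_src = defaultdict(list)
    for ts, user, src, outcome in events:
        if outcome == "FAILURE":
            by_src[src].append((ts, user))

    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for t, u in fails[i:]:
                if t - start <= window:
                    per_user[u] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                alerts[src] = {"accounts": sorted(per_user), "window_start": start}
                break
    return alerts


def compromised_after_spray(events, alerts):
    """Accounts that logged in successfully from a spraying source once the spray began."""
    return sorted({
        user for ts, user, src, outcome in events
        if outcome == "SUCCESS" and src in alerts and ts >= alerts[src]["window_start"]
    })


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_AUTH_LOG)
    found = detect_spraying(evts)
    print("spraying sources:", found)
    print("accounts to reset:", compromised_after_spray(evts, found))
```

In a real environment the source key should also include the target service (VPN, OWA, ADFS), sprays from cloud IP pools rotate source addresses so the same counts should be tried keyed on user-agent or tenant, and in Windows logs the equivalent inputs are 4625 events (or 4771/4776 on domain controllers) rather than a flat text file.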
Credential Defense
- Apply password policy hardening including minimum length enforcement, breach dictionary checks, MFA requirements, and account lockout configurations to resist credential attacks.
- Describe credential protection mechanisms including Windows Credential Guard, LSASS protection, Kerberos armoring, and privileged access workstations.
- Evaluate an organization's credential security posture to identify weaknesses in password policies, privileged account management, and authentication infrastructure.
Domain 5: Network and Web Application Attacks (3 topics)
Network-Level Attacks
- Describe network-level attack techniques including ARP spoofing, VLAN hopping, BGP hijacking, and man-in-the-middle attacks, including LAN interception with tools such as Ettercap and Bettercap.
- Apply denial of service detection and mitigation techniques including SYN flood identification, amplification attack analysis, and rate limiting configurations.
- Analyze network packet captures to identify active man-in-the-middle attacks including ARP cache poisoning evidence, SSL stripping indicators, and unauthorized DHCP responses.
Web Application Attacks
- Describe SQL injection attack types including union-based, blind, error-based, and time-based techniques and identify the database interaction patterns each exploits.
- Identify cross-site scripting attacks, including reflected, stored, and DOM-based XSS, and describe input validation and output encoding countermeasures.
- Describe server-side request forgery and command injection attacks and identify how input validation failures allow attackers to access internal resources or execute system commands.
- Analyze web server logs and WAF alerts to identify exploitation attempts including SQL injection probes, XSS payloads, directory traversal, and parameter tampering.
DNS and Email Attacks
- Describe DNS-based attacks including cache poisoning, DNS rebinding, typosquatting, and domain hijacking and identify defensive measures including DNSSEC and DNS monitoring.
- Apply email attack analysis techniques to identify phishing campaigns including header analysis, URL deobfuscation, attachment sandboxing, and SPF/DKIM/DMARC validation.
- Analyze DNS query logs to identify data exfiltration via DNS tunneling, fast flux domain usage, and domain generation algorithm activity patterns.
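The DNS query-log analysis in the last goal, as an added example that is not part of the course material: tunnels and DGA-style names both produce long, high-entropy labels, and a tunnel additionally produces a large number of unique subdomains under one zone (often as TXT queries). The script scores a constructed query log on those two signals; the log format, names, and thresholds are assumptions, and the zone extraction is a deliberate simplification.

```python
# Added example, not course code. Scores a hypothetical DNS log of the form
# '<epoch> <client> <qname> <qtype>' for tunneling / DGA-like activity.
import math
from collections import Counter, defaultdict

# Constructed sample: 10.0.0.9 sends hex-looking labels under tun.example.net
# as TXT queries (tunnel-like); 10.0.0.5 resolves ordinary names.
SAMPLE_DNS_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 mail.example.com A
1700000002 10.0.0.9 a9f3c0d1e2b4.7c8d9e0f1a2b3c4d.tun.example.net TXT
1700000003 10.0.0.9 b8e2d1c0f3a5.6d7e8f9a0b1c2d3e.tun.example.net TXT
1700000004 10.0.0.9 c7d1e0f2a4b6.5e6f7a8b9c0d1e2f.tun.example.net TXT
1700000005 10.0.0.9 d6c0f1e3b5a7.4f5a6b7c8d9e0f1a.tun.example.net TXT
1700000006 10.0.0.9 e5b9a0d2c4f8.3a4b5c6d7e8f9a0b.tun.example.net TXT
1700000007 10.0.0.5 cdn.example.org A
"""


def shannon_entropy(s):
    """Bits per character; 'aaaa' -> 0.0, 'abcd' -> 2.0, random hex -> ~3.6-4.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_zone(qname, levels=2):
    """Crude: the last two labels. Production code should use the Public Suffix List."""
    return ".".join(qname.rstrip(".").split(".")[-levels:])


def parse_dns_log(text):
    """Parse the hypothetical log into (ts, client, qname, qtype) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, qtype = line.split()
            rows.append((int(ts), client, qname.lower(), qtype))
    return rows


def score_zones(rows, min_unique=4, min_entropy=3.5, min_label_len=12):
    """Per registered zone, count unique subdomains and long high-entropy labels.

    Returns the zones that exceed both thresholds, with the supporting counts.
    """
    unique_subs = defaultdict(set)
    suspicious_labels = defaultdict(int)
    txt_queries = defaultdict(int)
    for _, _, qname, qtype in rows:
        zone = registered_zone(qname)
        sub = qname[: -len(zone) - 1] if qname.endswith("." + zone) else ""
        unique_subs[zone].add(sub)
        if qtype == "TXT":
            txt_queries[zone] += 1
        for label in sub.split("."):
            if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
                suspicious_labels[zone] += 1

    flagged = {}
    for zone, subs in unique_subs.items():
        if len(subs) >= min_unique and suspicious_labels[zone] >= min_unique:
            flagged[zone] = {
                "unique_subdomains": len(subs),
                "high_entropy_labels": suspicious_labels[zone],
                "txt_queries": txt_queries[zone],
            }
    return flagged


if __name__ == "__main__":
    for zone, stats in score_zones(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(zone, stats)
```

CDNs, anti-virus lookups, and some telemetry SDKs also generate long hashed labels under one zone, so an allowlist of known high-cardinality zones is needed before this is alert-worthy; conversely, a tunnel that encodes data in low-entropy dictionary words defeats the entropy test and is caught only by the per-zone query volume.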
Domain 6: Post-Exploitation and Lateral Movement (3 topics)
Lateral Movement Techniques
- Describe lateral movement techniques including PsExec, WMI remote execution, PowerShell remoting, RDP pivoting, and SSH tunneling used by attackers after initial compromise.
- Apply lateral movement detection techniques using Windows event log analysis, network traffic monitoring, and endpoint telemetry to identify unauthorized host-to-host access.
- Analyze authentication and process creation events to reconstruct lateral movement paths and determine the scope of an attacker's access across compromised systems.
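The path reconstruction in the last goal, as an added example that is not part of the course material: each record mimics the fields of a Windows 4624 successful-logon event, remote logon types (3 for network logons such as PsExec, WMI and SMB; 10 for RDP) are turned into host-to-host edges through a source-IP-to-hostname map, and a time-ordered breadth-first search from the first compromised host yields the blast radius, the hop path to each host, and the accounts that are now exposed. Hostnames, addresses, and the IP map are assumptions.

```python
# Added example, not course code. Rebuilds lateral-movement paths from
# hypothetical 4624-style logon records.
from collections import defaultdict, deque

# Constructed, time-ordered events with RFC 5737 addresses. An interactive
# logon (type 2) and a self-directed network logon are included as noise.
SAMPLE_LOGONS = [
    {"t": 1, "event": 4624, "logon_type": 10, "target": "WS01", "account": "jdoe", "src": "192.0.2.10"},
    {"t": 2, "event": 4624, "logon_type": 3, "target": "FS01", "account": "jdoe", "src": "192.0.2.11"},
    {"t": 3, "event": 4624, "logon_type": 3, "target": "FS01", "account": "svc_backup", "src": "192.0.2.11"},
    {"t": 4, "event": 4624, "logon_type": 3, "target": "DC01", "account": "svc_backup", "src": "192.0.2.12"},
    {"t": 5, "event": 4624, "logon_type": 2, "target": "WS02", "account": "asmith", "src": "127.0.0.1"},
    {"t": 6, "event": 4624, "logon_type": 3, "target": "WS02", "account": "asmith", "src": "192.0.2.13"},
]
# Hypothetical DHCP/inventory mapping for the window under investigation.
IP_TO_HOST = {"192.0.2.10": "VPN-GW", "192.0.2.11": "WS01", "192.0.2.12": "FS01", "192.0.2.13": "WS02"}
REMOTE_LOGON_TYPES = {3, 10}


def build_movement_graph(events, ip_to_host):
    """Directed edges src_host -> [(target_host, account, time)] for remote logons only."""
    edges = defaultdict(list)
    for e in events:
        if e["event"] != 4624 or e["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        src_host = ip_to_host.get(e["src"], e["src"])
        if src_host == e["target"]:
            continue  # a host "reaching" itself is not a move between hosts
        edges[src_host].append((e["target"], e["account"], e["t"]))
    return edges


def trace_paths(edges, start):
    """BFS from `start`, only following a hop that happened after arrival at its origin.

    Returns {host: [(host, account_used), ...]} describing how each host was reached.
    """
    paths = {start: [(start, None)]}
    arrival = {start: -1}
    queue = deque([start])
    while queue:
        host = queue.popleft()
        for target, account, t in edges.get(host, []):
            if t > arrival[host] and target not in paths:
                arrival[target] = t
                paths[target] = paths[host] + [(target, account)]
                queue.append(target)
    return paths


def compromised_accounts(paths):
    """Every account used on any hop: these credentials must be rotated."""
    return sorted({acct for hops in paths.values() for _, acct in hops if acct})


if __name__ == "__main__":
    graph = build_movement_graph(SAMPLE_LOGONS, IP_TO_HOST)
    reached = trace_paths(graph, "VPN-GW")
    for host, hops in reached.items():
        print(host, " -> ".join(h if a is None else f"{h} (as {a})" for h, a in hops))
    print("rotate:", compromised_accounts(reached))
```

The first path found to a host is not necessarily the only one; keeping all edges rather than the first arrival matters when scoping, because a second route through a different account means a second credential to rotate. Real 4624 events carry the source in the `IpAddress` field and the target as the logging host, and the IP-to-host map should come from DHCP or EDR telemetry for the same time window, since a stale mapping silently attributes hops to the wrong machine.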
Data Exfiltration and Impact
- Describe data exfiltration methods including encrypted file transfers, steganography, cloud storage abuse, and protocol tunneling and identify indicators of data staging.
- Apply data loss detection techniques using network monitoring, DLP alerts, and anomalous data transfer analysis to identify potential exfiltration activity.
- Describe ransomware attack lifecycle stages including initial access, lateral spread, shadow copy deletion, encryption execution, and ransom note delivery.
- Evaluate the scope and impact of a data breach by analyzing exfiltration artifacts, compromised credential counts, and affected system inventories.
Active Directory Attacks
- Describe Active Directory attack techniques including DCSync, golden ticket creation, silver ticket forging, skeleton key injection, and AdminSDHolder abuse.
- Apply Active Directory security monitoring using event log analysis to detect DCSync replication requests, suspicious Kerberos ticket activity, and unauthorized group membership changes.
- Analyze Active Directory compromise artifacts to determine the attacker's privilege level, persistence mechanisms, and the extent of domain controller compromise.
Domain 7: Incident Response and Recovery (3 topics)
Containment and Eradication
- Apply containment strategies including network isolation, account disabling, firewall rule implementation, and DNS sinkholing to limit attacker access during an active incident.
- Describe eradication procedures including malware removal, persistence mechanism cleanup, compromised credential rotation, and system rebuilding from known-good images.
- Evaluate containment effectiveness by monitoring for continued attacker activity including new C2 communications, additional compromised hosts, and persistence re-establishment.
Recovery and Lessons Learned
- Describe recovery procedures including phased system restoration, enhanced monitoring during recovery, validation testing, and gradual return to normal operations.
- Apply lessons learned methodology to document incident findings, identify control gaps, recommend improvements, and update incident response plans and detection rules.
- Assess the overall incident response effectiveness by evaluating detection time, containment time, scope accuracy, and communication quality against established benchmarks.
Indicator of Compromise Management
- Describe indicator of compromise types including IP addresses, domain names, file hashes, registry keys, and behavioral patterns and classify them using the Pyramid of Pain framework.
- Apply IOC extraction techniques from incident artifacts including malware samples, network captures, and system logs to build detection signatures and blocklists.
- Evaluate IOC quality and relevance by assessing specificity, false positive potential, temporal validity, and correlation with known threat actor TTPs.
Scope
Included Topics
- All domains in the GIAC Certified Incident Handler (GCIH) certification aligned to SANS SEC504: Incident Handling Process, Reconnaissance and Scanning, Exploitation and Attack Techniques, Password Attacks, Network and Web Application Attacks, Post-Exploitation and Lateral Movement, and Incident Response and Recovery.
- Hands-on incident handling knowledge including the six-step incident handling process, live system analysis, network reconnaissance using Nmap and Masscan, exploitation frameworks including Metasploit, privilege escalation techniques on Windows and Linux, lateral movement using PsExec and WMI, and post-exploitation persistence mechanisms.
- Attack technique analysis including buffer overflows, command injection, SQL injection, cross-site scripting, cross-site request forgery, server-side request forgery, deserialization attacks, and credential-based attacks such as pass-the-hash, Kerberoasting, and AS-REP roasting.
- Incident response operations including evidence collection, timeline reconstruction, indicator of compromise extraction, containment strategies, eradication procedures, and lessons learned documentation aligned with NIST SP 800-61 and SANS incident handling methodology.
Not Covered
- Advanced malware reverse engineering, binary analysis, and custom exploit development beyond the scope of SEC504.
- Full-scale digital forensics investigations including disk imaging, file carving, and registry analysis at the forensic examiner level.
- Advanced threat intelligence platform operations, STIX/TAXII integration, and automated threat feed management.
- Red team infrastructure design, C2 framework customization, and advanced evasion technique development.
- Cloud-native incident response for serverless and container environments at the specialist level.
Official Exam Page
Learn more at GIAC Certifications