Hacker Tools Techniques Exploits and Incident Handling

Here you have the best SANS SEC504 practice exam questions

You have 322 total questions to study from
Each page has 5 questions, making a total of 65 pages
You can navigate through the pages using the buttons at the bottom
This questions were last updated on November 13, 2025
This site is not affiliated with or endorsed by SANS.

Question 1 of 322

Which of the following Incident handling process phases is responsible for defining rules, collaborating human workforce, creating a back-up plan, and testing the plans for an enterprise?

Preparation phase

Eradication phase

Identification phase

Recovery phase

Containment phase

Correct Answer: A

Question 2 of 322

The Klez worm is a mass-mailing worm that exploits a vulnerability to open an executable attachment even in Microsoft Outlook's preview pane. The Klez worm gathers email addresses from the entries of the default Windows Address Book (WAB). Which of the following registry values can be used to identify this worm?

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name = "file and pathname of the WAB file"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Correct Answer: B

Question 3 of 322

You work as a Network Administrator for Net Perfect Inc. The company has a Windows-based network. The company wants to fix potential vulnerabilities existing on the tested systems. You use Nessus as a vulnerability scanning program to fix the vulnerabilities. Which of the following vulnerabilities can be fixed using
Nessus?
Each correct answer represents a complete solution. Choose all that apply.

Misconfiguration (e.g. open mail relay, missing patches, etc.)

Vulnerabilities that allow a remote cracker to control sensitive data on a system

Vulnerabilities that allow a remote cracker to access sensitive data on a system

Vulnerabilities that help in Code injection attacks

Correct Answer: A, B, C

Question 4 of 322

Adam works as a Security Analyst for Umbrella Inc. Company has a Windows-based network. All computers run on Windows XP. Manager of the Sales department complains Adam about the unusual behavior of his computer. He told Adam that some pornographic contents are suddenly appeared on his computer overnight. Adam suspects that some malicious software or Trojans have been installed on the computer. He runs some diagnostics programs and Port scanners and found that the Port 12345, 12346, and 20034 are open. Adam also noticed some tampering with the Windows registry, which causes one application to run every time when Windows start. Which of the following is the most likely reason behind this issue?

Cheops-ng is installed on the computer.

Elsave is installed on the computer.

NetBus is installed on the computer.

NetStumbler is installed on the computer.

Correct Answer: C

Question 5 of 322

Adam, a malicious hacker is running a scan. Statistics of the scan is as follows:
Scan directed at open port: ClientServer
192.5.2.92:4079 ---------FIN--------->192.5.2.110:23192.5.2.92:4079
<----NO RESPONSE------192.5.2.110:23
Scan directed at closed port:

Client Server -
192.5.2.92:4079 ---------FIN--------->192.5.2.110:23
192.5.2.92:4079<-----RST/ACK----------192.5.2.110:23
Which of the following types of port scan is Adam running?

ACK scan

FIN scan

XMAS scan

Idle scan

Correct Answer: B