CrowdStrike CCFH-202 CrowdStrike Certified Falcon Hunter Exam Practice Test

Answer : B

The Linux Sensor report is where an analyst would find information about shells spawned by root, Kernel Module loads, and wget/curl usage. The Linux Sensor report is a pre-defined report that provides a summary view of selected activities on Linux hosts. It shows information such as process execution events, network connection events, file write events, etc. that occurred on Linux hosts within a specified time range. The Sensor Health report, the Sensor Policy Daily report, and the Mac Sensor report do not provide the same information.

Answer : B

Hunt reports are pre-defined reports that offer information surrounding activities that typically indicate suspicious activity occurring on a system. They are based on common threat hunting use cases and queries, and they provide visualizations and summaries of the results. Hunt reports can help threat hunters quickly identify and investigate potential threats in their environment.

Answer : C

This process tree indicates a phishing attack, as it shows a user opening an email attachment (outlook.exe) that launches a malicious macro (cmd.exe) that downloads and executes a payload (powershell.exe) that connects to a remote server (svchost.exe). A phishing attack is a type of social engineering attack that uses deceptive emails or messages to trick users into opening malicious attachments or links that can compromise their systems or credentials.

Answer : A

This is the proper method to quantify search results, enabling a hunter to quickly sort and identify outliers. The stats command is used to calculate summary statistics on the results of a search or subsearch, such as count, sum, average, etc. The count by option is used to count the number of events for each distinct value of a field or fields and display them in a table. This can help find rare or common values that could indicate anomalies or deviations from normal behavior.

Answer : B

This option is the correct one to complete the following EAM query:

event_simpleName=ProcessRollup2 FileName=$Recycle Bin

This query would search for any process execution that used a file stored in the Recycle Bin on a Windows host, as the asterisk (*) is a wildcard character that matches any number of characters before or after the specified string. The other options are not correct, as they use different wildcard characters that do not match the desired pattern.

Answer : A

The OR operator is needed to complete the following query, as it allows to search for events that match any of the specified values. The query would look like this:

event_simpleName=ProcessRollup2 FileName=net.exe OR FileName=ipconfig.exe OR FileName=whoami.exe

The OR operator is used to combine multiple search terms or expressions and return events that match at least one of them. The IN, NOT, and AND operators are not suitable for this query, as they have different functions and meanings.

Answer : B

Stacking (Frequency Analysis) is a recommended technique to find unique outliers among a set of data in the Falcon Event Search. As explained above, stacking involves grouping events by a common attribute and counting their frequency, then sorting them by ascending or descending order to identify rare or common events. This can help find anomalies or deviations from normal behavior that could indicate malicious activity. Hunt-and-Peck Search Methodology, Time-based Searching, and Machine Learning are not specific techniques to find unique outliers among a set of data.