CrowdStrike CCFR-201 Exam Practice Test Instant Access

Question 1

When looking at the details of a detection, there are two fields called Global Prevalence and Local Prevalence. Which answer best defines Local Prevalence?

ALocal prevalence is the frequency with which the hash of the triggering file is seen across the entire Internet

BLocal Prevalence tells you how common the hash of the triggering file is within your environment (CID)

CLocal Prevalence is the Virus Total score for the hash of the triggering file

DLocal prevalence is the frequency with which the hash of the triggering file is seen across all CrowdStrike customer environments

Answer : B

According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, Global Prevalence and Local Prevalence are two fields that provide information about how common or rare a file is based on its hash value2.Global Prevalence tells you how frequently the hash of the triggering file is seen across all CrowdStrike customer environments2.Local Prevalence tells you how frequently the hash of the triggering file is seen within your environment (CID)2.These fields can help you assess the risk and impact of a detection2.

Question 2

Aside from a Process Timeline or Event Search, how do you export process event data from a detection in .CSV format?

AYou can't export detailed event data from a detection, you have to use the Process Timeline or an Event Search

BIn Full Detection Details, you expand the nodes of the process tree you wish to expand and then click the 'Export Process Events' button

CIn Full Detection Details, you choose the 'View Process Activity' option and then export from that view

DFrom the Detections Dashboard, you right-click the event type you wish to export and choose CSV. JSON or XML

Answer : C

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, there are three ways to export process event data from a detection in .CSV format1:

You can use the Process Timeline tool and click on ''Export CSV'' button at the top right corner1.

You can use the Event Search tool and select one or more events and click on ''Export CSV'' button at the top right corner1.

You can use the Full Detection Details tool and choose the ''View Process Activity'' option from any process node in the process tree view1.This will show you all events generated by that process in a rows-and-columns style view1.You can then click on ''Export CSV'' button at the top right corner1.

Question 3

Which statement is TRUE regarding the "Bulk Domains" search?

AIt will show a list of computers and process that performed a lookup of any of the domains in your search

BThe 'Bulk Domains' search will allow you to blocklist your queried domains

CThe 'Bulk Domains' search will show IP address and port information for any associated connections D. You should only pivot to the 'Bulk Domains' search tool after completing an investigation

Answer : A

According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Bulk Domain Search tool allows you to search for one or more domains and view a summary of information from Falcon events that contain those domains2.The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that performed a lookup of any of the domains in your search2.This can help you identify potential threats or vulnerabilities in your network2.

Question 4

You are reviewing the raw data in an event search from a detection tree. You find a FileOpenlnfo event and want to find out if any other files were opened by the responsible process. Which two field values do you need from this event to perform a Process Timeline search?

AParentProcessld_decimal and aid

BResponsibleProcessld_decimal and aid

CContextProcessld_decimal and aid

DTargetProcessld_decimal and aid

Answer : D

According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool allows you to view all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc2.The tool requires two parameters:aid(agent ID) andTargetProcessId_decimal(the decimal value of the process ID)2.These fields can be obtained from any event that involves the process, such as a FileOpenInfo event, which contains information about a file being opened by a process2.

Question 5

When examining a raw DNS request event, you see a field called ContextProcessld_decimal. What is the purpose of that field?

AIt contains the TargetProcessld_decimal value for other related events

BIt contains an internal value not useful for an investigation

CIt contains the ContextProcessld_decimal value for the parent process that made the DNS request

DIt contains the TargetProcessld_decimal value for the process that made the DNS request

Answer : D

According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the ContextProcessld_decimal field contains the decimal value of the process ID of the process that generated the event1.This field can be used to trace the process lineage and identify malicious or suspicious activities1.For a DNS request event, this field indicates which process made the DNS request1.

Question 6

You notice that taskeng.exe is one of the processes involved in a detection. What activity should you investigate next?

AUser logons after the detection

BExecutions of schtasks.exe after the detection

CScheduled tasks registered prior to the detection

DPivot to a Hash search for taskeng.exe

Answer : C

According to the [Microsoft website], taskeng.exe is a legitimate Windows process that is responsible for running scheduled tasks. However, some malware may use this process or create a fake one to execute malicious code. Therefore, if you notice taskeng.exe involved in a detection, you should investigate whether there are any scheduled tasks registered prior to the detection that may have triggered or injected into taskeng.exe. You can use tools such as schtasks.exe or Task Scheduler to view or manage scheduled tasks.

Question 7

Which of the following is an example of a MITRE ATT&CK tactic?

AEternal Blue

BDefense Evasion

CEmotet

DPhishing

Answer : B

According to the [MITRE ATT&CK website], MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques, where tactics are the high-level goals of an adversary, such as initial access, persistence, lateral movement, etc., and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, remote file copy, etc. Defense Evasion is one of the tactics defined by MITRE ATT&CK, which covers actions that adversaries take to avoid detection or prevent security controls from blocking their activities. Eternal Blue, Emotet, and Phishing are examples of techniques, not tactics.

CrowdStrike CCFR-201 CrowdStrike Certified Falcon Responder Exam Practice Test