Certified Falcon Hunter

Here you have the best CrowdStrike CCFH-202 practice exam questions

You have 59 total questions to study from
Each page has 5 questions, making a total of 12 pages
You can navigate through the pages using the buttons at the bottom
This questions were last updated on November 15, 2024

Question 1 of 59

Which of the following is a suspicious process behavior?

PowerShell running an execution policy of RemoteSigned

An Internet browser (eg., Internet Explorer) performing multiple DNS requests

PowerShell launching a PowerShell script

Non-network processes (e.g., notepad.exe) making an outbound network connection

Correct Answer: D

A non-network process like notepad.exe making an outbound network connection is highly suspicious because such applications generally do not require internet access. This behavior could indicate that malware is attempting to establish communication with a remote server or exfiltrate data, making it a significant red flag for potential malicious activity.

Question 2 of 59

Which field should you reference in order to find the system time of a *FileWritten event?

ContextTimeStamp_decimal

FileTimeStamp_decimal

ProcessStartTime_decimal

timestamp

Correct Answer: A

The correct field to reference for finding the system time of a *FileWritten event is 'ContextTimeStamp_decimal'. This field indicates the time at which an event occurred on the system as seen by the sensor. It captures the system time of the event, which is what is required to determine when the FileWritten event took place.

Question 3 of 59

What Search page would help a threat hunter differentiate testing, DevOPs, or general user activity from adversary behavior?

Hash Search

IP Search

Domain Search

User Search

Correct Answer: D

To differentiate testing, DevOps, or general user activity from adversary behavior, a threat hunter would benefit from a User Search page. This page allows the correlation of user activity across endpoints and helps identify anomalous or suspicious user actions, such as logging into multiple systems, running unusual commands, or accessing sensitive files, which are indicative of adversary behavior.

Question 4 of 59

An analyst has sorted all recent detections in the Falcon platform to identify the oldest in an effort to determine the possible first victim host. What is this type of analysis called?

Visualization of hosts

Statistical analysis

Temporal analysis

Machine Learning

Correct Answer: C

The type of analysis described involves sorting detections based on their timestamps to identify the first occurrence or oldest detection. This approach, focusing on the timing and sequence of events, is known as temporal analysis.

Question 5 of 59

Falcon detected the above file attempting to execute. At initial glance, what indicators can we use to provide an initial analysis of the file?

VirusTotal, Hybrid Analysis, and Google pivot indicator lights enabled

File name, path, Local and Global prevalence within the environment

File path, hard disk volume number, and IOC Management action

Local prevalence, IOC Management action, and Event Search

Correct Answer: B

For the initial analysis of the file detected by Falcon, the most relevant indicators are the file name and path, as well as the file's local and global prevalence within the environment. These indicators provide crucial information about the file's origin, its location within the system, and how commonly the file is encountered both locally and globally. This helps in assessing the potential risk and determining whether the file is likely to be malicious or benign.