CCFH-202 Exam Questions

CCFH-202 Exam - Question 58


During an investigation you find out that files are being written to disk by a malicious process. While many of them are displayed in the detection as context items, you want to see all files written to your host by this process.

What Splunk search would work for this scenario?

Correct Answer: A

To list every file a specific process wrote, search the file-written event family and filter on the field that identifies the writing process. The search 'event_simpleName=*written ComputerName=MyPC ContextProcessId_decimal=0123456789' does exactly that: the wildcard 'event_simpleName=*written' matches the whole family of file-written events (PeFileWritten, NewScriptWritten and the like), 'ComputerName=MyPC' scopes the results to the host under investigation, and 'ContextProcessId_decimal' carries the sensor's identifier of the process on whose behalf each file was written, which is the malicious process in the question. On these events the writing process is the context, not the target: TargetProcessId_decimal belongs to ProcessRollup2 (process creation) events, where it identifies the newly created process, so it is not a usable filter on file-written events. Because the detection only surfaces a subset of these writes as context items, querying the raw events this way is how you see all of them.
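
The search above, extended into the pivot a hunter would normally run next, as an added example that is not part of the original page or of CrowdStrike's own documentation. It keeps the page's placeholder values (host MyPC, process identifier 0123456789) and assumes the standard Falcon event fields TargetFileName (full path of the written file) on *Written events and CommandLine on ProcessRollup2. The file writes are joined to the creating process by the identifier they share: ContextProcessId_decimal on the child events equals TargetProcessId_decimal on the ProcessRollup2 event of the process that performed them.

```spl
event_simpleName=*Written ComputerName=MyPC ContextProcessId_decimal=0123456789
| eval ProcId=ContextProcessId_decimal
| append
    [ search event_simpleName=ProcessRollup2 ComputerName=MyPC TargetProcessId_decimal=0123456789
      | eval ProcId=TargetProcessId_decimal ]
| eval WriterCommandLine=if(event_simpleName="ProcessRollup2", CommandLine, null())
| eval WrittenFile=if(event_simpleName!="ProcessRollup2", TargetFileName, null())
| stats values(WriterCommandLine) AS WriterCommandLine
        dc(WrittenFile) AS DistinctFilesWritten
        values(WrittenFile) AS FilesWritten
        values(event_simpleName) AS EventTypes
  by ComputerName, ProcId
```

The result is one row per process: its command line from ProcessRollup2 alongside every distinct path it wrote and the event types involved, so a file-written event with no matching ProcessRollup2 in the search window shows up with an empty WriterCommandLine rather than being silently dropped. Two practical caveats: a leading wildcard such as *Written cannot use Splunk's index and is slow over large time ranges, so list the specific event names once you know which ones you need, and the same ContextProcessId_decimal pivot applies to the other child events of a process (DNS requests, network connections), not only to file writes.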

Discussion

2 comments
kangaru (Option: A)
Jan 14, 2024

C is wrong. TargetProcessId_decimal is not a valid field in *FileWritten events. You would use ContextProcessId to trace back its spawner.

e4e38c0 (Option: D)
Jul 11, 2024

C is wrong, as the question is specifically asking for Context and not the created one.