CrowdStrike CCFH-202 - CrowdStrike Certified Falcon Hunter Exam
Page: 1 / 18
Total 88 questions
Question #1 (Topic: Exam A)
Which of the following is a suspicious process behavior?
A. PowerShell running an execution policy of RemoteSigned
B. An Internet browser (e.g., Internet Explorer) performing multiple DNS requests
C. PowerShell launching a PowerShell script
D. Non-network processes (e.g., notepad.exe) making an outbound network connection
Answer: D
Question #2 (Topic: Exam A)
Which field should you reference in order to find the system time of a *FileWritten event?
A. ContextTimeStamp_decimal
B. FileTimeStamp_decimal
C. ProcessStartTime_decimal
D. timestamp
Answer: A (ContextTimeStamp_decimal is the system time on the host at which the event occurred; timestamp records when the cloud received the event)
Question #3 (Topic: Exam A)
What Search page would help a threat hunter differentiate testing, DevOps, or general user activity from adversary behavior?
A. Hash Search
B. IP Search
C. Domain Search
D. User Search
Answer: D (knowing which account performed the activity is what separates a developer or tester from an adversary using the same tooling)
Question #4 (Topic: Exam A)
An analyst has sorted all recent detections in the Falcon platform to identify the oldest in an effort to determine the possible first victim host. What is this type of analysis called?
A. Visualization of hosts
B. Statistical analysis
C. Temporal analysis
D. Machine Learning
Answer: C
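The three hunting ideas behind Questions 1, 2 and 4 (an unexpected process making an outbound connection, choosing the host-side timestamp field, and ordering events in time to find the first affected host) can be worked through on a handful of events. The example below is added here and is not part of the exam or of any CrowdStrike tooling; the events are constructed and the field names (event_simpleName, ComputerName, FileName, RemoteAddressIP4, ContextTimeStamp_decimal, timestamp) merely follow Falcon Event Search naming conventions, while the allowlist of "non-network" binaries is a hypothetical hunting baseline.

```python
"""Toy hunting checks over constructed Falcon-style events.

Illustrates, with made-up data:
  * flagging outbound connections from processes that normally never
    talk to the network (Question 1);
  * why the host-side ContextTimeStamp_decimal, not the cloud-receipt
    timestamp, is the field to order on (Question 2);
  * temporal analysis: sorting detections to find the earliest host
    (Question 4).
Field names imitate Falcon Event Search; no real telemetry is used.
"""
import ipaddress

# Hypothetical baseline: binaries with no legitimate reason to make
# outbound connections in this (imaginary) environment.
NON_NETWORK_PROCESSES = {"notepad.exe", "calc.exe", "mspaint.exe", "wordpad.exe"}

# Constructed sample events (times are Unix epoch seconds).
# WS-0099 was the first host to reach out, but its sensor was offline and
# only forwarded the event to the cloud an hour later, so its cloud-side
# `timestamp` is the latest of the set.
EVENTS = [
    {"event_simpleName": "NetworkConnectIP4", "ComputerName": "WS-0042",
     "FileName": "chrome.exe", "RemoteAddressIP4": "93.184.216.34", "RemotePort": 443,
     "ContextTimeStamp_decimal": 1700000300.0, "timestamp": 1700000301.0},
    {"event_simpleName": "NetworkConnectIP4", "ComputerName": "WS-0017",
     "FileName": "notepad.exe", "RemoteAddressIP4": "198.51.100.7", "RemotePort": 8443,
     "ContextTimeStamp_decimal": 1700000120.0, "timestamp": 1700000121.0},
    {"event_simpleName": "NetworkConnectIP4", "ComputerName": "WS-0099",
     "FileName": "notepad.exe", "RemoteAddressIP4": "198.51.100.7", "RemotePort": 8443,
     "ContextTimeStamp_decimal": 1699999800.0, "timestamp": 1700003600.0},
    {"event_simpleName": "NetworkConnectIP4", "ComputerName": "WS-0017",
     "FileName": "notepad.exe", "RemoteAddressIP4": "127.0.0.1", "RemotePort": 5555,
     "ContextTimeStamp_decimal": 1700000125.0, "timestamp": 1700000126.0},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS-0023",
     "FileName": "notepad.exe",
     "ContextTimeStamp_decimal": 1699999000.0, "timestamp": 1699999001.0},
]


def suspicious_outbound(events, baseline=NON_NETWORK_PROCESSES):
    """Return network-connect events from processes that should not talk outbound.

    Loopback and link-local destinations are skipped: they are not
    "outbound" in the sense of Question 1 and would only add noise.
    """
    hits = []
    for ev in events:
        if ev.get("event_simpleName") != "NetworkConnectIP4":
            continue  # process starts, file writes etc. are not connections
        if ev.get("FileName", "").lower() not in baseline:
            continue  # browsers and other network-capable tools are expected
        addr = ipaddress.ip_address(ev["RemoteAddressIP4"])
        if addr.is_loopback or addr.is_link_local:
            continue
        hits.append(ev)
    return hits


def order_by_time(events, field="ContextTimeStamp_decimal"):
    """Temporal analysis: oldest event first, by the chosen time field."""
    return sorted(events, key=lambda ev: float(ev[field]))


def earliest_host(events, field="ContextTimeStamp_decimal"):
    """Name and time of the host with the oldest event, or None if empty."""
    ordered = order_by_time(events, field)
    if not ordered:
        return None
    first = ordered[0]
    return first["ComputerName"], float(first[field])


if __name__ == "__main__":
    hits = suspicious_outbound(EVENTS)
    for ev in hits:
        print(f"{ev['ComputerName']}: {ev['FileName']} -> "
              f"{ev['RemoteAddressIP4']}:{ev['RemotePort']}")
    print("first victim by host time :", earliest_host(hits))
    print("first victim by cloud time:", earliest_host(hits, "timestamp"))
```

Run as a script, the two `earliest_host` calls disagree: ordering on the host-side field names WS-0099 as the first victim, while ordering on the cloud-receipt `timestamp` points at WS-0017, which is exactly the mistake Question 2 is probing for.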
Question #5 (Topic: Exam A)

Falcon detected the above file attempting to execute. At initial glance, what indicators can we use to provide an initial analysis of the file?
A. VirusTotal, Hybrid Analysis, and Google pivot indicator lights enabled
B. File name, path, Local and Global prevalence within the environment
C. File path, hard disk volume number, and IOC Management action
D. Local prevalence, IOC Management action, and Event Search
Answer: B