Online Questions – Valid Practice CCFH-202 Exam Dumps Test Questions [Q32-Q46]

Posted On October 16, 2023

Online Questions – Valid Practice CCFH-202 Exam Dumps Test Questions

100% Real CCFH-202 dumps – Brilliant CCFH-202 Exam Questions PDF

CrowdStrike CCFH-202 Exam Syllabus Topics:

Topic	Details
Topic 1	Explain what information a Source IP Search provides Explain what the “table” command does and demonstrate how it can be used for formatting output
Topic 2	Explain what information a Mac Sensor Report will provide Conduct hypothesis and hunting lead generation to prove them out using Falcon tools
Topic 3	Convert and format Unix times to UTC-readable time Evaluate information for reliability, validity and relevance for use in the process of elimination
Topic 4	Identify the vulnerability exploited from an initial attack vector Explain what information is in the Events Data Dictionary
Topic 5	Utilize the MITRE ATT&CK Framework to model threat actor behaviors Explain what information a bulk (Destination) IP search provides
Topic 6	Demonstrate how to get a Process Timeline Analyze and recognize suspicious overt malicious behaviors
Topic 7	Explain what information a Hash Execution Search provides Explain what information a Bulk Domain Search provides

NO.32 What kind of activity does a User Search help you investigate?

A history of Falcon Ul logon activity

A list of process activity executed by the specified user account

A count of failed user logon activity

A list of DNS queries by the specified user account

User Search is an Investigate tool that helps you investigate a list of process activity executed by the specified user account. It shows information such as process name, command line, parent process name, parent command line, etc. for each process that was executed by the user account on any host in your environment. It does not show a history of Falcon UI logon activity, a count of failed user logon activity, or a list of DNS queries by the specified user account.

NO.33 What information is provided when using IP Search to look up an IP address?

Both internal and external IPs

Suspicious IP addresses

External IPs only

Internal IPs only

IP Search is an Investigate tool that allows you to look up information about external IPs only. It shows information such as geolocation, network connection events, detection history, etc. for each external IP address that has communicated with your hosts. It does not show information about internal IPs, suspicious IPs, or both internal and external IPs.

NO.34 Which of the following is an example of a Falcon threat hunting lead?

A routine threat hunt query showing process executions of single letter filename (e.g., a.exe) from temporary directories

Security appliance logs showing potentially bad traffic to an unknown external IP address

A help desk ticket for a user clicking on a link in an email causing their machine to become unresponsive and have high CPU usage

An external report describing a unique 5 character file extension for ransomware encrypted files

A Falcon threat hunting lead is a piece of information that can be used to initiate or guide a threat hunting activity within the Falcon platform. A routine threat hunt query showing process executions of single letter filename (e.g., a.exe) from temporary directories is an example of a Falcon threat hunting lead, as it can indicate potential malicious activity that can be further investigated using Falcon data and features. Security appliance logs, help desk tickets, and external reports are not examples of Falcon threat hunting leads, as they are not directly related to the Falcon platform or data.

NO.35 Which of the following is an example of actor actions during the RECONNAISSANCE phase of the Cyber Kill Chain?

Installing a backdoor on the victim endpoint

Discovering internet-facing servers

Emailing the intended victim with a malware attachment

Loading a malicious payload into a common DLL

Discovering internet-facing servers is an example of actor actions during the RECONNAISSANCE phase of the Cyber Kill Chain. The RECONNAISSANCE phase is where the adversary researches and identifies targets, vulnerabilities, and attack vectors. Discovering internet-facing servers is a way for the adversary to find potential entry points or weaknesses in the target network.

NO.36 What is the difference between a Host Search and a Host Timeline?

Host Search is used for detection investigation and Host Timeline is used for proactive hunting

A Host Search organizes the data in useful event categories like process executions and network connections, a Host Timeline provides an uncategorized view of recorded events in chronological order

You access a Host Search from a detection to show you every recorded process event related to the detection and you can only populate the Host Timeline fields manually

There is no difference. You just get to them different ways

This is the difference between a Host Search and a Host Timeline. A Host Search is an Investigate tool that allows you to view events by category, such as process executions, network connections, file writes, etc. A Host Timeline is an Investigate tool that allows you to view all events in chronological order, without any categorization. Both tools can be used for detection investigation and proactive hunting, depending on the use case and preference. You can access a Host Search from a detection or manually enter the host details. You can also populate the Host Timeline fields manually or from other pages in Falcon.

NO.37 What elements are required to properly execute a Process Timeline?

Agent ID (AID) and Target Process ID

Agent ID (AID) only

Hostname and Local Process ID

Target Process ID only

The Agent ID (AID) and the Target Process ID are the elements that are required to properly execute a Process Timeline. The Agent ID (AID) is a unique identifier for each host that has a Falcon sensor installed. The Target Process ID is the decimal representation of the process identifier for the process that you want to investigate. These two elements are used to query the cloud for the events related to the process on the host. The Agent ID (AID) only, the Hostname and Local Process ID, and the Target Process ID only are not sufficient to execute a Process Timeline.

NO.38 When exporting the results of the following event search, what data is saved in the exported file (assuming Verbose Mode)? event_simpleName=*Written | stats count by ComputerName

The text of the query

The results of the Statistics tab

No data Results can only be exported when the “table” command is used

All events in the Events tab

When exporting the results of an event search, the data that is saved in the exported file depends on the mode and the tab that is selected. In this case, the mode is Verbose and the tab is Statistics, as indicated by the stats command. Therefore, the data that is saved in the exported file is the results of the Statistics tab, which shows the count of events by ComputerName. The text of the query, all events in the Events tab, and no data are not correct answers.

NO.39 Lateral movement through a victim environment is an example of which stage of the Cyber Kill Chain?

Command & Control

Actions on Objectives

Exploitation

Delivery

Lateral movement through a victim environment is an example of the Command & Control stage of the Cyber Kill Chain. The Cyber Kill Chain is a model that describes the phases of a cyber attack, from reconnaissance to actions on objectives. The Command & Control stage is where the adversary establishes and maintains communication with the compromised systems and moves laterally to expand their access and control.

NO.40 What do you click to jump to a Process Timeline from many pages in Falcon, such as a Hash Search?

PID

Process ID or Parent Process ID

CID

Process Timeline Link

The Process Timeline Link is what you click to jump to a Process Timeline from many pages in Falcon, such as a Hash Search. The Process Timeline Link is an icon that looks like three horizontal bars with dots on them. It appears next to each process name or ID on various pages in Falcon, such as Hash Search results, Detection details, Event Search results, etc. Clicking on it will open a new tab with the Process Timeline for that process. The PID, the Process ID or Parent Process ID, and the CID are not what you click to jump to a Process Timeline.

NO.41 How do you rename fields while using transforming commands such as table, chart, and stats?

By renaming the fields with the “rename” command after the transforming command e.g. “stats count by ComputerName | rename count AS total_count”

You cannot rename fields as it would affect sub-queries and statistical analysis

By using the “renamed” keyword after the field name eg “stats count renamed totalcount by ComputerName”

By specifying the desired name after the field name eg “stats count totalcount by ComputerName”

The rename command is used to rename fields while using transforming commands such as table, chart, and stats. It can be used after the transforming command and specify the old and new field names with the AS keyword. You can rename fields as it would not affect sub-queries and statistical analysis, as long as you use the correct field names in your queries. The renamed keyword and the desired name after the field name are not valid ways to rename fields.

NO.42 While you’re reviewing Unresolved Detections in the Host Search page, you notice the User Name column contains “hostnameS ” What does this User Name indicate?

The User Name is a System User

The User Name is not relevant for the dashboard

There is no User Name associated with the event

The Falcon sensor could not determine the User Name

When you see “hostnameS” in the User Name column in the Host Search page, it means that there is no User Name associated with the event. This can happen when the event is related to a system process or service that does not have a user context. It does not mean that the User Name is a System User, that the User Name is not relevant for the dashboard, or that the Falcon sensor could not determine the User Name.

NO.43 Which threat framework allows a threat hunter to explore and model specific adversary tactics and techniques, with links to intelligence and case studies?

MITRE ATT&CK

Lockheed Martin Cyber Kill Chain

Director of National Intelligence Cyber Threat Framework

NIST 800-171 Cyber Threat Framework

MITRE ATT&CK is a threat framework that allows a threat hunter to explore and model specific adversary tactics and techniques, with links to intelligence and case studies. It is a knowledge base of adversary behaviors and tactics that covers various platforms, domains, and scenarios. It provides a common language and structure for threat hunters to understand and analyze threats, as well as to share findings and recommendations.

NO.44 In the Powershell Hunt report, what does the “score” signify?

Number of hosts that ran the PowerShell script

How recently the PowerShell script executed

Maliciousness score determined by NGAV

A cumulative score of the various potential command line switches

In the Powershell Hunt report, the score signifies a cumulative score of the various potential command line switches that were used in the PowerShell script execution. The score is based on a weighted system that assigns different values to different switches based on their potential maliciousness or usefulness for threat hunting. For example, -EncodedCommand has a higher value than -NoProfile. The score does not signify the number of hosts that ran the PowerShell script, how recently the PowerShell script executed, or the maliciousness score determined by NGAV.

NO.45 In the MITRE ATT&CK Framework (version 11 – the newest version released in April 2022), which of the following pair of tactics is not in the Enterprise: Windows matrix?

Persistence and Execution

Impact and Collection

Privilege Escalation and Initial Access

Reconnaissance and Resource Development

Reconnaissance and Resource Development are two tactics that are not in the Enterprise: Windows matrix of the MITRE ATT&CK Framework (version 11). These two tactics are part of the PRE-ATT&CK matrix, which covers the actions that adversaries take before compromising a target. The Enterprise: Windows matrix covers the actions that adversaries take after gaining initial access to a Windows system. Persistence, Execution, Impact, Collection, Privilege Escalation, and Initial Access are all tactics that are in the Enterprise: Windows matrix.

NO.46 To view Files Written to Removable Media within a specified timeframe on a host within the Host Search page, expand and refer to the _______dashboard panel.

Command Line and Admin Tools

Processes and Services

Registry, Tasks, and Firewall

Suspicious File Activity

To view Files Written to Removable Media within a specified timeframe on a host within the Host Search page, you need to expand and refer to the Suspicious File Activity dashboard panel. The Suspicious File Activity dashboard panel shows information such as files written to removable media, files written to system directories by non-system processes, files written to startup folders, etc. The other dashboard panels do not show files written to removable media.

Loading …