Pass4Future also provides interactive practice exam software for preparing for the CrowdStrike Certified Falcon Hunter (CCFH-202) exam. Sample free CrowdStrike CCFH-202 exam questions follow; the CCFH-202 practice test software is also available to try.
Adversaries commonly execute discovery commands such as net.exe, ipconfig.exe, and whoami.exe. Rather than query for each of these commands individually, you would like to use a single query with all of them. What Splunk operator is needed to complete the following query?
Answer : A
The OR operator is needed to complete the query, because it returns events that match any one of the listed values. The completed query is:
event_simpleName=ProcessRollup2 FileName=net.exe OR FileName=ipconfig.exe OR FileName=whoami.exe
OR combines several search terms and returns events that satisfy at least one of them. AND would require a single event to carry all three file names at once, so it returns nothing; NOT excludes matches rather than adding them; IN can express the same set membership in a different form, FileName IN (net.exe, ipconfig.exe, whoami.exe), but it does not fit between the three FileName= terms as the query is written. Note that this query keys on FileName only: a renamed copy of net.exe would be missed, so pivot on CommandLine or the file's SHA256 hash when that matters.
You would like to search for ANY process execution that used a file stored in the Recycle Bin on a Windows host. Select the option to complete the following EAM query.
Answer : B
This option completes the EAM query by placing a wildcard on each side of the Recycle Bin folder name (on disk the folder is $Recycle.Bin):
event_simpleName=ProcessRollup2 FileName=*$Recycle.Bin*
The asterisk (*) matches any number of characters before or after the specified string, so any drive letter, per-user SID subfolder and file name are covered. The other options use wildcard characters that do not match the desired pattern. A practitioner caveat: FileName in ProcessRollup2 holds only the base name of the executable, while ImageFileName holds the full path, so a hunt that needs the directory should match the wildcard against ImageFileName.
Which of the following is the proper method to quantify search results, enabling a hunter to quickly sort and identify outliers?
Answer : A
This is the proper method to quantify search results, enabling a hunter to quickly sort and identify outliers. The stats command calculates summary statistics (count, sum, average, and so on) over the results of a search or subsearch. stats count by <field> counts the events for each distinct value of one or more fields and returns them as a table; piped through sort - count, the most common values sit at the top and the rare ones at the bottom, and either end can point to anomalies or deviations from normal behaviour.
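As an added example (not from Pass4Future or CrowdStrike), the three query patterns above implemented in Python over constructed Falcon ProcessRollup2-style events: the OR filter on a set of discovery commands, the wildcard match on a Recycle Bin path, and stats count by with sorting to surface outliers. The field names ComputerName and ImageFileName are assumed from the Falcon event schema; every value in the sample data is made up.

```python
"""Frequency hunting over constructed ProcessRollup2-style events.
Added example, not code from the page or from CrowdStrike."""
import json
from collections import Counter
from fnmatch import fnmatch

# Constructed sample data in the shape of Falcon ProcessRollup2 records
# (ComputerName and ImageFileName are assumed from the Falcon schema).
# WS07 runs all three discovery commands back to back, and WS02 executes
# a binary out of the Recycle Bin; both are the sort of thing a hunt
# should surface.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS01",
     "FileName": "explorer.exe", "ImageFileName": r"C:\Windows\explorer.exe"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS01",
     "FileName": "whoami.exe", "ImageFileName": r"C:\Windows\System32\whoami.exe"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS07",
     "FileName": "whoami.exe", "ImageFileName": r"C:\Windows\System32\whoami.exe"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS07",
     "FileName": "net.exe", "ImageFileName": r"C:\Windows\System32\net.exe"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS07",
     "FileName": "ipconfig.exe", "ImageFileName": r"C:\Windows\System32\ipconfig.exe"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS02",
     "FileName": "svchost.exe", "ImageFileName": r"C:\Windows\System32\svchost.exe"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS02",
     "FileName": "updater.exe",
     "ImageFileName": r"C:\$Recycle.Bin\S-1-5-21-1111-2222-3333-1001\updater.exe"},
])

DISCOVERY_COMMANDS = {"net.exe", "ipconfig.exe", "whoami.exe"}


def parse_events(raw):
    """One JSON object per line, as an event export would be."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def discovery_executions(events):
    """Equivalent of
    event_simpleName=ProcessRollup2 FileName=net.exe OR FileName=ipconfig.exe OR FileName=whoami.exe
    Splunk matches field values case-insensitively, hence the lower()."""
    return [e for e in events
            if e.get("event_simpleName") == "ProcessRollup2"
            and e.get("FileName", "").lower() in DISCOVERY_COMMANDS]


def recycle_bin_executions(events, pattern="*$recycle.bin*"):
    """Wildcard on both sides of the folder name, like *$Recycle.Bin* in SPL.
    The match is made on ImageFileName because FileName holds only the
    base name and never contains the directory."""
    return [e for e in events
            if e.get("event_simpleName") == "ProcessRollup2"
            and fnmatch(e.get("ImageFileName", "").lower(), pattern)]


def count_by(events, *fields):
    """stats count by <fields> | sort - count: one row per distinct value
    combination, most frequent first, ties broken by value for stable output."""
    counts = Counter(tuple(e.get(f, "") for f in fields) for e in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def outliers(events, *fields, threshold=1):
    """Rows at or below the threshold: the rare values a hunter reads first."""
    return [row for row in count_by(events, *fields) if row[1] <= threshold]


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    hits = discovery_executions(events)
    for key, n in count_by(hits, "ComputerName", "FileName"):
        print(n, *key)
    for e in recycle_bin_executions(events):
        print("recycle bin execution:", e["ComputerName"], e["ImageFileName"])
```

Counting by ComputerName puts WS07 at the top of the table (three discovery commands from one host), while counting by FileName shows which command is unusual across the fleet; reading both ends of a sorted stats table is the habit the question is testing.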
Refer to Exhibit.
What type of attack would this process tree indicate?
Answer : C
This process tree indicates a phishing attack: a user opens an email attachment in outlook.exe, which launches cmd.exe (a malicious macro or script), which in turn runs powershell.exe to download and execute a payload, after which svchost.exe connects to a remote server. A mail client spawning a command shell and PowerShell is not normal user activity, and that parent-child chain is what makes the tree suspicious. A phishing attack is a type of social engineering attack that uses deceptive emails or messages to trick users into opening malicious attachments or links that can compromise their systems or credentials.
Which pre-defined reports offer information surrounding activities that typically indicate suspicious activity occurring on a system?
Answer : B
Hunt reports are pre-defined reports that surface activities which typically indicate suspicious behaviour on a system. They are built on common threat hunting use cases and queries and present visualizations and summaries of the results, so a hunter can quickly identify and investigate potential threats in the environment without writing each query by hand.