CrowdStrike CCFH-202 Exam Prep Guide Prep guide for the CCFH-202 Exam [Q35-Q53]

March 23, 2024 CCFH-202, CrowdStrike 0 Comments

CrowdStrike CCFH-202 Exam Prep Guide Prep guide for the CCFH-202 Exam [Q35-Q53]

Rate this post

CrowdStrike CCFH-202 Exam Prep Guide: Prep guide for the CCFH-202 Exam

2024 New Preparation Guide of CrowdStrike CCFH-202 Exam

Q35. Refer to Exhibit.

What type of attack would this process tree indicate?

Brute Forcing Attack

Man-in-the-middle Attack

Phishing Attack

Web Application Attack

Q36. How do you rename fields while using transforming commands such as table, chart, and stats?

By renaming the fields with the “rename” command after the transforming command e.g. “stats count by ComputerName | rename count AS total_count”

You cannot rename fields as it would affect sub-queries and statistical analysis

By using the “renamed” keyword after the field name eg “stats count renamed totalcount by ComputerName”

By specifying the desired name after the field name eg “stats count totalcount by ComputerName”

Q37. You need details about key data fields and sensor events which you may expect to find from Hosts running the Falcon sensor. Which documentation should you access?

Events Data Dictionary

Streaming API Event Dictionary

Hunting and Investigation

Event stream APIs

Q38. The Process Timeline Events Details table will populate the Parent Process ID and the Parent File columns when the cloudable Event data contains which event field?

ContextProcessld_decimal

RawProcessld_decimal

ParentProcessld_decimal

RpcProcessld_decimal

Q39. Adversaries commonly execute discovery commands such as netexe, ipconfig.exe, and whoami exe. Rather than query for each of these commands individually, you would like to use a single query with all of them. What Splunk operator is needed to complete the following query?

NOT

AND

Q40. The Events Data Dictionary found in the Falcon documentation is useful for writing hunting queries because:

It provides pre-defined queries you can customize to meet your specific threat hunting needs

It provides a list of all the detect names and descriptions found in the Falcon Cloud

It provides a reference of information about the events found in the Investigate > Event Search page of the Falcon Console

It provides a list of compatible splunk commands used to query event data

Q41. What is the main purpose of the Mac Sensor report?

To identify endpoints that are in Reduced Functionality Mode

To provide a summary view of selected activities on Mac hosts

To provide vulnerability assessment for Mac Operating Systems

To provide a dashboard for Mac related detections

Q42. Which of the following best describes the purpose of the Mac Sensor report?

The Mac Sensor report displays a listing of all Mac hosts without a Falcon sensor installed

The Mac Sensor report provides a detection focused view of known malicious activities occurring on Mac hosts, including machine-learning and indicator-based detections

The Mac Sensor report displays a listing of all Mac hosts with a Falcon sensor installed

The Mac Sensor report provides a comprehensive view of activities occurring on Mac hosts, including items of interest that may be hunting or investigation leads

Q43. Which of the following is TRUE about a Hash Search?

Wildcard searches are not permitted with the Hash Search

The Hash Search provides Process Execution History

The Hash Search is available on Linux

Module Load History is not presented in a Hash Search

Q44. Which Falcon documentation guide should you reference to hunt for anomalies related to scheduled tasks and other Windows related artifacts?

Hunting and Investigation

Customizable Dashboards

MITRE-Based Falcon Detections Framework

Events Data Dictionary

Q45. What information is provided from the MITRE ATT&CK framework in a detection’s Execution Details?

Grouping Tag

Command Line

Technique ID

Triggering Indicator

Q46. Which document provides information on best practices for writing Splunk-based hunting queries, predefined queries which may be customized to hunt for suspicious network connections, and predefined queries which may be customized to hunt for suspicious processes?

Real Time Response and Network Containment

Hunting and Investigation

Events Data Dictionary

Incident and Detection Monitoring

Q47. When exporting the results of the following event search, what data is saved in the exported file (assuming Verbose Mode)? event_simpleName=*Written | stats count by ComputerName

The text of the query

The results of the Statistics tab

No data Results can only be exported when the “table” command is used

All events in the Events tab

Q48. Which of the following is an example of actor actions during the RECONNAISSANCE phase of the Cyber Kill Chain?

Installing a backdoor on the victim endpoint

Discovering internet-facing servers

Emailing the intended victim with a malware attachment

Loading a malicious payload into a common DLL

Q49. In the MITRE ATT&CK Framework (version 11 – the newest version released in April 2022), which of the following pair of tactics is not in the Enterprise: Windows matrix?

Persistence and Execution

Impact and Collection

Privilege Escalation and Initial Access

Reconnaissance and Resource Development

Q50. Which of the following is the proper method to quantify search results, enabling a hunter to quickly sort and identify outliers?

Using the “| stats count by” command at the end of a search string in Event Search

Using the “|stats count” command at the end of a search string in Event Search

Using the “|eval” command at the end of a search string in Event Search

Exporting Event Search results to a spreadsheet and aggregating the results

Q51. Which pre-defined reports offer information surrounding activities that typically indicate suspicious activity occurring on a system?

Scheduled searches

Hunt reports