This page was exported from Exams Labs Braindumps [ http://blog.examslabs.com ] Export date: Sat Nov 23 8:20:25 2024 / +0000 GMT

Title: CrowdStrike CCFH-202 Exam Prep Guide
Prep guide for the CCFH-202 Exam [Q35-Q53]

2024 New Preparation Guide of CrowdStrike CCFH-202 Exam

Q35. Refer to Exhibit. What type of attack would this process tree indicate?
- Brute Forcing Attack
- Man-in-the-middle Attack
- Phishing Attack
- Web Application Attack
This process tree indicates a phishing attack: it shows a user opening an email attachment (outlook.exe) that launches a malicious macro (cmd.exe), which downloads and executes a payload (powershell.exe) that connects to a remote server (svchost.exe). A phishing attack is a type of social engineering attack that uses deceptive emails or messages to trick users into opening malicious attachments or links that can compromise their systems or credentials.

Q36. How do you rename fields while using transforming commands such as table, chart, and stats?
- By renaming the fields with the “rename” command after the transforming command, e.g. “stats count by ComputerName | rename count AS total_count”
- You cannot rename fields, as it would affect sub-queries and statistical analysis
- By using the “renamed” keyword after the field name, e.g. “stats count renamed totalcount by ComputerName”
- By specifying the desired name after the field name, e.g. “stats count totalcount by ComputerName”
The rename command is used to rename fields while using transforming commands such as table, chart, and stats. It is placed after the transforming command and specifies the old and new field names with the AS keyword. Renaming fields does not affect sub-queries and statistical analysis, as long as you use the correct field names in your queries. The “renamed” keyword and the desired name after the field name are not valid ways to rename fields.

Q37. You need details about key data fields and sensor events which you may expect to find from Hosts running the Falcon sensor. Which documentation should you access?
- Events Data Dictionary
- Streaming API Event Dictionary
- Hunting and Investigation
- Event stream APIs
The Events Data Dictionary found in the Falcon documentation is useful for writing hunting queries because it provides a reference of information about the events found in the Investigate > Event Search page of the Falcon Console. The Events Data Dictionary describes each event type, field name, data type, description, and example value that can be used to query and analyze event data. The Streaming API Event Dictionary, Hunting and Investigation, and Event stream APIs are not documentation that provides details about key data fields and sensor events.

Q38. The Process Timeline Events Details table will populate the Parent Process ID and the Parent File columns when the cloudable Event data contains which event field?
- ContextProcessId_decimal
- RawProcessId_decimal
- ParentProcessId_decimal
- RpcProcessId_decimal
The ParentProcessId_decimal event field is the one that causes the Process Timeline Events Details table to populate the Parent Process ID and the Parent File columns when the cloudable Event data contains it. The ParentProcessId_decimal event field is the decimal representation of the process identifier for the parent process of the target process. It can be used to trace the process ancestry and identify potential malicious activity. The ContextProcessId_decimal, RawProcessId_decimal, and RpcProcessId_decimal event fields are not used to populate the Parent Process ID and the Parent File columns.

Q39. Adversaries commonly execute discovery commands such as net.exe, ipconfig.exe, and whoami.exe. Rather than query for each of these commands individually, you would like to use a single query with all of them. What Splunk operator is needed to complete the following query?
- OR
- IN
- NOT
- AND
The OR operator is needed to complete the query, as it allows you to search for events that match any of the specified values. The query would look like this:
event_simpleName=ProcessRollup2 FileName=net.exe OR FileName=ipconfig.exe OR FileName=whoami.exe
The OR operator is used to combine multiple search terms or expressions and return events that match at least one of them. The IN, NOT, and AND operators are not suitable for this query, as they have different functions and meanings.

Q40. The Events Data Dictionary found in the Falcon documentation is useful for writing hunting queries because:
- It provides pre-defined queries you can customize to meet your specific threat hunting needs
- It provides a list of all the detect names and descriptions found in the Falcon Cloud
- It provides a reference of information about the events found in the Investigate > Event Search page of the Falcon Console
- It provides a list of compatible Splunk commands used to query event data
This is the correct answer for the same reason as above. The Events Data Dictionary provides a reference of information about the events found in the Investigate > Event Search page of the Falcon Console, which is useful for writing hunting queries. It does not provide pre-defined queries, detect names and descriptions, or compatible Splunk commands.

Q41. What is the main purpose of the Mac Sensor report?
- To identify endpoints that are in Reduced Functionality Mode
- To provide a summary view of selected activities on Mac hosts
- To provide vulnerability assessment for Mac Operating Systems
- To provide a dashboard for Mac related detections
The Mac Sensor report is a pre-defined report that provides a summary view of selected activities on Mac hosts. It shows information such as process execution events, network connection events, file write events, etc. that occurred on Mac hosts within a specified time range. The Mac Sensor report does not identify endpoints that are in Reduced Functionality Mode, provide vulnerability assessment for Mac Operating Systems, or provide a dashboard for Mac related detections.

Q42. Which of the following best describes the purpose of the Mac Sensor report?
- The Mac Sensor report displays a listing of all Mac hosts without a Falcon sensor installed
- The Mac Sensor report provides a detection focused view of known malicious activities occurring on Mac hosts, including machine-learning and indicator-based detections
- The Mac Sensor report displays a listing of all Mac hosts with a Falcon sensor installed
- The Mac Sensor report provides a comprehensive view of activities occurring on Mac hosts, including items of interest that may be hunting or investigation leads
This is the correct answer for the same reason as above. The Mac Sensor report provides a comprehensive view of activities occurring on Mac hosts, including items of interest that may be hunting or investigation leads. It does not display a listing of all Mac hosts with or without a Falcon sensor installed, nor does it provide a detection focused view of known malicious activities occurring on Mac hosts.

Q43. Which of the following is TRUE about a Hash Search?
- Wildcard searches are not permitted with the Hash Search
- The Hash Search provides Process Execution History
- The Hash Search is available on Linux
- Module Load History is not presented in a Hash Search
The Hash Search is an Investigate tool that allows you to search for a file hash and view its process execution history across all hosts in your environment. It shows information such as process name, command line, parent process name, parent command line, etc. for each execution of the file hash. Wildcard searches are permitted with the Hash Search, as long as they are at least four characters long. The Hash Search is available on Linux, as well as Windows and Mac OS X. Module Load History is presented in a Hash Search, along with other information such as File Write History and Detection History.

Q44. Which Falcon documentation guide should you reference to hunt for anomalies related to scheduled tasks and other Windows related artifacts?
- Hunting and Investigation
- Customizable Dashboards
- MITRE-Based Falcon Detections Framework
- Events Data Dictionary
The Hunting and Investigation guide is the Falcon documentation guide that you should reference to hunt for anomalies related to scheduled tasks and other Windows related artifacts. The Hunting and Investigation guide provides sample hunting queries, select walkthroughs, and best practices for hunting with Falcon. It covers various topics such as process execution, network connections, registry activity, scheduled tasks, and more.

Q45. What information is provided from the MITRE ATT&CK framework in a detection’s Execution Details?
- Grouping Tag
- Command Line
- Technique ID
- Triggering Indicator
Technique ID is the information that is provided from the MITRE ATT&CK framework in a detection’s Execution Details. A Technique ID is a unique identifier for each technique in the MITRE ATT&CK framework, such as T1059 for Command and Scripting Interpreter or T1566 for Phishing. The Technique ID helps to map a detection to a specific adversary behavior and tactic. Grouping Tag, Command Line, and Triggering Indicator are not information provided from the MITRE ATT&CK framework in a detection’s Execution Details.

Q46. Which document provides information on best practices for writing Splunk-based hunting queries, predefined queries which may be customized to hunt for suspicious network connections, and predefined queries which may be customized to hunt for suspicious processes?
- Real Time Response and Network Containment
- Hunting and Investigation
- Events Data Dictionary
- Incident and Detection Monitoring
The Hunting and Investigation document provides information on best practices for writing Splunk-based hunting queries, predefined queries which may be customized to hunt for suspicious network connections, and predefined queries which may be customized to hunt for suspicious processes. As explained above, the Hunting and Investigation document is a guide that provides sample hunting queries, select walkthroughs, and best practices for hunting with Falcon. The other documents do not provide the same information.

Q47. When exporting the results of the following event search, what data is saved in the exported file (assuming Verbose Mode)?
event_simpleName=*Written | stats count by ComputerName
- The text of the query
- The results of the Statistics tab
- No data. Results can only be exported when the “table” command is used
- All events in the Events tab
When exporting the results of an event search, the data that is saved in the exported file depends on the mode and the tab that is selected. In this case, the mode is Verbose and the tab is Statistics, as indicated by the stats command. Therefore, the data that is saved in the exported file is the results of the Statistics tab, which shows the count of events by ComputerName. The text of the query, all events in the Events tab, and no data are not correct answers.

Q48. Which of the following is an example of actor actions during the RECONNAISSANCE phase of the Cyber Kill Chain?
- Installing a backdoor on the victim endpoint
- Discovering internet-facing servers
- Emailing the intended victim with a malware attachment
- Loading a malicious payload into a common DLL
Discovering internet-facing servers is an example of actor actions during the RECONNAISSANCE phase of the Cyber Kill Chain. The RECONNAISSANCE phase is where the adversary researches and identifies targets, vulnerabilities, and attack vectors. Discovering internet-facing servers is a way for the adversary to find potential entry points or weaknesses in the target network.

Q49. In the MITRE ATT&CK Framework (version 11 – the newest version released in April 2022), which of the following pairs of tactics is not in the Enterprise: Windows matrix?
- Persistence and Execution
- Impact and Collection
- Privilege Escalation and Initial Access
- Reconnaissance and Resource Development
Reconnaissance and Resource Development are two tactics that are not in the Enterprise: Windows matrix of the MITRE ATT&CK Framework (version 11). These two tactics are part of the PRE-ATT&CK matrix, which covers the actions that adversaries take before compromising a target. The Enterprise: Windows matrix covers the actions that adversaries take after gaining initial access to a Windows system. Persistence, Execution, Impact, Collection, Privilege Escalation, and Initial Access are all tactics that are in the Enterprise: Windows matrix.

Q50. Which of the following is the proper method to quantify search results, enabling a hunter to quickly sort and identify outliers?
- Using the “| stats count by” command at the end of a search string in Event Search
- Using the “| stats count” command at the end of a search string in Event Search
- Using the “| eval” command at the end of a search string in Event Search
- Exporting Event Search results to a spreadsheet and aggregating the results
Using “| stats count by” at the end of a search string is the proper method to quantify search results, enabling a hunter to quickly sort and identify outliers. The stats command is used to calculate summary statistics on the results of a search or subsearch, such as count, sum, average, etc. The “count by” option counts the number of events for each distinct value of a field or fields and displays them in a table. This can help find rare or common values that could indicate anomalies or deviations from normal behavior.

Q51. Which pre-defined reports offer information surrounding activities that typically indicate suspicious activity occurring on a system?
- Scheduled searches
- Hunt reports
- Sensor reports
- Timeline reports
Hunt reports are pre-defined reports that offer information surrounding activities that typically indicate suspicious activity occurring on a system. They are based on common threat hunting use cases and queries, and they provide visualizations and summaries of the results. Hunt reports can help threat hunters quickly identify and investigate potential threats in their environment.

Q52. SPL (Splunk) eval statements can be used to convert Unix times (Epoch) into UTC readable time. Which eval function is correct?
- strftime
- relative_time
- typeof
- now
The strftime eval function is used to convert Unix times (Epoch) into UTC readable time. It takes two arguments: a Unix time field and a format string that specifies how to display the time. The now, typeof, and relative_time eval functions are not used to convert Unix times into UTC readable time.

Q53. To find events that are outliers inside a network, ___________ is the best hunting method to use.
- time-based
- machine learning
- searching
- stacking
Stacking (Frequency Analysis) is the best hunting method to use to find events that are outliers inside a network. Stacking involves grouping events by a common attribute and counting their frequency, then sorting them in ascending or descending order to identify rare or common events. This can help find anomalies or deviations from normal behavior that could indicate malicious activity. Time-based searching, machine learning, and searching are not specific hunting methods to find outliers.
Latest Questions CCFH-202 Guide to Prepare Free Practice Tests: https://www.examslabs.com/CrowdStrike/CrowdStrike-Certified-Falcon-Hunter/best-CCFH-202-exam-dumps.html

Post date: 2024-03-23 14:53:20 GMT