Pass the CrowdStrike CCFH CCFH-202b Questions and answers with ExamsMirror

In the context of the MITRE ATT & CK Framework , the creation of a scheduled task is a quintessential technique within the Persistence tactic (specifically T1053). Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their flow. By scheduling a task to execute a remote management application, the attacker ensures that their connection to the compromised host is maintained automatically without requiring manual re-exploitation.

Within the Falcon platform, hunters monitor for this behavior by analyzing events such as ScheduledTaskRegistered or process executions originating from taskeng.exe or schtasks.exe. While scheduled tasks can occasionally be used for Privilege Escalation (if the task runs with SYSTEM privileges) or Execution , the primary goal of creating a permanent task for a management application is to ensure long-term, stable access to the environment. Effective hunting methodology involves pivoting from the detection of a new scheduled task to identifying the source process that created it. This allows the analyst to determine if the task was part of a legitimate administrative action or an unauthorized persistence mechanism designed to facilitate further malicious activity, such as data exfiltration or internal reconnaissance.

==========

In the CrowdStrike Query Language (CQL) used within the LogScale-powered Advanced Event Search, the groupBy() function is the essential tool for data aggregation and summarization. As observed in the first image, Line 2 of the query (partially obscured) utilizes the function= parameter to define multiple aggregate calculations, such as count(aid, distinct=true) and count(aid). This syntax is the hallmark of a groupBy statement.

The results shown in the subsequent images display a table where each row is unique to a specific SHA256HashData . This indicates that the data has been grouped by that specific field to provide a summary of its activity across the environment. The groupBy function allows a hunter to take millions of individual process events and collapse them into a readable format that highlights uniqueEndpoints and totalExecutions per file hash.

This methodology is fundamental to Hunting Analytics , specifically for performing Least Frequency Analysis . By grouping by the hash and counting the unique endpoints, an analyst can quickly identify binaries that are running on only one or two systems—a common characteristic of targeted malware or custom hacking tools. While functions like table (Option C) are used to format the final display and eval (Option A) is used for field transformations, only groupBy provides the structural aggregation required to generate the multi-column statistical overview seen in the results.

In global incident response, timestamps are typically stored in the Falcon platform as Unix epoch time (UTC). To make this data readable and relevant to local investigators, the formatTime() function is used within Event Search to convert these raw numbers into human-readable strings. The timezone parameter is the specific argument required to adjust the output from the default UTC to a specific regional clock, such as Central European Summer Time.

While the format parameter defines how the date appears (e.g., YYYY-MM-DD), and locale might influence language-specific formatting (like month names), only the timezone parameter correctly offsets the hours based on geographic location and Daylight Saving Time rules. For a hunter, providing logs in the correct timezone is not just a matter of convenience; it is essential for correlating Falcon data with other local logs, such as physical badge access records or firewall logs that may be set to local time. Accurate time synchronization across different data sources is vital during the "reconstruction" phase of a hunt to ensure that the sequence of adversary events is perfectly aligned with the real-world timeline of the breach. Utilizing the timezone parameter ensures that the investigation team can accurately determine exactly when a malicious action occurred relative to their own working hours.

==========

This query is a sophisticated example of using Event Search to visualize potential external threats. The key to identifying the purpose lies in the LogonType=10 filter. In Windows event logging, Logon Type 10 specifically refers to Remote Interactive logons, which are almost exclusively associated with Remote Desktop Protocol (RDP) sessions. By combining this with RemoteAddressIP4=*, the hunter is isolating instances where a user has accessed a system remotely.

The query then utilizes the !cidr function (the exclamation mark denotes a "NOT" operation) to exclude all internal and private IP ranges defined by RFC 1918 (such as 10.x.x.x and 192.168.x.x) as well as loopback and multicast addresses. This ensures that the resulting dataset only contains logons originating from external/public IP addresses . The ipLocation function enriches these external IPs with geographic metadata (city, country, coordinates), and the worldMap function aggregates this data to plot the origin of these RDP connections onto a global map. For a hunter, this is a vital tool for detecting "Impossible Travel" scenarios or identifying unauthorized access attempts from high-risk geographic regions. Visualizing the magnitude of connections per aid (Agent ID) allows the analyst to quickly spot which specific endpoints are being targeted by external RDP brute-force or credential stuffing attacks.

The Falcon platform includes a dedicated category of built-in dashboards and visualizations known as Hunt reports . These reports are specifically engineered to surface high-confidence behavioral anomalies that do not necessarily trigger a standard malware detection but are statistically or contextually suspicious. They serve as a "proactive starting point" for analysts within the Reports and References section of the console.

Examples of Hunt reports include dashboards that identify executables running from the Recycle Bin, unusual parent-child process relationships (like cmd.exe spawned from sqlservr.exe), or suspicious usage of dual-use tools like psexec.exe or wmic.exe. Unlike standard "Detection Activity" reports, which show what the sensor has already caught, Hunt reports are designed to help the analyst find the "undiscovered" threats. Utilizing these reports is a core part of an advanced Hunting Methodology , allowing a team to move from reactive response to proactive threat discovery. By regularly reviewing these reports, a hunter can identify low-frequency, high-impact events that might represent an advanced adversary's initial reconnaissance or persistence efforts that have managed to stay below the threshold of an automated alert.

In the context of Search and Investigation Tools , tracking the use of unauthorized or unencrypted USB storage devices is a critical component of internal threat hunting and data loss prevention (DLP). The Falcon sensor records these hardware interactions using the specific event name RemovableMediaVolumeMounted . This event is triggered whenever the operating system successfully mounts a removable storage volume, such as a USB flash drive or an external hard disk.

Option A is the correct CrowdStrike Query Language (CQL) syntax because it pairs the appropriate event with fields that provide meaningful forensic context. Fields like VolumeDriveLetter identify which logical drive was assigned (e.g., E: or F:), while VolumeFileSystemDevice and VolumeFileSystemDriver offer technical details about the hardware interface and the driver utilized to facilitate the mount.

Conversely, Option B selects fields that are relevant to process execution and network connectivity (like hashes and IP addresses), which are not typically populated in a volume mount event. Option C focuses on ProcessRollup2 , which tracks the starting of executables rather than hardware mounts. Option D utilizes FsVolumeMounted, which is a broader event that includes internal fixed partitions and network drives, making it less precise for hunting specifically for "removable" media. By utilizing the query in Option A, a hunter can build a timeline of when external devices were connected to the environment, allowing them to correlate these mounts with subsequent file writes or "Exfiltration" behaviors.

In the context of Hunting Analytics , identifying the exploitation of CVE-2021-44228 (Log4j) requires looking for specific patterns associated with the Java Naming and Directory Interface (JNDI). The vulnerability allows an attacker to send a specially crafted string—often via an HTTP header or input field—that the Log4j library then parses and executes, leading to a remote JNDI lookup and subsequent code execution.

The event #event_simpleName=ScriptControlDetectInfo is particularly effective for this hunt because it provides visibility into the actual scripts and commands being interpreted and executed by the system. By searching the ScriptContent field for the regex /.*jndi:\w{1,5}:?\}?\/\/.*\}/i, a hunter can identify the tell-tale signature of a Log4j exploit payload, such as ${jndi:ldap://...}. While Option B targets the HttpRequestHeader, this requires specific network-level visibility that might not always be present or indexed in the same way as script execution telemetry. The ScriptControlDetectInfo event captures the payload when it interacts with the underlying system's script engines, providing a more definitive link between the exploit attempt and the resulting malicious activity on the Linux host. Using this granular level of visibility allows hunters to distinguish between a simple probe (network level) and an active exploitation attempt where the malicious string is being processed by the application's runtime environment.

When conducting an Event Search using the CrowdStrike Query Language (CQL) , precision in naming event types is paramount. The Falcon sensor records the creation and modification of scheduled tasks under the specific event name ScheduledTaskRegistered . This event is highly valuable for hunters investigating Persistence (MITRE T1053), as it captures the specific details of the task, including the command to be executed, the frequency of the trigger, and the identity of the user who created it.

Option B is the correct query because it directly targets the administrative action of task registration and filters the results by the UserName field to isolate actions taken by "Doris." Option A is incorrect as it looks for files with a specific extension, and Option C focuses on the Task Manager GUI process (taskmgr.exe), which is not the process responsible for the actual background registration of tasks (that is typically handled by svchost.exe or schtasks.exe). Option D uses a non-existent event name. By using the ScheduledTaskRegistered event, a hunter can immediately see if an account—potentially a compromised one—is being used to establish a long-term foothold in the environment. This search is a core component of a "Persistence Hunt," where the goal is to find unauthorized automation that allows an attacker's code to survive system reboots and credential rotations.

In the realm of Hunting Analytics , the ability to quantify data is the first step toward identifying outliers—the "needles in the haystack." The stats() function in Advanced Event Search (LogScale) is the most versatile tool for this purpose. While groupBy() is used to organize data into buckets, stats() is required to perform mathematical aggregations such as count(), sum(), avg(), or stdDev().

To identify outliers, a hunter typically wants to see which events occur with the lowest frequency (Least-Frequency Analysis) or which values deviate significantly from the mean. By appending | stats(count(), function=[...]) to a query, the analyst transforms raw event logs into a statistical summary. For example, a hunter might use stats() to count the number of unique external IP connections per process; a process that normally connects to one IP but suddenly c onnects to 500 would stand out as a clear outlier. This quantification is what allows a hunter to move from "searching" to "analyzing." While eval() is used for calculating new fields and sample() is used for performance testing on large datasets, stats() provides the numerical foundation necessary for sophisticated behavioral baselining and the detection of anomalous activity that doesn't trigger standard signature-based alerts.

==========

In the event of a widespread ransomware outbreak, the primary objective of the Hunting Methodology shifts toward identifying "Patient Zero"—the first system compromised in the environment. While reverse engineering (Option D) and vulnerability management (Option C) provide long-term value, they do not offer the immediate forensic clarity needed to stop an active spread or identify the entry point. By utilizing Advanced Event Search to create a chronological timeline of file encryption events (typically identified by high-frequency fswrite operations or specific ransom note creation), a hunter can pinpoint the exact timestamp and host where the activity originated.

This process involves searching for the earliest instances of the ransomware's execution or the first signs of large-scale file modifications across the entire fleet. Once the first system is identified, the analyst can then pivot to look for the activity that occurred prior to the encryption, such as a suspicious email attachment execution, a web-based exploit, or a compromised RDP session. This "backwards-looking" investigation is essential for determining the initial delivery mechanism. Identifying the source host allows the security team to isolate the breach at its root, invalidate compromised credentials used for the initial access, and ensure that remediation efforts are not just treating the symptoms (the encrypted files) but addressing the actual cause of the enterprise-wide infection.