CrowdStrike CCFH-202 Study Materials - Comprehensive Preparation for the CCFH-202 Exam


Pass your CrowdStrike Certified Falcon Hunter CCFH-202 exam on the first attempt with the latest CrowdStrike CCFH-202 study materials. We offer comprehensive preparation for the CCFH-202 exam, ensuring success in your professional aspirations. Our exam questions for the CCFH-...


Preview 2 out of 12  pages

  • November 29, 2024
  • 12 pages
  • 2024/2025
  • Exam (elaborations)
  • Questions & answers
  • ccfh 202
  • Self-Study

Seller: ebaytter
CCFH-202
CrowdStrike Certified
Falcon Hunter

1. Which of the following is a suspicious process behavior?
A. PowerShell running an execution policy of RemoteSigned
B. An Internet browser (e.g., Internet Explorer) performing multiple DNS requests
C. PowerShell launching a PowerShell script
D. Non-network processes (e.g., notepad.exe) making an outbound network connection
Answer: D
Explanation:
Non-network processes are processes that are not expected to communicate over the network, such as notepad.exe. If they make an outbound network connection, it could indicate that they are compromised or maliciously used by an adversary. PowerShell running an execution policy of RemoteSigned is a default setting that allows local scripts to run without digital signatures. An Internet browser performing multiple DNS requests is a normal behavior for web browsing. PowerShell launching a PowerShell script is also a common behavior for legitimate tasks.
Reference: https://www.crowdstrike.com/blog/tech-center/detect-malicious-use-of-non-network-processes/

2. Which field should you reference in order to find the system time of a *FileWritten event?
A. ContextTimeStamp_decimal
B. FileTimeStamp_decimal
C. ProcessStartTime_decimal
D. timestamp
Answer: A
Explanation:
ContextTimeStamp_decimal is the field that shows the system time of the event that triggered the sensor to send data to the cloud. In this case, it would be the time when the file was written. FileTimeStamp_decimal is the field that shows the last modified time of the file, which may not be the same as the time when the file was written. ProcessStartTime_decimal is the field that shows the start time of the process that performed the file write operation, which may not be the same as the time when the file was written. Timestamp is the field that shows the time when the sensor data was received by the cloud, which may not be the same as the time when the file was written.
Reference: https://www.crowdstrike.com/blog/tech-center/understanding-timestamps-in-crowdstrike-falcon/


3. What Search page would help a threat hunter differentiate testing, DevOps, or general user activity from adversary behavior?
A. Hash Search
