DUMPS
BASE
EXAM DUMPS
CROWDSTRIKE
CCFH-202
28% OFF Automatically For You
CrowdStrike Certified Falcon Hunter Accelerate Your Success with the CCFH-202 Dumps V9.03 - Check CCFH-202 Free Demo Online 1.Which of the following is a suspicious process behavior?
A. PowerShell running an execution policy of RemoteSigned
B. An Internet browser (eg, Internet Explorer) performing multiple DNS requests
C. PowerShell launching a PowerShell script
D. Non-network processes (eg, notepad exe) making an outbound network
connection
Answer: D
Explanation:
Non-network processes are processes that are not expected to communicate over the
network, such as notepad.exe. If they make an outbound network connection, it could
indicate that they are compromised or maliciously used by an adversary. PowerShell
running an execution policy of RemoteSigned is a default setting that allows local
scripts to run without digital signatures. An Internet browser performing multiple DNS
requests is a normal behavior for web browsing. PowerShell launching a PowerShell
script is also a common behavior for legitimate tasks.
Reference: https://www.crowdstrike.com/blog/tech-center/detect-malicious-use-of-non-
network-processes/
2.Which field should you reference in order to find the system time of a *FileWritten
event?
A. ContextTimeStamp_decimal
B. FileTimeStamp_decimal
C. ProcessStartTime_decimal
D. timestamp
Answer: A
Explanation:
ContextTimeStamp_decimal is the field that shows the system time of the event that
triggered the sensor to send data to the cloud. In this case, it would be the time when
the file was written. FileTimeStamp_decimal is the field that shows the last modified
time of the file, which may not be the same as the time when the file was written.
ProcessStartTime_decimal is the field that shows the start time of the process that
performed the file write operation, which may not be the same as the time when the
file was written. Timestamp is the field that shows the time when the sensor data was
received by the cloud, which may not be the same as the time when the file was
written.
Reference: https://www.crowdstrike.com/blog/tech-center/understanding-timestamps-
in-crowdstrike-falcon/
3.What Search page would help a threat hunter differentiate testing, DevOPs, or
general user activity from adversary behavior?
A. Hash Search
BASE
EXAM DUMPS
CROWDSTRIKE
CCFH-202
28% OFF Automatically For You
CrowdStrike Certified Falcon Hunter Accelerate Your Success with the CCFH-202 Dumps V9.03 - Check CCFH-202 Free Demo Online 1.Which of the following is a suspicious process behavior?
A. PowerShell running an execution policy of RemoteSigned
B. An Internet browser (eg, Internet Explorer) performing multiple DNS requests
C. PowerShell launching a PowerShell script
D. Non-network processes (eg, notepad exe) making an outbound network
connection
Answer: D
Explanation:
Non-network processes are processes that are not expected to communicate over the
network, such as notepad.exe. If they make an outbound network connection, it could
indicate that they are compromised or maliciously used by an adversary. PowerShell
running an execution policy of RemoteSigned is a default setting that allows local
scripts to run without digital signatures. An Internet browser performing multiple DNS
requests is a normal behavior for web browsing. PowerShell launching a PowerShell
script is also a common behavior for legitimate tasks.
Reference: https://www.crowdstrike.com/blog/tech-center/detect-malicious-use-of-non-
network-processes/
2.Which field should you reference in order to find the system time of a *FileWritten
event?
A. ContextTimeStamp_decimal
B. FileTimeStamp_decimal
C. ProcessStartTime_decimal
D. timestamp
Answer: A
Explanation:
ContextTimeStamp_decimal is the field that shows the system time of the event that
triggered the sensor to send data to the cloud. In this case, it would be the time when
the file was written. FileTimeStamp_decimal is the field that shows the last modified
time of the file, which may not be the same as the time when the file was written.
ProcessStartTime_decimal is the field that shows the start time of the process that
performed the file write operation, which may not be the same as the time when the
file was written. Timestamp is the field that shows the time when the sensor data was
received by the cloud, which may not be the same as the time when the file was
written.
Reference: https://www.crowdstrike.com/blog/tech-center/understanding-timestamps-
in-crowdstrike-falcon/
3.What Search page would help a threat hunter differentiate testing, DevOPs, or
general user activity from adversary behavior?
A. Hash Search
