CrowdStrike Certified
Falcon Hunter
, 1.Which of the following is a suspicious process behavior?
A. PowerShell running an execution policy of RemoteSigned
B. An Internet browser (eg, Internet Explorer) performing multiple DNS requests
C. PowerShell launching a PowerShell script
D. Non-network processes (eg, notepad exe) making an outbound network
connection
Answer: D
Explanation:
Non-network processes are processes that are not expected to communicate over the
network, such as notepad.exe. If they make an outbound network connection, it could
indicate that they are compromised or maliciously used by an adversary. PowerShell
running an execution policy of RemoteSigned is a default setting that allows local
scripts to run without digital signatures. An Internet browser performing multiple DNS
02
-2
requests is a normal behavior for web browsing. PowerShell launching a PowerShell
FH
C
script is also a common behavior for legitimate tasks.
C
en
Reference: https://www.crowdstrike.com/blog/tech-center/detect-malicious-use-of-non-
m
xa
E
network-processes/
el
ra
pa
a
iv
st
au
2.Which field should you reference in order to find the system time of a *FileWritten
xh
E
event?
n
ió
ac
A. ContextTimeStamp_decimal
par
B. FileTimeStamp_decimal
re
-P
C. ProcessStartTime_decimal
02
-2
FH
D. timestamp
C
C
Answer: A
e
ik
tr
Explanation:
dS
w
ContextTimeStamp_decimal is the field that shows the system time of the event that
ro
C
io
triggered the sensor to send data to the cloud. In this case, it would be the time when
ud
st
the file was written. FileTimeStamp_decimal is the field that shows the last modified
E
de
time of the file, which may not be the same as the time when the file was written.
s
le
ia
ProcessStartTime_decimal is the field that shows the start time of the process that
er
at
M
performed the file write operation, which may not be the same as the time when the
file was written. Timestamp is the field that shows the time when the sensor data was
received by the cloud, which may not be the same as the time when the file was
written.
Reference: https://www.crowdstrike.com/blog/tech-center/understanding-timestamps-
in-crowdstrike-falcon/
3.What Search page would help a threat hunter differentiate testing, DevOPs, or
general user activity from adversary behavior?
A. Hash Search