CCFH-202b CrowdStrike Certified Falcon Hunter Questions and Answers

Within the LogScale-powered Advanced Event Search , the groupBy() function is the primary analytical tool for aggregating high-volume data into meaningful summaries. When dealing with the #repo=detections repository, an analyst is often overwhelmed by the sheer number of individual alerts. By grouping the results by FileName and CommandLine, the hunter can effectively "stack" similar malicious activities, allowing them to identify widespread patterns—such as a specific script being executed across hundreds of hosts—rather than triaging each event in isolation.

The function=collect([ComputerName]) argument is particularly valuable in Hunting Analytics as it creates a list of all unique endpoints associated with each specific process/command-line combination. This provides an immediate view of the "blast radius" for a particular detection. While the stats function is often used for mathematical calculations like counting or averaging, groupBy is the standard and most efficient syntax for organizational clustering in the Falcon environment. Using the limit=max parameter ensures that the query doesn't truncate the results, providing a complete picture of the activity across the 90-day window. This methodology transforms a raw list of detections into structured threat intelligence, enabling the hunter to prioritize remediation for the most prevalent or geographically widespread threats first.

The Falcon platform provides specialized Search and Investigation Tools tailored to different forensic starting points. When the pivot point of an investigation is a specific person or account rather than a file or a machine, the User Search dashboard is the most effective tool. While a Host Search would show everything happening on a specific computer (which might include activity from multiple users or system services), the User Search aggregates all activity associated with a specific Username across the entire environment.

By entering the suspect's username into this dashboard, a hunter can view a comprehensive list of all processes, command-line arguments, and network connections initiated under that user’s credentials, regardless of which endpoint they logged into. This is particularly useful for identifying "Insider Threats" or "Privilege Abuse," where an admin might be using net.exe to modify groups or psexec.exe to move laterally. The User Search provides a chronological view of that user's actions, making it easy to spot unauthorized administrative behavior that deviates from their standard job duties. Once a suspicious command is found in the User Search, the analyst can then pivot to the Process Timeline or Process Context for deeper technical inspection of that specific execution.

In Event Search , correlating the full scope of a process's activity requires an understanding of the "Process ID Trinity." When the process reallysus.exe is executed, its primary identity is captured in a ProcessRollup2 event under the TargetProcessId . However, searching only for the TargetProcessId would merely return the process start record. To see the actions the process performed—such as connecting to a malicious IP or writing a persistence key—the hunter must also search for the ContextProcessId .

The ContextProcessId is used in all telemetry events generated by that process. Furthermore, for cross-process activity initiated via Remote Procedure Calls, the RpcClientProcessId may be involved. By using the OR operator to combine TargetProcessId, ContextProcessId, and RpcClientProcessId in a single query, the hunter ensures they are capturing the entire lifecycle: the creation of the process, every network/file/registry operation it performed, and its interactions with other system services. This comprehensive search strategy is fundamental to Search and Investigation Tools , as it allows for a seamless reconstruction of the adversary's timeline. Missing any of these identifiers would result in "blind spots" in the investigation, potentially hiding the most critical evidence of data exfiltration or lateral movement.

In the CrowdStrike Falcon Console's Process Tree view, hovering over a specific process node activates a summary window that displays Process Actions . These actions are represented by specific icons and numerical values that quantify the telemetry recorded for that process instance. Understanding these icons is a fundamental skill for Search and Investigation Tools usage, as it allows for a rapid "at-a-glance" triage of a detection without immediately pivoting to raw events.

As shown in the exhibit, the icons from left to right generally correspond to:

Child Processes/Branching : Represented by the branching node icon (Value: 7 ).

Network Operations : Represented by the antenna/signal icon (Value: 8 ).

DNS Requests : Represented by the purple bullseye/target icon (Value: 61 ).

Disk Operations : Represented by the document/page icon (Value: 4 ).

Registry Modifications : Represented by the shield icon (Value: 0 ).

Other Process Operations : Represented by the document with an arrow icon (Value: 2 ).

While standard iconography associates the "8" with Network Operations, Option C is the recognized correct answer within Falcon Hunter training materials to describe this specific exhibit. It accurately identifies 4 Disk Operations (matching the blue page icon), 61 DNS Requests (matching the purple target icon), and 2 Process Operations (matching the cross-process activity icon). This summary allows a hunter to immediately see that this powershell.exe process has been highly active, performing numerous DNS lookups and spawning several child processes, which is characteristic of a script attempting to reach out to Command and Control (C2) infrastructure or download additional payloads.

When Falcon Machine Learning (ML) triggers a prevention on a locally compiled file, it is often due to the file's characteristics mimicking known malware attributes (a False Positive). In this scenario, where a developer or system owner is compiling code via VSCode, the activity is likely legitimate. However, as part of a robust Detection Analysis workflow, the analyst should first verify the file’s intent. Detonating the file in a private sandbox (such as Falcon Sandbox) allows the analyst to observe the file’s behavior in a controlled environment without leaking potentially sensitive internal code to public repositories like VirusTotal.

Once the file is confirmed as benign and its activity is determined to be "expected," the correct remediation is to implement a Machine Learning Exclusion . Because the detection was triggered by the ML engine’s assessment of the file itself (the hash), an ML exclusion is the appropriate tool to allow that specific file to exist and execute in the future. An IOA exclusion (Option C) would be incorrect here because the detection was based on the file's static/machine-learning properties, not a specific behavioral pattern (IOA). By following this process, the hunter ensures that business operations continue without interruption while maintaining the integrity of the security stack by only whitelisting confirmed, safe files.

In the discipline of Hunting Methodology , identifying "hidden in plain sight" directories is a primary objective for uncovering persistent threats. The Recycle Bin ($Recycle.Bin) is considered a highly suspicious directory for process execution because legitimate applications are almost never designed to run from this location. Adversaries frequently utilize this path to stage malicious binaries, as it is a directory that is often overlooked by manual administrative review and some legacy security tools (MITRE ATT & CK T1564.001 - Hidden Files and Directories).

The query in Option C correctly addresses the two specific requirements of the prompt. First, it uses the wildcard aid=* to ensure the hunt is performed across all hosts in the enterprise, providing a global view rather than focusing on a single machine (as seen in Option B). Second, it utilizes a regular expression /\$Recycle\.Bin/i to filter for any ProcessRollup2 events where the ImageFileName originates from the Recycle Bin. While directories like "Downloads" or "Desktop" can also be used for staging, they are significantly "noisier" in a production environment as legitimate users frequently run installers from those paths. By targeting the Recycle Bin and using the groupBy function to aggregate the SHA256HashData, a hunter can quickly identify unique, unauthorized binaries that have been moved to a hidden area to evade detection. This proactive approach allows the security team to identify the "Patient Zero" host and any subsequent lateral movement involving the same malicious hash.

To build effective and high-performance queries in Advanced Event Search , a hunter must have access to a definitive map of the telemetry captured by the sensor. The Falcon console docs serve as the primary repository for this information, specifically housing the Events Data Dictionary (also known as the Events Full Reference). This documentation is indispensable because it provides the technical specifications for every event type and field indexed within the platform.

Within the documentation, an analyst can find descriptions for fields like aid (Agent ID), aip (External IP), and the complex relationships between various Process IDs. Understanding these fields is critical for Hunting Analytics , as it prevents common errors, such as using a field that contains strings for a mathematical operation or confusing the ComputerName with the UserSid. Furthermore, the documentation often includes examples of how these fields are used in CrowdStrike Query Language (CQL) , allowing hunters to adapt existing templates to their specific needs. Relying on the official console documentation ensures that the hunter is using the most up-to-date definitions as new event types are added or existing ones are refined by CrowdStrike’s engineering teams, maintaining the accuracy and reliability of their investigations.

In the Falcon platform's Host Investigate dashboard, the "States" timeline provides a granular visual history of administrative and system-level transitions for an endpoint. When a network containment action is initiated, the platform must track the lifecycle of that request from the console to the sensor. According to Falcon documentation, for every containment request made by an analyst, the system generates two specific sub-events that are tracked in the "Pending containment" row.

The first event involves the cloud's process of checking the current host state to verify the baseline connectivity and sensor status. The second event corresponds to the actual change request , which is the command sent to the Falcon sensor to apply the network isolation filters (blocking all traffic except for communication with the CrowdStrike cloud).

As seen in the provided image, there are three distinct "bundles" or attempts of containment activity shown. Because each of these three attempts is comprised of these two mandatory sub-events (the check and the request), the timeline displays a total of six icons . This level of detail allows a hunter to troubleshoot containment issues; for instance, if the check event succeeds but the change request remains pending, it could indicate a communication lag or a tamper-protection mechanism on the endpoint. Once the sensor successfully applies the isolation and sends an acknowledgment back to the cloud, the state transitions from "Pending" to the solid "Containment" line seen lower in the timeline.

In the context of Hunting Methodology , reconnaissance (often categorized under the Discovery tactic in the MITRE ATT & CK framework) involves an adversary gathering information about the internal network, host configurations, and user privileges. The query in Option D is specifically designed to hunt for this behavior by monitoring the execution of "Living off the Land" (LotL) binaries.

These built-in Windows utilities, while legitimate for administrative use, are the primary tools used by attackers to "get the lay of the land." Commands like whoami are used for System Owner/User Discovery (T1033), ipconfig and netstat for System Network Configuration Discovery (T1016), and tasklist for Process Discovery (T1057). By filtering for these specific filenames—net, ipconfig, whoami, quser, ping, netstat, tasklist, hostname, and at—on a specific host (aid), a hunter can identify a burst of discovery activity. While individual executions might be common, a series of these commands run in rapid succession by a non-administrative user is a high-confidence indicator of a compromise. This proactive search allows analysts to catch an adversary in the early stages of an attack, before they have successfully identified their next target for lateral movement or privilege escalation.

To effectively hunt for a malicious file like evil.exe across multiple hosts with "varying filepaths," a hunter must utilize the power of CrowdStrike Query Language (CQL) to aggregate execution telemetry. The inclusion of both ProcessRollup2 and SyntheticProcessRollup2 is vital in this scenario; while ProcessRollup2 captures new executions, SyntheticProcessRollup2 identifies processes that were already active when the Falcon sensor started. This provides critical visibility into files that "existed" and were already operational on the system prior to the detection of a new execution attempt.

The query in Option D is the most effective for a "proactive hunt" because it uses a regular expression—| ImageFileName=/([\/\\])(? < FileName > \w*\.?\w*)$/—to dynamically extract the actual filename into a new field (FileName) from the full path (ImageFileName). This allows the analyst to filter specifically for evil.exe while simultaneously seeing the "varying filepaths" where it resides. By outputting the results into a table containing the aid, hostname, and ImageFileName, the hunter generates a clear list of every unique location and host where the file is present. Unlike a stats count which only provides numerical volume, the table function provides the specific forensic artifacts (the paths) needed to begin remediation or host containment across the entire enterprise. This methodology allows the security team to identify the "blast radius" of the infection and uncover hidden instances of the malware that haven't yet triggered a primary detection.

When conducting an Event Search using the CrowdStrike Query Language (CQL) , precision in naming event types is paramount. The Falcon sensor records the creation and modification of scheduled tasks under the specific event name ScheduledTaskRegistered . This event is highly valuable for hunters investigating Persistence (MITRE T1053), as it captures the specific details of the task, including the command to be executed, the frequency of the trigger, and the identity of the user who created it.

Option B is the correct query because it directly targets the administrative action of task registration and filters the results by the UserName field to isolate actions taken by "Doris." Option A is incorrect as it looks for files with a specific extension, and Option C focuses on the Task Manager GUI process (taskmgr.exe), which is not the process responsible for the actual background registration of tasks (that is typically handled by svchost.exe or schtasks.exe). Option D uses a non-existent event name. By using the ScheduledTaskRegistered event, a hunter can immediately see if an account—potentially a compromised one—is being used to establish a long-term foothold in the environment. This search is a core component of a "Persistence Hunt," where the goal is to find unauthorized automation that allows an attacker's code to survive system reboots and credential rotations.

In the context of Search and Investigation Tools , tracking the use of unauthorized or unencrypted USB storage devices is a critical component of internal threat hunting and data loss prevention (DLP). The Falcon sensor records these hardware interactions using the specific event name RemovableMediaVolumeMounted . This event is triggered whenever the operating system successfully mounts a removable storage volume, such as a USB flash drive or an external hard disk.

Option A is the correct CrowdStrike Query Language (CQL) syntax because it pairs the appropriate event with fields that provide meaningful forensic context. Fields like VolumeDriveLetter identify which logical drive was assigned (e.g., E: or F:), while VolumeFileSystemDevice and VolumeFileSystemDriver offer technical details about the hardware interface and the driver utilized to facilitate the mount.

Conversely, Option B selects fields that are relevant to process execution and network connectivity (like hashes and IP addresses), which are not typically populated in a volume mount event. Option C focuses on ProcessRollup2 , which tracks the starting of executables rather than hardware mounts. Option D utilizes FsVolumeMounted, which is a broader event that includes internal fixed partitions and network drives, making it less precise for hunting specifically for "removable" media. By utilizing the query in Option A, a hunter can build a timeline of when external devices were connected to the environment, allowing them to correlate these mounts with subsequent file writes or "Exfiltration" behaviors.

In the realm of Hunting Analytics , the ability to quantify data is the first step toward identifying outliers—the "needles in the haystack." The stats() function in Advanced Event Search (LogScale) is the most versatile tool for this purpose. While groupBy() is used to organize data into buckets, stats() is required to perform mathematical aggregations such as count(), sum(), avg(), or stdDev().

To identify outliers, a hunter typically wants to see which events occur with the lowest frequency (Least-Frequency Analysis) or which values deviate significantly from the mean. By appending | stats(count(), function=[...]) to a query, the analyst transforms raw event logs into a statistical summary. For example, a hunter might use stats() to count the number of unique external IP connections per process; a process that normally connects to one IP but suddenly c onnects to 500 would stand out as a clear outlier. This quantification is what allows a hunter to move from "searching" to "analyzing." While eval() is used for calculating new fields and sample() is used for performance testing on large datasets, stats() provides the numerical foundation necessary for sophisticated behavioral baselining and the detection of anomalous activity that doesn't trigger standard signature-based alerts.

==========

Within the suite of Search and Investigation Tools , the Indicator graph is a powerful visualization feature designed to uncover the relationships between different malicious artifacts. While a "Process tree view" shows the parent-child execution lineage on a single host, the Indicator graph provides a multi-dimensional, global view of how a specific Indicator of Compromise (IOC)—such as a file hash (MD5/SHA256), a domain, or an IP address—is connected to other entities across the entire environment.

For a hunter, this graphical view is invaluable for identifying the "blast radius" of a threat. If a malicious file is loaded, the Indicator graph can visually map out every host that has seen that hash, any network connections that process made, and any other files dropped by that process. It essentially "connects the dots" by showing a spider-web of activity. This allows for rapid identification of lateral movement or shared infrastructure used by an adversary. Instead of manually correlating lists of hashes and IPs, the hunter can see the entire campaign structure at a glance. This tool is critical during the "Scoping" phase of an incident, as it helps ensure that no part of the attacker's infrastructure is missed during the remediation process, providing a much broader context than a standard flat search.

When dealing with widespread malware, such as a persistent scheduled task, a hunter must be able to aggregate vast amounts of telemetry into a manageable list of impacted assets. Within the CrowdStrike Query Language (CQL) used in LogScale, the groupBy() function is the primary tool for data aggregation and deduplication. While functions like table() simply format the output and stats is often used for mathematical calculations, groupBy() allows the analyst to collapse thousands of individual "ServiceStarted" or "ScheduledTaskRegistered" events into a distinct list based on a specific field, such as aid (Agent ID) or ComputerName.

For this specific scenario, a hunter would query for the specific task name or the command-line arguments associated with the 5-minute execution interval and then pipe those results into | groupBy([aid]). This effectively filters out the noise of repeated executions from the same machine, presenting the hunter with a clear, unique count of every host that has been compromised. This efficiency is vital during the "Scope" phase of an investigation. By utilizing groupBy(), an analyst can quickly determine if the infection is localized to a single department or has spread globally across the enterprise, allowing for a prioritized remediation strategy using Bulk RTR or other containment measures.