CCFH-202b Sample Questions Answers

In Event Search , correlating the full scope of a process's activity requires an understanding of the "Process ID Trinity." When the process reallysus.exe is executed, its primary identity is captured in a ProcessRollup2 event under the TargetProcessId . However, searching only for the TargetProcessId would merely return the process start record. To see the actions the process performed—such as connecting to a malicious IP or writing a persistence key—the hunter must also search for the ContextProcessId .

The ContextProcessId is used in all telemetry events generated by that process. Furthermore, for cross-process activity initiated via Remote Procedure Calls, the RpcClientProcessId may be involved. By using the OR operator to combine TargetProcessId, ContextProcessId, and RpcClientProcessId in a single query, the hunter ensures they are capturing the entire lifecycle: the creation of the process, every network/file/registry operation it performed, and its interactions with other system services. This comprehensive search strategy is fundamental to Search and Investigation Tools , as it allows for a seamless reconstruction of the adversary's timeline. Missing any of these identifiers would result in "blind spots" in the investigation, potentially hiding the most critical evidence of data exfiltration or lateral movement.

In Detection Analysis , the process w3wp.exe is a critical focal point as it is the IIS (Internet Information Services) Worker Process. Under normal operating conditions, w3wp.exe should be handling web requests and should almost never spawn interactive shells like powershell.exe or cmd.exe. When a process tree shows a web worker process spawning a shell, it is a high-confidence Indicator of Attack (IOA) typically associated with a Web Shell or a successful exploitation of a web application vulnerability.

The subsequent commands—whoami.exe and net1.exe—are classic post-exploitation Reconnaissance tools. whoami is used by an attacker to determine the privileges of the service account they have compromised, while net1 is used to enumerate local or domain users and groups to identify potential targets for lateral movement. The progression from a web process to a shell and then to identity/network discovery is a definitive behavioral pattern of a remote attacker establishing a foothold and performing initial situational awareness. While an administrator might use these tools for troubleshooting (Option B), they would typically do so via a direct login or a remote management session, not through the w3wp.exe parent tree. Recognizing this specific lineage is essential for hunters to differentiate between legitimate administrative maintenance and an active, live-site compromise requiring immediate intervention and containment.

Understanding the "parent-child" relationship of processes is a cornerstone of Detection Analysis . In a standard Windows environment, when a user manually opens a Command Prompt (cmd.exe) via the GUI, the parent process is typically explorer.exe (the Windows Shell). Recognizing this baseline behavior is essential for identifying anomalies. For instance, if cmd.exe is spawned by sqlservr.exe or w3wp.exe (IIS), it is a high-confidence indicator of a web shell or SQL injection attack.

While userinit.exe is responsible for setting up the user environment during logon and might occasionally trigger scripts, it is not the primary interactive parent for cmd.exe. Processes like svchost.exe and winlogon.exe spawning a command shell are highly suspicious and often associated with privilege escalation or system-level exploitation. In the Falcon platform, analysts use the Process Tree view to visually inspect these relationships. A "normal" tree shows a user-initiated command line descending from explorer.exe. Deviations from this norm—such as a hidden command shell running as a child of a non-interactive service—trigger detections because they represent common adversary techniques for execution and lateral movement. By mastering the expected lineage of common binaries, hunters can more effectively filter out legitimate administrative activity from genuine threats.

==========

The Bulk domains (often listed as Bulk Domain Investigate ) dashboard is a specialized tool within the Falcon platform designed for broad infrastructure pivoting. While a standard search might show you a single event, the Bulk Domain Investigate tool allows an analyst to enter one or more domain names to receive a comprehensive, global overview of all activity associated with those domains across the entire managed environment.

When an analyst inputs a suspicious domain into this dashboard, Falcon retrieves a list of every host that has attempted to resolve that domain and, crucially, the specific processes responsible for those DNS lookups or network connections. This provides the hunter with immediate visibility into the "Who" and the "How." For example, it might reveal that while the domain was initially seen on one host, it was actually looked up by powershell.exe on three other hosts that had not yet triggered an alert. This capability is essential for Hunting Methodology , as it allows for the rapid identification of a shared command-and-control (C2) infrastructure. By identifying all processes interacting with the domain, the hunter can determine if the threat is an isolated incident or part of a wider campaign, enabling them to transition quickly from identification to large-scale containment and remediation.

In the context of Search and Investigation Tools , the BIOS Analysis dashboard is a specialized forensic resource that provides deep visibility into the firmware health of the managed fleet. While "BIOS Firmware Inventory" (Option D) provides a flat list of current versions across the organization, the BIOS Analysis dashboard is uniquely designed to correlate that inventory data with known vulnerabilities and historical change events.

For a hunter, this dashboard is essential for identifying systems at risk of hardware-level persistence or "Bootkit" attacks. It provides a detailed timeline of firmware updates and changes, allowing an investigator to see exactly when a BIOS version was modified—which is critical if an adversary has attempted to flash a malicious or vulnerable firmware image. Furthermore, the dashboard categorizes vulnerabilities by type and severity, mapping them to specific CVEs (Common Vulnerabilities and Exposures). This level of detail allows security teams to prioritize patching for the most critical assets first. By moving beyond simple inventory and into behavioral and vulnerability analysis of the BIOS, the Falcon platform enables hunters to address threats that exist below the operating system level, ensuring a comprehensive security posture that extends from the hardware to the cloud.

The command net user < username > < password > /add /domain is a direct method used by adversaries to perform the Create Account technique (T1136) within the MITRE ATT & CK Matrix. Specifically, this command attempts to create a new domain account, which allows the attacker to establish a foothold that appears legitimate and can be used for subsequent authentication across the network. Unlike Account Manipulation , which involves modifying existing accounts (such as changing a password or adding a user to a group), Create Account focuses on the generation of entirely new credentials to maintain access and bypass certain security triggers.

From a Detection Analysis perspective in Falcon, this activity is highly visible within the ProcessRollup2 events. Analysts look for the net.exe or net1.exe binaries being called with the /add and /domain flags in the CommandLine field. This behavior is a common post-exploitation step following initial access. If an adversary successfully creates a domain account, they can then transition to using Valid Accounts (T1078) for lateral movement, making their actions much harder to distinguish from normal administrative traffic. Hunting for this technique requires a baseline understanding of authorized account creation procedures within the organization; any deviation, such as the use of "hacker" as a username or execution from a non-domain controller host, should be treated as a high-severity incident.

Efficiency is a critical skill in Event Search , especially when dealing with the high-velocity telemetry generated by thousands of endpoints. When a query returns millions of events, it not only becomes difficult for a human to analyze but also consumes significant computational resources, leading to longer wait times. The most effective way to optimize performance and increase the signal-to-noise ratio is by Filtering the results to remove irrelevant events .

In the CrowdStrike Query Language (CQL) , filtering should be performed as early as possible in the query pipeline (the "left-most" part of the query). By using specific inclusion filters (e.g., FileName="cmd.exe") or exclusion filters (e.g., FilePath!=/\\Windows\\System32\\.*/i), the hunter instructs the engine to discard millions of non-matching records before they are even processed by more resource-intensive functions like groupBy() or join(). While aggregating data (Option A) can help summarize a large dataset, it does not necessarily decrease the initial "ingest" or "scan" time of the query if the engine still has to look at every record. Strategic filtering allows the hunter to focus exclusively on the "interesting" metadata, such as files running from temp directories or signed by unusual certificates, ensuring that the hunt remains fast, responsive, and relevant to the threat model.

This command line is a classic behavioral signature of Impacket , a popular collection of Python classes used by both red teams and real-world adversaries for working with network protocols. Specifically, this pattern is frequently seen with the wmiexec or atexec modules, which provide semi-interactive shells on remote targets. The use of a randomly named batch file (e.g., pJYOrvQB.bat) and the redirection of output to a hidden share or a specific local file (2 > & 1 > ...) followed by the immediate deletion of the script is a hallmark of these tools' efforts to minimize their forensic footprint.

In Detection Analysis , the use of ping -n 1 google.com is a common Reconnaissance technique (T1016 - System Network Configuration Discovery) used by an attacker to verify if a compromised host has unrestricted internet access or if a proxy is in place. Seeing this sequence—where a temporary script is created, executed, and deleted in quick succession—should be treated as a high-severity indicator of remote lateral movement. A hunter's next steps would be to identify the "Source" host that initiated the WMI or SMB connection and analyze the ProcessRollup2 of the parent process to determine if administrative credentials have been compromised across the network.

The Falcon platform provides specialized Search and Investigation Tools tailored to different forensic starting points. When the pivot point of an investigation is a specific person or account rather than a file or a machine, the User Search dashboard is the most effective tool. While a Host Search would show everything happening on a specific computer (which might include activity from multiple users or system services), the User Search aggregates all activity associated with a specific Username across the entire environment.

By entering the suspect's username into this dashboard, a hunter can view a comprehensive list of all processes, command-line arguments, and network connections initiated under that user’s credentials, regardless of which endpoint they logged into. This is particularly useful for identifying "Insider Threats" or "Privilege Abuse," where an admin might be using net.exe to modify groups or psexec.exe to move laterally. The User Search provides a chronological view of that user's actions, making it easy to spot unauthorized administrative behavior that deviates from their standard job duties. Once a suspicious command is found in the User Search, the analyst can then pivot to the Process Timeline or Process Context for deeper technical inspection of that specific execution.

The Falcon platform includes several pre-configured, "built-in" hunting reports designed to surface common adversary techniques without requiring the analyst to write complex queries from scratch. The report Executables running from Recycle Bin is a specialized tool within the Reports and References section that specifically monitors for process execution events where the file path originates from the $Recycle.Bin directory.

From a Hunting Methodology perspective, the Recycle Bin is a frequent "hidden in plain sight" staging area for attackers. Adversaries may move malicious binaries there because it is a directory that standard users and some legacy security tools rarely inspect. Finding a process like explorer.exe or svchost.exe (or a randomly named .exe) launching from this path is a high-confidence indicator of malicious intent, often associated with persistence or manual execution by an intruder. While "Command Line and ASEP Activity" reports on Auto-Start Extension Points, and "Indicator Activity" tracks known bad hashes, the "Executables running from Recycle Bin" report focuses on the anomalous behavioral context of the file location. Utilizing these built-in reports allows a hunter to quickly identify "low-hanging fruit" and prioritize investigations on hosts where these specific, highly suspicious environmental anomalies are detected.

==========

In the context of Hunting Analytics , identifying the exploitation of CVE-2021-44228 (Log4j) requires looking for specific patterns associated with the Java Naming and Directory Interface (JNDI). The vulnerability allows an attacker to send a specially crafted string—often via an HTTP header or input field—that the Log4j library then parses and executes, leading to a remote JNDI lookup and subsequent code execution.

The event #event_simpleName=ScriptControlDetectInfo is particularly effective for this hunt because it provides visibility into the actual scripts and commands being interpreted and executed by the system. By searching the ScriptContent field for the regex /.*jndi:\w{1,5}:?\}?\/\/.*\}/i, a hunter can identify the tell-tale signature of a Log4j exploit payload, such as ${jndi:ldap://...}. While Option B targets the HttpRequestHeader, this requires specific network-level visibility that might not always be present or indexed in the same way as script execution telemetry. The ScriptControlDetectInfo event captures the payload when it interacts with the underlying system's script engines, providing a more definitive link between the exploit attempt and the resulting malicious activity on the Linux host. Using this granular level of visibility allows hunters to distinguish between a simple probe (network level) and an active exploitation attempt where the malicious string is being processed by the application's runtime environment.

In the realm of Hunting Analytics , the ability to quantify data is the first step toward identifying outliers—the "needles in the haystack." The stats() function in Advanced Event Search (LogScale) is the most versatile tool for this purpose. While groupBy() is used to organize data into buckets, stats() is required to perform mathematical aggregations such as count(), sum(), avg(), or stdDev().

To identify outliers, a hunter typically wants to see which events occur with the lowest frequency (Least-Frequency Analysis) or which values deviate significantly from the mean. By appending | stats(count(), function=[...]) to a query, the analyst transforms raw event logs into a statistical summary. For example, a hunter might use stats() to count the number of unique external IP connections per process; a process that normally connects to one IP but suddenly c onnects to 500 would stand out as a clear outlier. This quantification is what allows a hunter to move from "searching" to "analyzing." While eval() is used for calculating new fields and sample() is used for performance testing on large datasets, stats() provides the numerical foundation necessary for sophisticated behavioral baselining and the detection of anomalous activity that doesn't trigger standard signature-based alerts.

==========

The Falcon platform includes a dedicated category of built-in dashboards and visualizations known as Hunt reports . These reports are specifically engineered to surface high-confidence behavioral anomalies that do not necessarily trigger a standard malware detection but are statistically or contextually suspicious. They serve as a "proactive starting point" for analysts within the Reports and References section of the console.

Examples of Hunt reports include dashboards that identify executables running from the Recycle Bin, unusual parent-child process relationships (like cmd.exe spawned from sqlservr.exe), or suspicious usage of dual-use tools like psexec.exe or wmic.exe. Unlike standard "Detection Activity" reports, which show what the sensor has already caught, Hunt reports are designed to help the analyst find the "undiscovered" threats. Utilizing these reports is a core part of an advanced Hunting Methodology , allowing a team to move from reactive response to proactive threat discovery. By regularly reviewing these reports, a hunter can identify low-frequency, high-impact events that might represent an advanced adversary's initial reconnaissance or persistence efforts that have managed to stay below the threshold of an automated alert.

Within the suite of Search and Investigation Tools , the Indicator graph is a powerful visualization feature designed to uncover the relationships between different malicious artifacts. While a "Process tree view" shows the parent-child execution lineage on a single host, the Indicator graph provides a multi-dimensional, global view of how a specific Indicator of Compromise (IOC)—such as a file hash (MD5/SHA256), a domain, or an IP address—is connected to other entities across the entire environment.

For a hunter, this graphical view is invaluable for identifying the "blast radius" of a threat. If a malicious file is loaded, the Indicator graph can visually map out every host that has seen that hash, any network connections that process made, and any other files dropped by that process. It essentially "connects the dots" by showing a spider-web of activity. This allows for rapid identification of lateral movement or shared infrastructure used by an adversary. Instead of manually correlating lists of hashes and IPs, the hunter can see the entire campaign structure at a glance. This tool is critical during the "Scoping" phase of an incident, as it helps ensure that no part of the attacker's infrastructure is missed during the remediation process, providing a much broader context than a standard flat search.