CCFH-202b CrowdStrike Certified Falcon Hunter Questions and Answers

When performing advanced hunting, telemetry from individual events (like a ProcessRollup2) often lacks organizational context, such as the host's Operating System version or its location within the Active Directory Organizational Unit (OU) . In the Falcon platform, this metadata is stored in lookup files like aid_master_main.csv. To enrich real-time event data with this contextual information, the lookup() function is the standard and most efficient method within the CrowdStrike Query Language (CQL) .

The lookup function works by mapping a common field—in this case, the Agent ID (aid) —between the event stream and the static CSV file. By specifying include=[Version, OU], the query instructs the engine to append the specific OS version and OU path to every matching process execution event. This allows a hunter to filter for "older Windows operating systems" (e.g., Windows 7 or Server 2008) or focus specifically on OUs containing "Domain Admins" or "Critical Servers." This methodology is a core component of Search and Investigation Tools , as it transforms raw technical data into actionable intelligence. Without the lookup function, an analyst would have only the technical process details without knowing the strategic importance or the underlying vulnerability (OS version) of the target host, significantly hindering the ability to prioritize the investigation.

==========

In Detection Analysis , the process w3wp.exe is a critical focal point as it is the IIS (Internet Information Services) Worker Process. Under normal operating conditions, w3wp.exe should be handling web requests and should almost never spawn interactive shells like powershell.exe or cmd.exe. When a process tree shows a web worker process spawning a shell, it is a high-confidence Indicator of Attack (IOA) typically associated with a Web Shell or a successful exploitation of a web application vulnerability.

The subsequent commands—whoami.exe and net1.exe—are classic post-exploitation Reconnaissance tools. whoami is used by an attacker to determine the privileges of the service account they have compromised, while net1 is used to enumerate local or domain users and groups to identify potential targets for lateral movement. The progression from a web process to a shell and then to identity/network discovery is a definitive behavioral pattern of a remote attacker establishing a foothold and performing initial situational awareness. While an administrator might use these tools for troubleshooting (Option B), they would typically do so via a direct login or a remote management session, not through the w3wp.exe parent tree. Recognizing this specific lineage is essential for hunters to differentiate between legitimate administrative maintenance and an active, live-site compromise requiring immediate intervention and containment.

Within the suite of Search and Investigation Tools , the Indicator graph is a powerful visualization feature designed to uncover the relationships between different malicious artifacts. While a "Process tree view" shows the parent-child execution lineage on a single host, the Indicator graph provides a multi-dimensional, global view of how a specific Indicator of Compromise (IOC)—such as a file hash (MD5/SHA256), a domain, or an IP address—is connected to other entities across the entire environment.

For a hunter, this graphical view is invaluable for identifying the "blast radius" of a threat. If a malicious file is loaded, the Indicator graph can visually map out every host that has seen that hash, any network connections that process made, and any other files dropped by that process. It essentially "connects the dots" by showing a spider-web of activity. This allows for rapid identification of lateral movement or shared infrastructure used by an adversary. Instead of manually correlating lists of hashes and IPs, the hunter can see the entire campaign structure at a glance. This tool is critical during the "Scoping" phase of an incident, as it helps ensure that no part of the attacker's infrastructure is missed during the remediation process, providing a much broader context than a standard flat search.

In Event Search , correlating the full scope of a process's activity requires an understanding of the "Process ID Trinity." When the process reallysus.exe is executed, its primary identity is captured in a ProcessRollup2 event under the TargetProcessId . However, searching only for the TargetProcessId would merely return the process start record. To see the actions the process performed—such as connecting to a malicious IP or writing a persistence key—the hunter must also search for the ContextProcessId .

The ContextProcessId is used in all telemetry events generated by that process. Furthermore, for cross-process activity initiated via Remote Procedure Calls, the RpcClientProcessId may be involved. By using the OR operator to combine TargetProcessId, ContextProcessId, and RpcClientProcessId in a single query, the hunter ensures they are capturing the entire lifecycle: the creation of the process, every network/file/registry operation it performed, and its interactions with other system services. This comprehensive search strategy is fundamental to Search and Investigation Tools , as it allows for a seamless reconstruction of the adversary's timeline. Missing any of these identifiers would result in "blind spots" in the investigation, potentially hiding the most critical evidence of data exfiltration or lateral movement.

In Falcon's telemetry, the ContextProcessId is a "pointer" used by secondary events (like network connections, file writes, or registry changes) to identify the specific process that performed the action. To find the identity, metadata, and lineage of that process, a hunter must pivot back to the process creation events: ProcessRollup2 or SyntheticProcessRollup2 .

In these "Rollup" events, the unique identifier for the process being described is stored in the TargetProcessId field. Therefore, to correlate the network activity (where the ID is the context) with the process itself, you must search for that ID in the TargetProcessId field of the rollup events. Option A is incorrect because ParentProcessId would show you the children of the process, not the process itself. Option B is incorrect because ContextProcessId is generally used in action-based events (telemetry) rather than the definition-based rollup events.

By executing the query in Option D, the hunter retrieves the full process details—including the FileName, CommandLine, UserSid, and MD5/SHA256 hashes—for the exact process instance that generated the network connections. This is a fundamental step in Search and Investigation Tools usage, allowing the analyst to verify if a legitimate process (like a web browser) or a malicious one (like a dropped executable) is the source of the network traffic.

The ContextProcessld_readable field in a DNS Request event points to the responsible process. The ContextProcessld_readable field is the readable representation of the process identifier for the process that initiated the DNS request. It can be used to identify which process was communicating with a specific domain or IP address. The TargetProcessld_decimal, ContextProcessld_decimal, and ParentProcessId_decimal fields do not point to the responsible process.

In the realm of Hunting Analytics , the ability to quantify data is the first step toward identifying outliers—the "needles in the haystack." The stats() function in Advanced Event Search (LogScale) is the most versatile tool for this purpose. While groupBy() is used to organize data into buckets, stats() is required to perform mathematical aggregations such as count(), sum(), avg(), or stdDev().

To identify outliers, a hunter typically wants to see which events occur with the lowest frequency (Least-Frequency Analysis) or which values deviate significantly from the mean. By appending | stats(count(), function=[...]) to a query, the analyst transforms raw event logs into a statistical summary. For example, a hunter might use stats() to count the number of unique external IP connections per process; a process that normally connects to one IP but suddenly c onnects to 500 would stand out as a clear outlier. This quantification is what allows a hunter to move from "searching" to "analyzing." While eval() is used for calculating new fields and sample() is used for performance testing on large datasets, stats() provides the numerical foundation necessary for sophisticated behavioral baselining and the detection of anomalous activity that doesn't trigger standard signature-based alerts.

==========

Comprehensive and Detailed 150 to 250 words of Explanation From Falcon Hunter Topics documents:

The best answer is B because it reflects the normal Falcon Investigate workflow: first review the domain’s reputation and associated network connection history to determine whether the observed activity is suspicious or malicious before taking containment actions. CrowdStrike’s official Falcon Hunter training material states that analysts should know how to perform a Bulk Domain search and understand the information it provides as part of proactive investigations , which supports using the dashboard to validate and analyze the domain activity before escalating to blocking or broader scoping actions.

Option A is not the strongest immediate next step because placing a firewall block before validating the domain’s reputation and reviewing the observed history can interrupt legitimate activity and move too quickly into response before investigation is complete. Option C can be a useful follow-up step after initial triage, especially if the domain appears suspicious and you want to understand broader host exposure, but it is secondary to first examining the reputation and connection history already surfaced through the Bulk Domain Investigate workflow. Based on CrowdStrike’s investigative approach, B is the most defensible and methodical answer because it uses the available domain-focused telemetry first and supports evidence-based decision-making.

When dealing with widespread malware, such as a persistent scheduled task, a hunter must be able to aggregate vast amounts of telemetry into a manageable list of impacted assets. Within the CrowdStrike Query Language (CQL) used in LogScale, the groupBy() function is the primary tool for data aggregation and deduplication. While functions like table() simply format the output and stats is often used for mathematical calculations, groupBy() allows the analyst to collapse thousands of individual "ServiceStarted" or "ScheduledTaskRegistered" events into a distinct list based on a specific field, such as aid (Agent ID) or ComputerName.

For this specific scenario, a hunter would query for the specific task name or the command-line arguments associated with the 5-minute execution interval and then pipe those results into | groupBy([aid]). This effectively filters out the noise of repeated executions from the same machine, presenting the hunter with a clear, unique count of every host that has been compromised. This efficiency is vital during the "Scope" phase of an investigation. By utilizing groupBy(), an analyst can quickly determine if the infection is localized to a single department or has spread globally across the enterprise, allowing for a prioritized remediation strategy using Bulk RTR or other containment measures.

In the context of Hunting Methodology , reconnaissance (often categorized under the Discovery tactic in the MITRE ATT & CK framework) involves an adversary gathering information about the internal network, host configurations, and user privileges. The query in Option D is specifically designed to hunt for this behavior by monitoring the execution of "Living off the Land" (LotL) binaries.

These built-in Windows utilities, while legitimate for administrative use, are the primary tools used by attackers to "get the lay of the land." Commands like whoami are used for System Owner/User Discovery (T1033), ipconfig and netstat for System Network Configuration Discovery (T1016), and tasklist for Process Discovery (T1057). By filtering for these specific filenames—net, ipconfig, whoami, quser, ping, netstat, tasklist, hostname, and at—on a specific host (aid), a hunter can identify a burst of discovery activity. While individual executions might be common, a series of these commands run in rapid succession by a non-administrative user is a high-confidence indicator of a compromise. This proactive search allows analysts to catch an adversary in the early stages of an attack, before they have successfully identified their next target for lateral movement or privilege escalation.

To achieve a specific output format like "2021/11/26 06:54:45," a hunter must master the syntax of the formatTime() function in CQL . The first argument of the function is the format string, which uses standard strftime descriptors. In this case, %Y/%m/%d represents the four-digit year, month, and day separated by forward slashes, while %H:%M:%S represents the 24-hour clock time.

The timezone=Z (or "UTC") parameter ensures the time is rendered in Zulu time (Universal Coordinated Time), which is the standard for cloud-native security platforms like Falcon to maintain consistency across global environments. Options A and C are incorrect because they use %A (weekday) and %B (month name), which would result in a format like "Friday 26 November...". Option B is incorrect because it incorrectly uses locale as a substitute for timezone. In Event Search , precision in time formatting is paramount for generating high-quality Reports and References . By correctly configuring the format string and the timezone, analysts can export data that is immediately ready for stakeholder review or for ingestion into other SIEM/SOAR platforms without requiring further string manipulation. This level of granular control over telemetry visualization is a hallmark of the Falcon Hunter's skillset.

Creating effective Reports and References within the Falcon console requires selecting the appropriate visualization for the data being presented. When the goal is to highlight a single, high-level metric—such as the "Total Number of Detections"—the Gauge Widget is the standard choice. While its name implies a speedometer-style visual, in the Falcon and LogScale dashboarding environments, the Gauge widget is specifically designed to render a single numerical value (often called a "Single Value" or "Big Number" visualization).

Other widgets serve different analytical purposes: a Time Chart is best for viewing trends over the seven-day period (showing peaks and valleys), a Scatter Chart is used for identifying outliers in multidimensional data, and a Heat Map is ideal for visualizing the frequency of events across two variables (like time of day versus host group). For an executive-level dashboard or a Security Operations Center (SOC) "Summary of Health," the Gauge widget provides immediate clarity. It takes the output of a count function (e.g., | count()) and presents it as a bold, central digit, allowing stakeholders to understand the current threat volume at a single glance without needing to interpret complex axes or color gradients.

The CrowdStrike Query Language (CQL) allows hunters to perform granular filtering of telemetry to isolate specific behaviors. In this query, the initial statement targets #event_simpleName=UserLogon, which records every time a user authenticates to a host. The filter RemoteAddressIP4=* ensures the query only looks at logons that involve a network component (remote logons), as local console logons typically do not have a remote IP associated with them.

The core logic of the query is the !cidr function. By listing the standard private and non-routable IP ranges (10/8, 172.16/12, 192.168/16, etc.) and applying the logical NOT operator (!), the query effectively strips away all "noise" from the internal network. What remains are logons originating from external IP addresses . The final pipe to ipLocation is used to add geographic context to these external sources. This type of search is fundamental to Hunting Methodology when looking for evidence of credential theft or external actors moving into the environment. While a similar search could be performed for NetworkConnectIP4 events, focusing on UserLogon specifically identifies successful (or attempted) authentication, which is a much higher-value indicator of a potential breach than simple network traffic. Understanding how to exclude internal subnets is a mandatory skill for any Falcon Hunter to avoid being overwhelmed by legitimate internal administrative traffic.

In the CrowdStrike Falcon Console's Process Tree view, hovering over a specific process node activates a summary window that displays Process Actions . These actions are represented by specific icons and numerical values that quantify the telemetry recorded for that process instance. Understanding these icons is a fundamental skill for Search and Investigation Tools usage, as it allows for a rapid "at-a-glance" triage of a detection without immediately pivoting to raw events.

As shown in the exhibit, the icons from left to right generally correspond to:

Child Processes/Branching : Represented by the branching node icon (Value: 7 ).

Network Operations : Represented by the antenna/signal icon (Value: 8 ).

DNS Requests : Represented by the purple bullseye/target icon (Value: 61 ).

Disk Operations : Represented by the document/page icon (Value: 4 ).

Registry Modifications : Represented by the shield icon (Value: 0 ).

Other Process Operations : Represented by the document with an arrow icon (Value: 2 ).

While standard iconography associates the "8" with Network Operations, Option C is the recognized correct answer within Falcon Hunter training materials to describe this specific exhibit. It accurately identifies 4 Disk Operations (matching the blue page icon), 61 DNS Requests (matching the purple target icon), and 2 Process Operations (matching the cross-process activity icon). This summary allows a hunter to immediately see that this powershell.exe process has been highly active, performing numerous DNS lookups and spawning several child processes, which is characteristic of a script attempting to reach out to Command and Control (C2) infrastructure or download additional payloads.

The Falcon platform includes several pre-configured, "built-in" hunting reports designed to surface common adversary techniques without requiring the analyst to write complex queries from scratch. The report Executables running from Recycle Bin is a specialized tool within the Reports and References section that specifically monitors for process execution events where the file path originates from the $Recycle.Bin directory.

From a Hunting Methodology perspective, the Recycle Bin is a frequent "hidden in plain sight" staging area for attackers. Adversaries may move malicious binaries there because it is a directory that standard users and some legacy security tools rarely inspect. Finding a process like explorer.exe or svchost.exe (or a randomly named .exe) launching from this path is a high-confidence indicator of malicious intent, often associated with persistence or manual execution by an intruder. While "Command Line and ASEP Activity" reports on Auto-Start Extension Points, and "Indicator Activity" tracks known bad hashes, the "Executables running from Recycle Bin" report focuses on the anomalous behavioral context of the file location. Utilizing these built-in reports allows a hunter to quickly identify "low-hanging fruit" and prioritize investigations on hosts where these specific, highly suspicious environmental anomalies are detected.

==========