CCFH-202b CrowdStrike Certified Falcon Hunter Questions and Answers

In the context of the MITRE ATT & CK Framework , the creation of a scheduled task is a quintessential technique within the Persistence tactic (specifically T1053). Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their flow. By scheduling a task to execute a remote management application, the attacker ensures that their connection to the compromised host is maintained automatically without requiring manual re-exploitation.

Within the Falcon platform, hunters monitor for this behavior by analyzing events such as ScheduledTaskRegistered or process executions originating from taskeng.exe or schtasks.exe. While scheduled tasks can occasionally be used for Privilege Escalation (if the task runs with SYSTEM privileges) or Execution , the primary goal of creating a permanent task for a management application is to ensure long-term, stable access to the environment. Effective hunting methodology involves pivoting from the detection of a new scheduled task to identifying the source process that created it. This allows the analyst to determine if the task was part of a legitimate administrative action or an unauthorized persistence mechanism designed to facilitate further malicious activity, such as data exfiltration or internal reconnaissance.

==========

When dealing with widespread malware, such as a persistent scheduled task, a hunter must be able to aggregate vast amounts of telemetry into a manageable list of impacted assets. Within the CrowdStrike Query Language (CQL) used in LogScale, the groupBy() function is the primary tool for data aggregation and deduplication. While functions like table() simply format the output and stats is often used for mathematical calculations, groupBy() allows the analyst to collapse thousands of individual "ServiceStarted" or "ScheduledTaskRegistered" events into a distinct list based on a specific field, such as aid (Agent ID) or ComputerName.

For this specific scenario, a hunter would query for the specific task name or the command-line arguments associated with the 5-minute execution interval and then pipe those results into | groupBy([aid]). This effectively filters out the noise of repeated executions from the same machine, presenting the hunter with a clear, unique count of every host that has been compromised. This efficiency is vital during the "Scope" phase of an investigation. By utilizing groupBy(), an analyst can quickly determine if the infection is localized to a single department or has spread globally across the enterprise, allowing for a prioritized remediation strategy using Bulk RTR or other containment measures.

This command is a textbook example of a multi-stage, fileless attack using "Living off the Land" (LotL) techniques. In Detection Analysis , the presence of WmiPrvSE.exe (WMI Provider Host) as the parent process is a significant indicator of Lateral Movement (T1021.006), suggesting the command was triggered remotely via WMI. The command-line arguments use Net.WebClient to perform a "DownloadString" operation, which pulls the Invoke-Shellcode.ps1 script directly from a GitHub repository into memory without ever writing the file to disk.

The IEX (Invoke-Expression) cmdlet then executes that script in memory. The final part of the string, Invoke-Shellcode -Payload windows/meterpreter/reverse_http, specifically instructs the script to deploy a Meterpreter payload—a common component of the Metasploit Framework. This payload is configured to establish a reverse shell back to the attacker-controlled IP address (172.17.0.21) on port 8080. The use of -Windowstyle Hidden and -noprofile ensures the activity is invisible to the end-user and bypasses local profile configurations. For a Falcon Hunter, this represents a critical, high-severity detection. The investigation must focus on how the attacker gained the credentials necessary to trigger WMI and identifying which other hosts in the environment have had similar "DownloadString" events associated with the same internal IP.

This command line is a classic behavioral signature of Impacket , a popular collection of Python classes used by both red teams and real-world adversaries for working with network protocols. Specifically, this pattern is frequently seen with the wmiexec or atexec modules, which provide semi-interactive shells on remote targets. The use of a randomly named batch file (e.g., pJYOrvQB.bat) and the redirection of output to a hidden share or a specific local file (2 > & 1 > ...) followed by the immediate deletion of the script is a hallmark of these tools' efforts to minimize their forensic footprint.

In Detection Analysis , the use of ping -n 1 google.com is a common Reconnaissance technique (T1016 - System Network Configuration Discovery) used by an attacker to verify if a compromised host has unrestricted internet access or if a proxy is in place. Seeing this sequence—where a temporary script is created, executed, and deleted in quick succession—should be treated as a high-severity indicator of remote lateral movement. A hunter's next steps would be to identify the "Source" host that initiated the WMI or SMB connection and analyze the ProcessRollup2 of the parent process to determine if administrative credentials have been compromised across the network.

In the context of Search and Investigation Tools , the BIOS Analysis dashboard is a specialized forensic resource that provides deep visibility into the firmware health of the managed fleet. While "BIOS Firmware Inventory" (Option D) provides a flat list of current versions across the organization, the BIOS Analysis dashboard is uniquely designed to correlate that inventory data with known vulnerabilities and historical change events.

For a hunter, this dashboard is essential for identifying systems at risk of hardware-level persistence or "Bootkit" attacks. It provides a detailed timeline of firmware updates and changes, allowing an investigator to see exactly when a BIOS version was modified—which is critical if an adversary has attempted to flash a malicious or vulnerable firmware image. Furthermore, the dashboard categorizes vulnerabilities by type and severity, mapping them to specific CVEs (Common Vulnerabilities and Exposures). This level of detail allows security teams to prioritize patching for the most critical assets first. By moving beyond simple inventory and into behavioral and vulnerability analysis of the BIOS, the Falcon platform enables hunters to address threats that exist below the operating system level, ensuring a comprehensive security posture that extends from the hardware to the cloud.

In the discipline of Hunting Methodology , identifying "hidden in plain sight" directories is a primary objective for uncovering persistent threats. The Recycle Bin ($Recycle.Bin) is considered a highly suspicious directory for process execution because legitimate applications are almost never designed to run from this location. Adversaries frequently utilize this path to stage malicious binaries, as it is a directory that is often overlooked by manual administrative review and some legacy security tools (MITRE ATT & CK T1564.001 - Hidden Files and Directories).

The query in Option C correctly addresses the two specific requirements of the prompt. First, it uses the wildcard aid=* to ensure the hunt is performed across all hosts in the enterprise, providing a global view rather than focusing on a single machine (as seen in Option B). Second, it utilizes a regular expression /\$Recycle\.Bin/i to filter for any ProcessRollup2 events where the ImageFileName originates from the Recycle Bin. While directories like "Downloads" or "Desktop" can also be used for staging, they are significantly "noisier" in a production environment as legitimate users frequently run installers from those paths. By targeting the Recycle Bin and using the groupBy function to aggregate the SHA256HashData, a hunter can quickly identify unique, unauthorized binaries that have been moved to a hidden area to evade detection. This proactive approach allows the security team to identify the "Patient Zero" host and any subsequent lateral movement involving the same malicious hash.

Understanding the relationship between different Process IDs is a fundamental requirement for mastering Event Search in the Falcon platform. In the telemetry stream, the TargetProcessId is the unique identifier assigned to a process when its creation is recorded in a ProcessRollup2 or SyntheticProcessRollup2 event. It represents the "Identity" of that specific process instance. On the other hand, the ContextProcessId represents the "Actor"—the process that is currently performing an action recorded in a telemetry event.

When a parent process spawns a child process, the Falcon sensor generates a ProcessRollup2 event for the new child. In this specific event record, the TargetProcessId refers to the newly created child. However, because the parent is the one performing the action of "spawning," the ContextProcessId for that specific rollup event will be the ID of the parent. Therefore, the ContextProcessId found in the child's start event will be the same value as the TargetProcessId that was assigned to the parent when it first started. This logic is what allows hunters to programmatically rebuild process trees using CrowdStrike Query Language (CQL) . By joining events where the ContextProcessId of one event matches the TargetProcessId of another, analysts can trace an execution chain from a high-level parent (like explorer.exe) all the way down to the final malicious payload, ensuring full visibility into the attack's lineage.

In the context of Detection Analysis , identifying the "root cause" or the source of an infection requires tracing the process lineage back to the point of entry. In the provided execution chain—Unknown Process - > chrome.exe - > wscript.exe - > powershell.exe—each node represents a stage of the attack. While powershell.exe is the execution engine for the malicious script and wscript.exe is the intermediate handler (likely executing a downloaded .vbs or .js file), chrome.exe represents the ingress point.

By investigating chrome.exe , an analyst can uncover critical forensic artifacts such as the specific URL the user visited, the domain from which the malicious file was downloaded, or a potentially compromised website that initiated a drive-by download. In the Falcon platform, looking at the ParentProcessId and the CommandLine of chrome.exe (or using the Bulk Domain Investigate tool for associated network connections) provides the "Who" and "How" of the initial access. Although the "Unknown Process" sits at the top of the tree—typically representing a process that started before the Falcon sensor—the activity relevant to the script's delivery is contained within the Chrome session. Mastering this "parent-ancestor" relationship is fundamental to effective hunting, as it allows responders to move beyond simple remediation of the script execution and address the underlying delivery mechanism to prevent future re-infection.

==========

In the MITRE ATT & CK Framework , it is essential to distinguish between Tactics and Techniques . "Credential Access" represents the Tactic—the adversary’s ultimate goal or "Why." However, OS Credential Dumping (T1003) is the specific Technique—the "How"—used to achieve that goal. Within the Falcon Console's Detections page, filtering by Technique allows a hunter to isolate specific behaviors, such as the unauthorized extraction of cleartext passwords or hashes from the LSA Secrets or the SAM database.

When a hunter filters for OS Credential Dumping , the Falcon platform surfaces events associated with processes like lsass.exe being accessed by suspicious tools (e.g., Mimikatz) or through unusual methods like procdump.exe. Utilizing this specific technique as a filter is a key part of Hunting Methodology , as it enables the analyst to identify patterns of behavior across multiple hosts that might otherwise look like isolated incidents. While "Gain Access" might be part of the broader narrative, it is too broad for effective filtering. By focusing on the specific technique of credential dumping, a hunter can prioritize high-severity alerts that directly lead to lateral movement or administrative compromise, ensuring that the response effort is focused on the most critical stages of the attack lifecycle.

The Falcon platform provides specialized Search and Investigation Tools tailored to different forensic starting points. When the pivot point of an investigation is a specific person or account rather than a file or a machine, the User Search dashboard is the most effective tool. While a Host Search would show everything happening on a specific computer (which might include activity from multiple users or system services), the User Search aggregates all activity associated with a specific Username across the entire environment.

By entering the suspect's username into this dashboard, a hunter can view a comprehensive list of all processes, command-line arguments, and network connections initiated under that user’s credentials, regardless of which endpoint they logged into. This is particularly useful for identifying "Insider Threats" or "Privilege Abuse," where an admin might be using net.exe to modify groups or psexec.exe to move laterally. The User Search provides a chronological view of that user's actions, making it easy to spot unauthorized administrative behavior that deviates from their standard job duties. Once a suspicious command is found in the User Search, the analyst can then pivot to the Process Timeline or Process Context for deeper technical inspection of that specific execution.

Understanding the "parent-child" relationship of processes is a cornerstone of Detection Analysis . In a standard Windows environment, when a user manually opens a Command Prompt (cmd.exe) via the GUI, the parent process is typically explorer.exe (the Windows Shell). Recognizing this baseline behavior is essential for identifying anomalies. For instance, if cmd.exe is spawned by sqlservr.exe or w3wp.exe (IIS), it is a high-confidence indicator of a web shell or SQL injection attack.

While userinit.exe is responsible for setting up the user environment during logon and might occasionally trigger scripts, it is not the primary interactive parent for cmd.exe. Processes like svchost.exe and winlogon.exe spawning a command shell are highly suspicious and often associated with privilege escalation or system-level exploitation. In the Falcon platform, analysts use the Process Tree view to visually inspect these relationships. A "normal" tree shows a user-initiated command line descending from explorer.exe. Deviations from this norm—such as a hidden command shell running as a child of a non-interactive service—trigger detections because they represent common adversary techniques for execution and lateral movement. By mastering the expected lineage of common binaries, hunters can more effectively filter out legitimate administrative activity from genuine threats.

==========

In the event of a widespread ransomware outbreak, the primary objective of the Hunting Methodology shifts toward identifying "Patient Zero"—the first system compromised in the environment. While reverse engineering (Option D) and vulnerability management (Option C) provide long-term value, they do not offer the immediate forensic clarity needed to stop an active spread or identify the entry point. By utilizing Advanced Event Search to create a chronological timeline of file encryption events (typically identified by high-frequency fswrite operations or specific ransom note creation), a hunter can pinpoint the exact timestamp and host where the activity originated.

This process involves searching for the earliest instances of the ransomware's execution or the first signs of large-scale file modifications across the entire fleet. Once the first system is identified, the analyst can then pivot to look for the activity that occurred prior to the encryption, such as a suspicious email attachment execution, a web-based exploit, or a compromised RDP session. This "backwards-looking" investigation is essential for determining the initial delivery mechanism. Identifying the source host allows the security team to isolate the breach at its root, invalidate compromised credentials used for the initial access, and ensure that remediation efforts are not just treating the symptoms (the encrypted files) but addressing the actual cause of the enterprise-wide infection.

When a hunter encounters a "dual-use" tool like Cloudflared , the investigation must be approached with nuance. Cloudflared (and similar tunneling tools) can be used legitimately by DevOps or IT teams for secure remote access, but they are also frequently used by adversaries for Command and Control (C2) and data exfiltration because they can bypass traditional firewall rules by tunneling traffic over HTTPS.

The first step in Detection Analysis should always be to gather context before taking disruptive actions like network containment or blocking (which could break legitimate business processes). By reviewing the CommandLine arguments in the Falcon Process Timeline , the hunter can see how the tunnel was configured. Are the commands consistent with documented IT procedures? Is the tunnel connecting to a known corporate Cloudflare account, or an anonymous one? Comparing this activity against a baseline of "normal operations" for that specific user or department is essential. If the commands show the tunnel being used to expose a sensitive local port (like RDP or SSH) to the public internet under a non-IT account, the suspicion level increases. This measured approach—investigating the "What" and "Why" before reacting—ensures that the hunter provides accurate triage and avoids unnecessary downtime while still maintaining a high security posture.

In the context of Search and Investigation Tools , tracking the use of unauthorized or unencrypted USB storage devices is a critical component of internal threat hunting and data loss prevention (DLP). The Falcon sensor records these hardware interactions using the specific event name RemovableMediaVolumeMounted . This event is triggered whenever the operating system successfully mounts a removable storage volume, such as a USB flash drive or an external hard disk.

Option A is the correct CrowdStrike Query Language (CQL) syntax because it pairs the appropriate event with fields that provide meaningful forensic context. Fields like VolumeDriveLetter identify which logical drive was assigned (e.g., E: or F:), while VolumeFileSystemDevice and VolumeFileSystemDriver offer technical details about the hardware interface and the driver utilized to facilitate the mount.

Conversely, Option B selects fields that are relevant to process execution and network connectivity (like hashes and IP addresses), which are not typically populated in a volume mount event. Option C focuses on ProcessRollup2 , which tracks the starting of executables rather than hardware mounts. Option D utilizes FsVolumeMounted, which is a broader event that includes internal fixed partitions and network drives, making it less precise for hunting specifically for "removable" media. By utilizing the query in Option A, a hunter can build a timeline of when external devices were connected to the environment, allowing them to correlate these mounts with subsequent file writes or "Exfiltration" behaviors.

When Falcon Machine Learning (ML) triggers a prevention on a locally compiled file, it is often due to the file's characteristics mimicking known malware attributes (a False Positive). In this scenario, where a developer or system owner is compiling code via VSCode, the activity is likely legitimate. However, as part of a robust Detection Analysis workflow, the analyst should first verify the file’s intent. Detonating the file in a private sandbox (such as Falcon Sandbox) allows the analyst to observe the file’s behavior in a controlled environment without leaking potentially sensitive internal code to public repositories like VirusTotal.

Once the file is confirmed as benign and its activity is determined to be "expected," the correct remediation is to implement a Machine Learning Exclusion . Because the detection was triggered by the ML engine’s assessment of the file itself (the hash), an ML exclusion is the appropriate tool to allow that specific file to exist and execute in the future. An IOA exclusion (Option C) would be incorrect here because the detection was based on the file's static/machine-learning properties, not a specific behavioral pattern (IOA). By following this process, the hunter ensures that business operations continue without interruption while maintaining the integrity of the security stack by only whitelisting confirmed, safe files.