CCFH-202b CrowdStrike Certified Falcon Hunter Questions and Answers

This command is a textbook example of a multi-stage, fileless attack using "Living off the Land" (LotL) techniques. In Detection Analysis , the presence of WmiPrvSE.exe (WMI Provider Host) as the parent process is a significant indicator of Lateral Movement (T1021.006), suggesting the command was triggered remotely via WMI. The command-line arguments use Net.WebClient to perform a "DownloadString" operation, which pulls the Invoke-Shellcode.ps1 script directly from a GitHub repository into memory without ever writing the file to disk.

The IEX (Invoke-Expression) cmdlet then executes that script in memory. The final part of the string, Invoke-Shellcode -Payload windows/meterpreter/reverse_http, specifically instructs the script to deploy a Meterpreter payload—a common component of the Metasploit Framework. This payload is configured to establish a reverse shell back to the attacker-controlled IP address (172.17.0.21) on port 8080. The use of -Windowstyle Hidden and -noprofile ensures the activity is invisible to the end-user and bypasses local profile configurations. For a Falcon Hunter, this represents a critical, high-severity detection. The investigation must focus on how the attacker gained the credentials necessary to trigger WMI and identifying which other hosts in the environment have had similar "DownloadString" events associated with the same internal IP.

The command net user < username > < password > /add /domain is a direct method used by adversaries to perform the Create Account technique (T1136) within the MITRE ATT & CK Matrix. Specifically, this command attempts to create a new domain account, which allows the attacker to establish a foothold that appears legitimate and can be used for subsequent authentication across the network. Unlike Account Manipulation , which involves modifying existing accounts (such as changing a password or adding a user to a group), Create Account focuses on the generation of entirely new credentials to maintain access and bypass certain security triggers.

From a Detection Analysis perspective in Falcon, this activity is highly visible within the ProcessRollup2 events. Analysts look for the net.exe or net1.exe binaries being called with the /add and /domain flags in the CommandLine field. This behavior is a common post-exploitation step following initial access. If an adversary successfully creates a domain account, they can then transition to using Valid Accounts (T1078) for lateral movement, making their actions much harder to distinguish from normal administrative traffic. Hunting for this technique requires a baseline understanding of authorized account creation procedures within the organization; any deviation, such as the use of "hacker" as a username or execution from a non-domain controller host, should be treated as a high-severity incident.

When a hunter encounters a "dual-use" tool like Cloudflared , the investigation must be approached with nuance. Cloudflared (and similar tunneling tools) can be used legitimately by DevOps or IT teams for secure remote access, but they are also frequently used by adversaries for Command and Control (C2) and data exfiltration because they can bypass traditional firewall rules by tunneling traffic over HTTPS.

The first step in Detection Analysis should always be to gather context before taking disruptive actions like network containment or blocking (which could break legitimate business processes). By reviewing the CommandLine arguments in the Falcon Process Timeline , the hunter can see how the tunnel was configured. Are the commands consistent with documented IT procedures? Is the tunnel connecting to a known corporate Cloudflare account, or an anonymous one? Comparing this activity against a baseline of "normal operations" for that specific user or department is essential. If the commands show the tunnel being used to expose a sensitive local port (like RDP or SSH) to the public internet under a non-IT account, the suspicion level increases. This measured approach—investigating the "What" and "Why" before reacting—ensures that the hunter provides accurate triage and avoids unnecessary downtime while still maintaining a high security posture.

In the MITRE ATT & CK Framework , it is essential to distinguish between Tactics and Techniques . "Credential Access" represents the Tactic—the adversary’s ultimate goal or "Why." However, OS Credential Dumping (T1003) is the specific Technique—the "How"—used to achieve that goal. Within the Falcon Console's Detections page, filtering by Technique allows a hunter to isolate specific behaviors, such as the unauthorized extraction of cleartext passwords or hashes from the LSA Secrets or the SAM database.

When a hunter filters for OS Credential Dumping , the Falcon platform surfaces events associated with processes like lsass.exe being accessed by suspicious tools (e.g., Mimikatz) or through unusual methods like procdump.exe. Utilizing this specific technique as a filter is a key part of Hunting Methodology , as it enables the analyst to identify patterns of behavior across multiple hosts that might otherwise look like isolated incidents. While "Gain Access" might be part of the broader narrative, it is too broad for effective filtering. By focusing on the specific technique of credential dumping, a hunter can prioritize high-severity alerts that directly lead to lateral movement or administrative compromise, ensuring that the response effort is focused on the most critical stages of the attack lifecycle.

In proactive threat hunting, Least-Frequency Analysis (LFA) is a powerful technique used to identify anomalies by looking for rare events that deviate from the organizational baseline. Windows services typically execute from standardized, protected directories such as C:\Windows\System32\. When a service is observed starting from a non-standard location—such as a user's Temp folder or a suspicious application directory—it often indicates persistence or a "Living off the Land" attack.

The correct query utilizes the != (not equal) operator within the CrowdStrike Query Language (CQL) to filter out legitimate, common paths. By excluding the System32 and servicing directories, the hunter narrows the dataset to focus exclusively on services running from irregular paths. The groupBy function is then used to aggregate these occurrences by ServiceDisplayName, collecting the specific ImageFileName and counting the frequency of each. Finally, sorting by count in ascending order (order=asc) ensures that the "least-used" or rarest services appear at the top of the results. This methodology allows a hunter to bypass the "noise" of thousands of standard system services and pinpoint unique, potentially malicious binaries that have registered themselves as services to maintain a long-term foothold on the endpoint.

==========

In the context of Search and Investigation Tools , the BIOS Analysis dashboard is a specialized forensic resource that provides deep visibility into the firmware health of the managed fleet. While "BIOS Firmware Inventory" (Option D) provides a flat list of current versions across the organization, the BIOS Analysis dashboard is uniquely designed to correlate that inventory data with known vulnerabilities and historical change events.

For a hunter, this dashboard is essential for identifying systems at risk of hardware-level persistence or "Bootkit" attacks. It provides a detailed timeline of firmware updates and changes, allowing an investigator to see exactly when a BIOS version was modified—which is critical if an adversary has attempted to flash a malicious or vulnerable firmware image. Furthermore, the dashboard categorizes vulnerabilities by type and severity, mapping them to specific CVEs (Common Vulnerabilities and Exposures). This level of detail allows security teams to prioritize patching for the most critical assets first. By moving beyond simple inventory and into behavioral and vulnerability analysis of the BIOS, the Falcon platform enables hunters to address threats that exist below the operating system level, ensuring a comprehensive security posture that extends from the hardware to the cloud.

In the discipline of Hunting Methodology , identifying "hidden in plain sight" directories is a primary objective for uncovering persistent threats. The Recycle Bin ($Recycle.Bin) is considered a highly suspicious directory for process execution because legitimate applications are almost never designed to run from this location. Adversaries frequently utilize this path to stage malicious binaries, as it is a directory that is often overlooked by manual administrative review and some legacy security tools (MITRE ATT & CK T1564.001 - Hidden Files and Directories).

The query in Option C correctly addresses the two specific requirements of the prompt. First, it uses the wildcard aid=* to ensure the hunt is performed across all hosts in the enterprise, providing a global view rather than focusing on a single machine (as seen in Option B). Second, it utilizes a regular expression /\$Recycle\.Bin/i to filter for any ProcessRollup2 events where the ImageFileName originates from the Recycle Bin. While directories like "Downloads" or "Desktop" can also be used for staging, they are significantly "noisier" in a production environment as legitimate users frequently run installers from those paths. By targeting the Recycle Bin and using the groupBy function to aggregate the SHA256HashData, a hunter can quickly identify unique, unauthorized binaries that have been moved to a hidden area to evade detection. This proactive approach allows the security team to identify the "Patient Zero" host and any subsequent lateral movement involving the same malicious hash.

In the context of Hunting Analytics , outlier analysis—often referred to as Least Frequency Analysis (LFA) or "Long-Tail Analysis"—is a methodology used to identify anomalous behavior by isolating events that occur rarely within a large dataset. Attackers often use unique command-line arguments or rare scripts that stand out when compared to the repetitive, high-volume "noise" generated by standard administrative activities or automated system processes.

In the provided CrowdStrike Query Language (CQL) query, Line 6 (| test(executionCount < 10)) is the specific line used to perform this outlier analysis. While Line 5 performs the aggregation and counting of events across the environment, it is Line 6 that applies a logic threshold to filter out common events. By instructing the engine to only return results where the executionCount is less than 10, the hunter is intentionally discarding all "normal" high-frequency activity and focusing exclusively on rare executions. This is a critical step in a PowerShell hunt, as most legitimate enterprise scripts will run hundreds or thousands of times, whereas a malicious manual execution or a new, untested exploit script will typically have a very low execution count. Line 7 further assists by sorting these outliers in ascending order, but the actual analytical "test" that defines the outlier occurs in Line 6. Utilizing such thresholds allows hunters to efficiently sift through millions of events to find the "needles in the haystack" that represent potential security breaches.

The Falcon platform provides a variety of visual Reports and References designed to help security teams identify geographic anomalies that may indicate unauthorized access or compromised credentials. The Global connection heat map is a specialized dashboard that aggregates network telemetry and visualizes it based on the geographic origin of the connections associated with Falcon-managed hosts.

This report is a vital component of a hunter's toolkit for "Geofencing" or identifying "Impossible Travel" scenarios. By providing a high-level visual representation of where in the world host connections are originating, it allows analysts to quickly spot outliers—such as a connection from a country where the organization has no employees, offices, or known business interests. While the "Geo location activity" (Option A) might sound similar, the "Global connection heat map" is the specific built-in name for the dashboard that provides the density-based visualization required to distinguish between a single anomalous connection and a widespread, automated attack originating from a specific region. Once an anomaly is identified on the heat map, a hunter can pivot directly into the associated events to see which aid (Agent ID) is involved and what specific processes or users are initiating those suspicious international connections.

In the CrowdStrike Falcon platform, the TreeId serves as the primary unique identifier used to correlate all events associated with a specific process execution and its lifecycle. When an analyst is performing an investigation via Event Search using CQL , the TreeId acts as the "glue" that binds disparate telemetry data points together. While a ComputerName identifies the physical or virtual host and event_simpleName describes the action (such as a file creation or network connection), neither provides the execution context required to isolate a specific malicious incident.

The TreeId is specifically designed to group all activity related to a process tree, including the actions of the process itself and its subsequent child processes. By filtering a query using a specific TreeId identified in a detection, a hunter can instantly view every related event—such as DNS requests, registry modifications, and module loads—regardless of how many other unrelated processes are running on the same endpoint. While ParentProcessId can be used to manually trace lineage, it is not as efficient or definitive as the TreeId for automated correlation across the entire dataset. Utilizing the TreeId ensures that the investigation remains focused on the relevant execution path, allowing for a comprehensive reconstruction of the adversary's behavior from the moment of execution until the process terminates.

In the context of Detection Analysis , identifying the "root cause" or the source of an infection requires tracing the process lineage back to the point of entry. In the provided execution chain—Unknown Process - > chrome.exe - > wscript.exe - > powershell.exe—each node represents a stage of the attack. While powershell.exe is the execution engine for the malicious script and wscript.exe is the intermediate handler (likely executing a downloaded .vbs or .js file), chrome.exe represents the ingress point.

By investigating chrome.exe , an analyst can uncover critical forensic artifacts such as the specific URL the user visited, the domain from which the malicious file was downloaded, or a potentially compromised website that initiated a drive-by download. In the Falcon platform, looking at the ParentProcessId and the CommandLine of chrome.exe (or using the Bulk Domain Investigate tool for associated network connections) provides the "Who" and "How" of the initial access. Although the "Unknown Process" sits at the top of the tree—typically representing a process that started before the Falcon sensor—the activity relevant to the script's delivery is contained within the Chrome session. Mastering this "parent-ancestor" relationship is fundamental to effective hunting, as it allows responders to move beyond simple remediation of the script execution and address the underlying delivery mechanism to prevent future re-infection.

==========

When performing advanced hunting, telemetry from individual events (like a ProcessRollup2) often lacks organizational context, such as the host's Operating System version or its location within the Active Directory Organizational Unit (OU) . In the Falcon platform, this metadata is stored in lookup files like aid_master_main.csv. To enrich real-time event data with this contextual information, the lookup() function is the standard and most efficient method within the CrowdStrike Query Language (CQL) .

The lookup function works by mapping a common field—in this case, the Agent ID (aid) —between the event stream and the static CSV file. By specifying include=[Version, OU], the query instructs the engine to append the specific OS version and OU path to every matching process execution event. This allows a hunter to filter for "older Windows operating systems" (e.g., Windows 7 or Server 2008) or focus specifically on OUs containing "Domain Admins" or "Critical Servers." This methodology is a core component of Search and Investigation Tools , as it transforms raw technical data into actionable intelligence. Without the lookup function, an analyst would have only the technical process details without knowing the strategic importance or the underlying vulnerability (OS version) of the target host, significantly hindering the ability to prioritize the investigation.

==========

To perform a complete and effective investigation into a specific process's behavior within the Falcon platform, an analyst must understand how the system correlates disparate telemetry events. The two primary keys for this correlation are TargetProcessId and ContextProcessId . These IDs act as the "Common Threads" that allow Search and Investigation Tools to reconstruct the full lifecycle of an execution.

When a process is first created, it generates a ProcessRollup2 event (or a SyntheticProcessRollup2 if it was already running). In this specific event, the process's unique identifier is recorded in the TargetProcessId field. However, all subsequent actions performed by that process—such as network connections (NetworkConnectIP4), file modifications (fswrite), or DNS lookups—do not use the TargetProcessId. Instead, they include a field called ContextProcessId , which "points" back to the original process ID. By selecting and filtering for both of these fields in a query, a hunter can successfully "join" the metadata of the process (its name, command line, and user) with the actual activities it performed. Selecting only one of these would result in an incomplete picture: you would see the process start but not what it did, or see various actions without knowing exactly which process was responsible for them. Mastering the relationship between Target and Context IDs is fundamental for pivoting through the process timeline.

In Event Search , correlating the full scope of a process's activity requires an understanding of the "Process ID Trinity." When the process reallysus.exe is executed, its primary identity is captured in a ProcessRollup2 event under the TargetProcessId . However, searching only for the TargetProcessId would merely return the process start record. To see the actions the process performed—such as connecting to a malicious IP or writing a persistence key—the hunter must also search for the ContextProcessId .

The ContextProcessId is used in all telemetry events generated by that process. Furthermore, for cross-process activity initiated via Remote Procedure Calls, the RpcClientProcessId may be involved. By using the OR operator to combine TargetProcessId, ContextProcessId, and RpcClientProcessId in a single query, the hunter ensures they are capturing the entire lifecycle: the creation of the process, every network/file/registry operation it performed, and its interactions with other system services. This comprehensive search strategy is fundamental to Search and Investigation Tools , as it allows for a seamless reconstruction of the adversary's timeline. Missing any of these identifiers would result in "blind spots" in the investigation, potentially hiding the most critical evidence of data exfiltration or lateral movement.

In the CrowdStrike Falcon ecosystem, the Events Full Reference , commonly referred to as the Events Data Dictionary , is the foundational documentation for any analyst performing raw telemetry analysis. This document serves as the definitive encyclopedia for every event type (such as ProcessRollup2, NetworkConnectIP4, or DnsRequest) and every individual field (such as aid, TargetProcessId, or CommandLine) captured by the Falcon sensor.

When a hunter is crafting complex queries in Event Search , the Data Dictionary provides the necessary context to understand exactly what a specific field represents and the data types it contains. For example, if an analyst is unsure whether a timestamp is in milliseconds or seconds, or needs to know the difference between a ParentProcessId and a ContextProcessId, the Events Full Reference is the primary source of truth. Utilizing this document is a core part of the Hunting Methodology , as it allows the hunter to move beyond the high-level GUI and build precise, technical queries based on a deep understanding of the underlying data structure. Without referencing this data dictionary, an analyst might misinterpret field values, leading to "false negatives" in their search results. It is the essential roadmap for navigating the massive amounts of telemetry stored within the Falcon platform.