
Free CrowdStrike CCFR-201b Practice Exam with Questions & Answers | Set: 6

Question 51

When an analyst downloads a quarantined file from the Falcon UI for offline analysis, what is the specific file format and the required password for extraction?

Options:
A.

The file is downloaded as a 7-zip archive and requires the password 'infected' for extraction.

B.

The file is downloaded in its raw binary format without any encryption or compression.

C.

The file is downloaded as a standard ZIP archive but does not require a password to open.

D.

The file is downloaded as an encrypted .exe that can only be opened by a CrowdStrike sensor.

Question 52

During the triage of a detection involving a newly created persistent task, which specific indicator is most important for a responder to identify the actual intent of that task?

Options:
A.

The total CPU usage of the parent process.

B.

The command-line arguments used during the task creation.

C.

The Agent ID (AID) of the host where the detection fired.

D.

The physical location of the endpoint in the office.

Question 53

When an analyst is trying to pinpoint the exact moment an endpoint came online after being shut down for the weekend, which timeline view is best to use?

Options:
A.

Process Timeline

B.

Host Timeline

C.

User Timeline

D.

Network Timeline

Question 54

A responder needs to categorize an incident based on the high-level goals of the attacker. Which of the following lists correctly identifies the "Objectives" as they are natively defined and used within the Falcon platform?

Options:
A.

Explore, Keep Access, Gain Access, Falcon Detection Method, Contact Controlled systems, Follow Through

B.

Reconnaissance, Delivery, Weaponization, Exploitation, Installation, Command and Control

C.

Identify, Protect, Detect, Respond, Recover, Lessons Learned

D.

Triage, Containment, Remediation, Eradication, Reporting, Recovery

Question 55

To maintain a logical flow during an incident post-mortem, CrowdStrike recommends describing adversary activity using a specific three-part sentence structure. Which combination best completes this sentence: "The adversary was trying to [1], by [2], using [3]"?

Options:
A.

<Technique>, <Tactic>, <Objective>

B.

<Objective>, <Tactic>, <Technique>

C.

<Objective>, <Technique>, <Tactic>

D.

<Tactic>, <Objective>, <Technique>

Question 56

What action is needed to ensure Falcon does not block or generate a detection for a process by using the file hash?

Options:
A.

Create a Custom IOC with an action of allow for the hash

B.

Create a Machine Learning Exclusion with an action of allow for the hash

C.

Create a Custom IOA with an action of allow for the hash

D.

Create an IOA Exclusion with an action of allow for the hash

Question 57

Falcon uses specific identifiers to track processes across the environment. Which of the following sentences best describes what the 'TargetProcessId_decimal' raw data represents?

Options:
A.

The standard Process ID (PID) assigned by the Windows operating system.

B.

A sensor-assigned decimal number that is unique for each process across time and hosts.

C.

The memory address where the process’s executable is loaded.

D.

The total number of seconds the process has been running.

Question 58

After pivoting to an event search from a detection, you locate the ProcessRollup2 event. Which two field values are you required to obtain to perform a Process Timeline search so you can determine what the process was doing?

Options:
A.

SHA256 and TargetProcessId_decimal

B.

SHA256 and ParentProcessId_decimal

C.

aid and ParentProcessId_decimal

D.

aid and TargetProcessId_decimal
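The pivot this question describes, shown in working code as an added example for this practice set (not code from the exam or from CrowdStrike): starting from a ProcessRollup2 event, the sensor-assigned process identifier and the host's aid are taken from the event and used to collect every event the process generated (ContextProcessId_decimal) or spawned (ParentProcessId_decimal). The events are constructed for illustration, the query string's Splunk-style syntax is an assumption about how Event Search accepts it, and the OS-PID lookup is included only to show why the PID is not a usable key.

```python
"""Pivoting from a ProcessRollup2 event to what the process did.

Added example for this practice set, not CrowdStrike's own code. The field
names are Falcon event-data fields (aid, TargetProcessId_decimal,
ParentProcessId_decimal, ContextProcessId_decimal, RawProcessId_decimal,
event_simpleName); the events below are constructed, not real telemetry.
"""
from typing import Dict, List

Event = Dict[str, str]

# Constructed sample events. SAMPLE_EVENTS[0] is the ProcessRollup2 we pivot
# from. Events on the same host reference it via ContextProcessId_decimal
# (activity performed by the process) or ParentProcessId_decimal (a child
# process). The last event is on a different host whose OS happened to hand
# out the same PID (RawProcessId_decimal), so the PID alone is ambiguous.
SAMPLE_EVENTS: List[Event] = [
    {"event_simpleName": "ProcessRollup2", "aid": "0123456789abcdef",
     "TargetProcessId_decimal": "281474976710657",
     "ParentProcessId_decimal": "281474976710000",
     "RawProcessId_decimal": "4120", "FileName": "powershell.exe"},
    {"event_simpleName": "DnsRequest", "aid": "0123456789abcdef",
     "ContextProcessId_decimal": "281474976710657",
     "DomainName": "example.invalid"},
    {"event_simpleName": "NewExecutableWritten", "aid": "0123456789abcdef",
     "ContextProcessId_decimal": "281474976710657",
     "TargetFileName": "C:\\Users\\Public\\x.exe"},
    {"event_simpleName": "ProcessRollup2", "aid": "0123456789abcdef",
     "TargetProcessId_decimal": "281474976710701",
     "ParentProcessId_decimal": "281474976710657",
     "RawProcessId_decimal": "5008", "FileName": "x.exe"},
    {"event_simpleName": "ProcessRollup2", "aid": "fedcba9876543210",
     "TargetProcessId_decimal": "281474976710999",
     "ParentProcessId_decimal": "281474976710002",
     "RawProcessId_decimal": "4120", "FileName": "notepad.exe"},
]


def process_timeline_filter(rollup: Event) -> str:
    """Return the two-key filter a Process Timeline search is built from.

    The ProcessRollup2 event supplies aid and TargetProcessId_decimal. Events
    generated by the process carry that value in ContextProcessId_decimal and
    child ProcessRollup2 events carry it in ParentProcessId_decimal. The
    Splunk-style syntax is an assumption; adapt it to your tenant's query
    language.
    """
    aid, tpid = rollup["aid"], rollup["TargetProcessId_decimal"]
    return (f'aid="{aid}" (TargetProcessId_decimal="{tpid}" '
            f'OR ContextProcessId_decimal="{tpid}" '
            f'OR ParentProcessId_decimal="{tpid}")')


def process_activity(events: List[Event], aid: str, tpid: str) -> List[Event]:
    """Offline equivalent of the filter: everything the process did or
    spawned on this host, excluding the pivot event itself."""
    return [
        e for e in events
        if e.get("aid") == aid
        and tpid in (e.get("ContextProcessId_decimal"),
                     e.get("ParentProcessId_decimal"))
    ]


def by_os_pid(events: List[Event], pid: str) -> List[Event]:
    """Keying on the OS PID instead: PIDs recur across hosts and across
    time on one host, so the match is ambiguous."""
    return [e for e in events if e.get("RawProcessId_decimal") == pid]


if __name__ == "__main__":
    pivot = SAMPLE_EVENTS[0]
    print(process_timeline_filter(pivot))
    for e in process_activity(SAMPLE_EVENTS, pivot["aid"],
                              pivot["TargetProcessId_decimal"]):
        print(e["event_simpleName"],
              e.get("DomainName") or e.get("TargetFileName") or e.get("FileName"))
    print("OS PID 4120 matches", len(by_os_pid(SAMPLE_EVENTS, "4120")), "processes")
```

Run it as a script to see the filter string, the three events attributable to the pivot process (a DNS request, a file write and the child process it spawned), and the two unrelated processes that share OS PID 4120.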

Question 59

Refer to the image.

CCFR-201b Question 59

What does the arrowed line indicate?

Options:
A.

PowerShell spawned Notepad.exe, which injected a thread back to Excel.exe

B.

The thread injection was considered a Medium severity injection

C.

PowerShell spawned Notepad.exe, which injected a thread back to PowerShell

D.

Notepad.exe injected itself into Excel.exe