CCFH-202b Questions Bank

In the context of Hunting Analytics , identifying the exploitation of CVE-2021-44228 (Log4j) requires looking for specific patterns associated with the Java Naming and Directory Interface (JNDI). The vulnerability allows an attacker to send a specially crafted string—often via an HTTP header or input field—that the Log4j library then parses and executes, leading to a remote JNDI lookup and subsequent code execution.

The event #event_simpleName=ScriptControlDetectInfo is particularly effective for this hunt because it provides visibility into the actual scripts and commands being interpreted and executed by the system. By searching the ScriptContent field for the regex /.*jndi:\w{1,5}:?\}?\/\/.*\}/i, a hunter can identify the tell-tale signature of a Log4j exploit payload, such as ${jndi:ldap://...}. While Option B targets the HttpRequestHeader, this requires specific network-level visibility that might not always be present or indexed in the same way as script execution telemetry. The ScriptControlDetectInfo event captures the payload when it interacts with the underlying system's script engines, providing a more definitive link between the exploit attempt and the resulting malicious activity on the Linux host. Using this granular level of visibility allows hunters to distinguish between a simple probe (network level) and an active exploitation attempt where the malicious string is being processed by the application's runtime environment.

The Falcon platform provides specialized Search and Investigation Tools tailored to different forensic starting points. When the pivot point of an investigation is a specific person or account rather than a file or a machine, the User Search dashboard is the most effective tool. While a Host Search would show everything happening on a specific computer (which might include activity from multiple users or system services), the User Search aggregates all activity associated with a specific Username across the entire environment.

By entering the suspect's username into this dashboard, a hunter can view a comprehensive list of all processes, command-line arguments, and network connections initiated under that user’s credentials, regardless of which endpoint they logged into. This is particularly useful for identifying "Insider Threats" or "Privilege Abuse," where an admin might be using net.exe to modify groups or psexec.exe to move laterally. The User Search provides a chronological view of that user's actions, making it easy to spot unauthorized administrative behavior that deviates from their standard job duties. Once a suspicious command is found in the User Search, the analyst can then pivot to the Process Timeline or Process Context for deeper technical inspection of that specific execution.