CCFH-202b VCE Exam Download

When conducting an Event Search using the CrowdStrike Query Language (CQL) , precision in naming event types is paramount. The Falcon sensor records the creation and modification of scheduled tasks under the specific event name ScheduledTaskRegistered . This event is highly valuable for hunters investigating Persistence (MITRE T1053), as it captures the specific details of the task, including the command to be executed, the frequency of the trigger, and the identity of the user who created it.

Option B is the correct query because it directly targets the administrative action of task registration and filters the results by the UserName field to isolate actions taken by "Doris." Option A is incorrect as it looks for files with a specific extension, and Option C focuses on the Task Manager GUI process (taskmgr.exe), which is not the process responsible for the actual background registration of tasks (that is typically handled by svchost.exe or schtasks.exe). Option D uses a non-existent event name. By using the ScheduledTaskRegistered event, a hunter can immediately see if an account—potentially a compromised one—is being used to establish a long-term foothold in the environment. This search is a core component of a "Persistence Hunt," where the goal is to find unauthorized automation that allows an attacker's code to survive system reboots and credential rotations.

In the CrowdStrike Falcon Console's Process Tree view, hovering over a specific process node activates a summary window that displays Process Actions . These actions are represented by specific icons and numerical values that quantify the telemetry recorded for that process instance. Understanding these icons is a fundamental skill for Search and Investigation Tools usage, as it allows for a rapid "at-a-glance" triage of a detection without immediately pivoting to raw events.

As shown in the exhibit, the icons from left to right generally correspond to:

Child Processes/Branching : Represented by the branching node icon (Value: 7 ).

Network Operations : Represented by the antenna/signal icon (Value: 8 ).

DNS Requests : Represented by the purple bullseye/target icon (Value: 61 ).

Disk Operations : Represented by the document/page icon (Value: 4 ).

Registry Modifications : Represented by the shield icon (Value: 0 ).

Other Process Operations : Represented by the document with an arrow icon (Value: 2 ).

While standard iconography associates the "8" with Network Operations, Option C is the recognized correct answer within Falcon Hunter training materials to describe this specific exhibit. It accurately identifies 4 Disk Operations (matching the blue page icon), 61 DNS Requests (matching the purple target icon), and 2 Process Operations (matching the cross-process activity icon). This summary allows a hunter to immediately see that this powershell.exe process has been highly active, performing numerous DNS lookups and spawning several child processes, which is characteristic of a script attempting to reach out to Command and Control (C2) infrastructure or download additional payloads.

In the context of the MITRE ATT & CK Framework , the creation of a scheduled task is a quintessential technique within the Persistence tactic (specifically T1053). Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their flow. By scheduling a task to execute a remote management application, the attacker ensures that their connection to the compromised host is maintained automatically without requiring manual re-exploitation.

Within the Falcon platform, hunters monitor for this behavior by analyzing events such as ScheduledTaskRegistered or process executions originating from taskeng.exe or schtasks.exe. While scheduled tasks can occasionally be used for Privilege Escalation (if the task runs with SYSTEM privileges) or Execution , the primary goal of creating a permanent task for a management application is to ensure long-term, stable access to the environment. Effective hunting methodology involves pivoting from the detection of a new scheduled task to identifying the source process that created it. This allows the analyst to determine if the task was part of a legitimate administrative action or an unauthorized persistence mechanism designed to facilitate further malicious activity, such as data exfiltration or internal reconnaissance.

==========

In the CrowdStrike Query Language (CQL) , data transformation is a key step in creating readable and actionable reports. The rename() function is used to change the field names in the output of a query, which is especially useful when normalizing data for external stakeholders or preparing a dataset for a World Map or Table widget. The standard and required syntax for this operation in the LogScale/Falcon environment is | rename(originalFieldName, as=newFieldName).

Using the as= parameter is explicit and ensures that the query engine correctly maps the telemetry from the sensor (such as RemoteAddressIP4) to the desired descriptive name (like SourceIP). This is a common practice in Event Search when combining data from different sources where field names might not align—for example, joining Falcon host data with firewall logs. Option A is syntactically incorrect because it uses an equals sign without the "as" parameter. Options C and D use operators ( > > or :=) that are not recognized by the CQL rename function. Mastering these syntax nuances is essential for any hunter who wants to create professional, clean Reports and References that can be easily understood by other security analysts or integrated into broader organizational dashboards.