CrowdStrike Exam CCFR-201 Topic 3 Question 20 Discussion

Actual exam question for CrowdStrike's CCFR-201 exam

Question #: 20
Topic #: 3

You found a list of SHA256 hashes in an intelligence report and search for them using the Hash Execution Search. What can be determined from the results?

AIdentifies a detailed list of all process executions for the specified hashes

BIdentifies hosts that loaded or executed the specified hashes

CIdentifies users associated with the specified hashes

DIdentifies detections related to the specified hashes

Show Suggested Answer

Suggested Answer: B

According to theCrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, when you quarantine a file from a host using IOC Management or Real Time Response (RTR), you are moving it from its original location to a secure location on the host where it cannot be executed2.The file is also encrypted and renamed with a random string of characters2.On Windows hosts, quarantined files are stored in C:WindowsSystem32DriversCrowdStrikeQuarantine folder2.

by Filiberto at Aug 03, 2024, 03:26 PM

Limited Time Offer

25%

Off

Get Premium CCFR-201 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Tina

1 days ago

I think option B is the correct answer. The hash execution search should be able to identify the hosts that have executed the specified hashes.

upvoted 0 times

...

Ronald

4 days ago

I'm not sure, but I think it could also be D) Identifies detections related to the specified hashes. That way we can see if any threats were detected.

upvoted 0 times

...

Lashawn

4 days ago

I agree with Katie. It makes sense that the search would show the hosts where the hashes were executed.

upvoted 0 times

...

Katie

9 days ago

I think the answer is B) Identifies hosts that loaded or executed the specified hashes.

upvoted 0 times

...