CrowdStrike Updated CCFH-202b Exam Questions and Answers by indi

The Host search (often accessed via the Host Investigate dashboard) is the primary "Host-Centric" investigation tool in the Falcon console. When an analyst enters a hostname or Agent ID (AID) into this tool, Falcon retrieves a consolidated view of that specific system's activity. One of the most critical sections of this dashboard is the Recent Logons list.

This view provides a chronological history of every user account—both local and domain—that has successfully authenticated to the host. For a hunter, this is an essential part of the Hunting Methodology for identifying "Credential Overlap" or unauthorized access. If an unusual administrative account or a service account that has no business being on that server is listed, it can indicate lateral movement (T1021). While User Search (Option C) allows you to see all the machines a specific user has touched, only Host search provides the "reverse" view: every user that has touched a specific machine . This allows the analyst to establish a baseline of "normal" users for a server (e.g., specific DBA accounts for a SQL server) and quickly spot anomalies that warrant a deeper dive into the UserLogon events in the Event Search.

When dealing with widespread malware, such as a persistent scheduled task, a hunter must be able to aggregate vast amounts of telemetry into a manageable list of impacted assets. Within the CrowdStrike Query Language (CQL) used in LogScale, the groupBy() function is the primary tool for data aggregation and deduplication. While functions like table() simply format the output and stats is often used for mathematical calculations, groupBy() allows the analyst to collapse thousands of individual "ServiceStarted" or "ScheduledTaskRegistered" events into a distinct list based on a specific field, such as aid (Agent ID) or ComputerName.

For this specific scenario, a hunter would query for the specific task name or the command-line arguments associated with the 5-minute execution interval and then pipe those results into | groupBy([aid]). This effectively filters out the noise of repeated executions from the same machine, presenting the hunter with a clear, unique count of every host that has been compromised. This efficiency is vital during the "Scope" phase of an investigation. By utilizing groupBy(), an analyst can quickly determine if the infection is localized to a single department or has spread globally across the enterprise, allowing for a prioritized remediation strategy using Bulk RTR or other containment measures.

In the CrowdStrike Query Language (CQL) used within the LogScale-powered Advanced Event Search, the groupBy() function is the essential tool for data aggregation and summarization. As observed in the first image, Line 2 of the query (partially obscured) utilizes the function= parameter to define multiple aggregate calculations, such as count(aid, distinct=true) and count(aid). This syntax is the hallmark of a groupBy statement.

The results shown in the subsequent images display a table where each row is unique to a specific SHA256HashData . This indicates that the data has been grouped by that specific field to provide a summary of its activity across the environment. The groupBy function allows a hunter to take millions of individual process events and collapse them into a readable format that highlights uniqueEndpoints and totalExecutions per file hash.

This methodology is fundamental to Hunting Analytics , specifically for performing Least Frequency Analysis . By grouping by the hash and counting the unique endpoints, an analyst can quickly identify binaries that are running on only one or two systems—a common characteristic of targeted malware or custom hacking tools. While functions like table (Option C) are used to format the final display and eval (Option A) is used for field transformations, only groupBy provides the structural aggregation required to generate the multi-column statistical overview seen in the results.

When conducting an Event Search using the CrowdStrike Query Language (CQL) , precision in naming event types is paramount. The Falcon sensor records the creation and modification of scheduled tasks under the specific event name ScheduledTaskRegistered . This event is highly valuable for hunters investigating Persistence (MITRE T1053), as it captures the specific details of the task, including the command to be executed, the frequency of the trigger, and the identity of the user who created it.

Option B is the correct query because it directly targets the administrative action of task registration and filters the results by the UserName field to isolate actions taken by "Doris." Option A is incorrect as it looks for files with a specific extension, and Option C focuses on the Task Manager GUI process (taskmgr.exe), which is not the process responsible for the actual background registration of tasks (that is typically handled by svchost.exe or schtasks.exe). Option D uses a non-existent event name. By using the ScheduledTaskRegistered event, a hunter can immediately see if an account—potentially a compromised one—is being used to establish a long-term foothold in the environment. This search is a core component of a "Persistence Hunt," where the goal is to find unauthorized automation that allows an attacker's code to survive system reboots and credential rotations.