Falcon Flashcards
What causes an incident?
Detections, associated processes and the connections between them
What generates a Detection?
suspicious files and behaviors
IOC and IOA
Where do you find the crowdscore?
Activity Dashboard
What is the crowdscore?
Likelihood that hostile activity is going on against your org
Examples of the types of information that might be shown in the summary panel
- General: information about the detection and host involved
- The commands, executables and files involved, including an explanation of the command's behaviour and effects, powered by Charlotte AI
- The tactics, techniques and objectives that were used
- The associated hashes
- Which prevention actions, if any, were taken
- Which files were quarantined
- Network-based indicators and DNS requests
- Vulnerabilities that are present on an associated host. View the host’s risk posture at a high level alongside detection-specific info. Pivot to view more detailed vulnerability info from Falcon Spotlight.
- Misconfigurations that are present on a specific cloud-based host. Pivot to view more detailed vulnerability info from Cloud Security Posture Management.
What is shown in the “see full detections” view?
- Details: More detailed information about the detection. This view also includes a status log for the detection.
- Process table: A table view of the processes associated with the detection, with the first associated process shown at the top of the table. Refine the view by showing and hiding layers. You can show and hide the legend and summary panel.
- Process tree: A graph view of the processes associated with the detection. Each node in the process tree represents a process. Hover over or click a node to see additional details. Refine the view by showing and hiding layers. You can show and hide the legend and summary panel.
- Events timeline: A list of all relevant events in chronological order. Refine the view by showing and hiding layers. You can show and hide the legend and summary panel.
What is AID?
Agent ID (AID): Every sensor in your environment is uniquely identified by its Agent ID, or AID. If you have 5,000 sensors, you will have 5,000 unique AIDs.
AIDs are globally unique across all customer environments.
What is CID?
Customer ID (CID): Used to identify customer environments. Every environment has a unique CID.
What is a pattern ID?
Pattern ID: Every detection is associated with a pattern, and each pattern has a unique ID.
What is RFM?
Reduced functionality mode
Explain what RFM does?
RFM is a safe mode for the sensor that prevents compatibility issues if the host kernel is uncertified. It is most common during Windows updates.
What is OSFM?
OS Feature monitor
Monitors changes in the Windows kernel so the sensor can adapt accordingly.
How can I tell if my system is in RFM?
Host management page
or
Dashboards > Executive summary
Click on the RFM widget
or
From investigate
SensorStateBitmap_decimal = 2 means the host is in RFM
SensorStateBitmap_decimal = 0 means the host is not in RFM
How do you run scripts in RTR?
Running scripts from the Run Commands tab
On the Run Commands tab, you have two options to populate the command field to run a Falcon script or a custom script:
* Expand the session details panel from the right to see available Falcon scripts and custom scripts under the Scripts tab. Click the name of any script or select Insert script from the three-dot menu to populate the command field. You can search and sort the script lists and select View details to see the script content and provide Falcon script arguments.
* For custom scripts, run the runscript command with one of the following flags:
  * CloudFile: Enter the name of an existing custom script already saved in the CrowdStrike cloud directly into the command line.
  * Raw: Enter the script content directly into the command line (RTR Administrator only). Enclose the entire script contents in triple backticks.
  * HostPath: Enter the file path of an existing custom script stored locally on the remote host (RTR Administrator only).
* For Falcon scripts, run the falconscript command with the following flags:
  * Name: Enter the name of the Falcon script. For example, "Fileinfo".
  * JsonInput: Enter the JSON input for the Falcon script. Enclose it in single quotes and triple backticks. For example: ```'{"Path":"C:\\myfile.txt"}'```
Real Time Response commands and platforms
cat
cd
clear
cp
csrutil
cswindiag
encrypt
env
eventlog
falconscript
filehash
get
getsid
help
history
ifconfig
ipconfig
kill
ls
map
memdump
mkdir
mount
mv
netstat
ps
put
put-and-run
reg query
reg set
reg delete
reg load
reg unload
restart
rm
run
runscript
shutdown
tar
umount
unmap
update
users
xmemdump
zip
What is cswindiag?
The command gathers log files and information about the state of a Windows host and packages them into a zip file that you can send to Support.
Who can change the containment status of a host?
A user must have the Falcon Administrator role or Falcon Security Lead role to contain a host or remove it from containment. However, all users can see which hosts are contained as well as host-specific containment history using the Hosts App.
What kind of hosts can be contained?
You can contain any host running the Falcon sensor, regardless of whether the host generated a detect or not.
How does containment affect a host's connectivity to the CrowdStrike cloud?
When a host is under containment, it can still send and receive information to the CrowdStrike cloud. Using the cloud, you can remediate and remove a host from active containment. A host under containment remains contained even if the connection to the cloud is severed or if the host is rebooted.
Note: If an Android or iOS host is automatically contained due to a man-in-the-middle attack, the sensor is unable to connect to the CrowdStrike cloud due to the ongoing attack. Sensors reconnect to the cloud as soon as a trustworthy network connection can be established.
How does containment work at the sensor level?
Upon receiving the Network Containment request, the Falcon sensor blocks all incoming and outgoing network connections to and from the host other than the sensor's connection to the cloud. All existing connections will be terminated, except those that you have allowed using network traffic allowlisting. If the Falcon sensor receives a request to remove a host from containment, the sensor lifts all network restrictions that it previously enforced. Hosts can only be contained and removed from containment one at a time. After containing a host or removing a host from containment, the host's status will change to Pending containment or Lift Containment Pending. Note that if you want access to a host after it's contained, CrowdStrike advises that you work with your internal IT/networking team in a test environment to ensure that you allowed everything necessary before using the machine in production.
Note: If an Android or iOS host is automatically contained due to a man-in-the-middle attack, the sensor doesn’t allow these connections.
Host containment, what if I’m using a proxy?
The Falcon sensor caches information about what proxy it can connect to. As long as nothing in your network environment or proxy configuration changes, a host that is behind a proxy can be contained and removed from containment. However, if for some reason the network environment or proxy endpoint changes while a host is contained, there is a risk that the host will not be able to discover a new proxy and communicate with the cloud, and will therefore be unable to be removed from containment.
I contained a host but it still has network connectivity. What do I do?
First, check if the status of the host is Containment pending. This status means that the request is still pending. If the status persists, reissue the containment request and wait several minutes. If the status persists after reissuing the request, visit the
I removed a host from containment but it is still contained. What do I do?
First, check if the status of the host is Lift Containment Pending. This status means that the request is still pending. If the status persists, reissue the lift containment request and wait several minutes. If the status persists after reissuing the request, visit the
Which Tactic and Technique combination is sourced from MITRE ATT&CK?
a. Credential Access via OS Credential Dumping
b. Machine Learning via Cloud-Based ML
c. Falcon Intel via Intelligence Indicator - Domain
d. Malware via PUP
a. Credential Access via OS Credential Dumping
- What is true about a managed neighbor in the Investigate Hosts view?
a. It is currently network contained.
b. It has an installed and provisioned sensor.
c. It has an active prevention policy.
d. It is on a segmented network.
b. It has an installed and provisioned sensor.
- What is the expected outcome when you configure and apply an Indicator of Attack (IOA) exclusion for a detection?
a. A detection will be generated and the process will be allowed to run.
b. Detections will stop sending data from the process specified in the exclusion.
c. Detections will be suppressed and the associated process will be allowed to run.
d. Detections will be suppressed but the associated process will be blocked.
c. Detections will be suppressed and the associated process will be allowed to run.
- What is true regarding a file released from quarantine?
a. It is deleted
b. It will not generate future machine learning detections on the associated host.
c. It is allowed to execute on all hosts.
d. No executions are allowed for 14 days after release.
b. It will not generate future machine learning detections on the associated host.
- Within the Activity Dashboard under Endpoint Security, what information is NOT available?
a. Total count of new detections
b. CrowdScore over time graph
c. Most recent detections
d. Zero Trust Assessment Score
d. Zero Trust Assessment Score
- You are reviewing detections on the Endpoint security > Endpoint detections page. What indicates activity is being performed with system level permissions?
a. Tactic via technique of “System Access”
b. User name of “S-1-5-18”
c. User name ending in “$”
d. Severity of “Critical - System”
c. User name ending in “$”
- You receive a Machine Learning detection for a binary called “X48SD8F7XXXODSIO.exe”. The hash has an External prevalence of “Common” and an internal prevalence “Unique”.
Based on this information, what would be the logical next step to find more information about the binary?
b. Pivot to the Hosts Timeline dashboard and review the hash.
c. Draw a process explorer from the detection and review the associated network connections.
d. Contact CrowdStrike Support Team and ask for more information about the hash.
e. Pivot to an open-source intelligence review of the hash.
e. Pivot to an open-source intelligence review of the hash.
- Within a detection, which contextual event data would you expand and analyze to see command line actions?
a. Registry operations
b. Disk operations
c. Process operations
d. Network operations
c. Process operations
- What would be the logical response to this action? You receive a critical severity detection for WMI.exe executing the following command line and determine it to be a true positive:
"C:\Windows\System32\Wbem\WMIC.exe" /node:100.10.0.00 /user:ACME\MartyMcFly /password:Password123! process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1"
a. Utilize Real Time Response (RTR) to remove the malicious WMIC.exe binary.
b. Contact the owner of the device to confirm the activity was valid.
c. Contact CrowdStrike Support and request a detection explanation.
d. Immediately network contain the device within Falcon.
d. Immediately network contain the device within Falcon.
- What does pivoting to a Host Search from a detection do?
a. Allows you to input an event type, such as DNS Request or ASEP write, and search for those events within the detection.
b. Takes you to a Process Timeline for that detection so you can see all related events.
c. Gives you the ability to search for similar events on other endpoints quickly.
d. Takes you to the Investigate Hosts page and sets the time and hostname around the detection.
d. Takes you to the Investigate Hosts page and sets the time and hostname around the detection.
- Refer to the image to answer the following:
After running an Advanced event search query for ProcessRollup2 events, you can select many event interactions from the Open menu, depending on your results.
Which option will return a graphical process tree?
a. Show MD5 Locations.
b. View Process Explorer for the responsible process.
c. Show +/- 10-minute window of events.
d. Show Associated Event Data (from TargetProcessId).
b. View Process Explorer for the responsible process.
- Which event is generated with a detection and causes the sensor to send additional information about the process tree for analysis/hunting purposes?
a. EndofProcess
b. AssociateTreeIdWithRoot
c. ProcessRollup2
d. DnsRequest
b. AssociateTreeIdWithRoot
- When reviewing a process, which Investigate dashboard displays information that includes what host the process ran on, information about the process, and a graphical chart of all events associated with the process?
a. Detection Activity
b. Indicator Activity
c. Process Timeline
d. Host Timeline
c. Process Timeline
- Refer to the image to answer the following:
When viewing events in Advanced Event Search, which event list interaction from the Open menu allows you to view a visual representation of a target process's relationships by drawing a process tree?
a. Show +/- 10-minute window of events.
b. View Process Explorer for the responsible processes.
c. Show Associated Event Data (from TargetProcessId).
d. Draw process tree of context processes.
b. View Process Explorer for the responsible processes.
- What two values are required in the Process Timeline Dashboard to highlight activities of a specific process on a single host?
a. FileName and Hostname
b. Agent ID (AID) and TargetProcessId
c. CloudInstanceId and MITRE ATT&CK Category
d. Agent IP (AIP) and RawProcessId
b. Agent ID (AID) and TargetProcessId
- Refer to the image to answer the following:
You are reviewing a raw data event on the Advanced event search page. Which option should you select from the Open menu to pivot to a visual process tree for that event?
a. Show Process Explorer for the responsible process
b. Show Sibling Processes
c. Show Network Connection Data
d. Show Parent Process
a. Show Process Explorer for the responsible process
- What is an advantage of using the IP addresses search tool?
a. IP searches allow for multiple comma separated IPv6 addresses as input.
b. IP searches provide manufacturer and timezone data that cannot be accessed anywhere else.
c. IP searches offer shortcuts to launch response actions and network containment on target hosts.
d. IP searches provide host, process, and organizational unit data without the need to write a query.
d. IP searches provide host, process, and organizational unit data without the need to write a query.
- What information is listed in Hash Search results?
a. Host OU
b. Response Action
c. Detect History
d. Child Processes
c. Detect History
- Why should you run a Host Search?
a. To understand the specific processes involved in the detection.
b. To review the process tree to understand the origin of the detection.
c. To gather all “Cloudable Events” from the endpoint into a single timeline.
d. To view endpoint activity around the time of the detection.
d. To view endpoint activity around the time of the detection.
- What is true regarding the Bulk domains search?
a. It allows you to blocklist your queried domains.
b. You should only pivot to the Bulk domains search tool after completing an investigation.
c. It will show IP address and port information for any associated connections.
d. It will show a list of computers and processes that performed a lookup to any of the domains in your search.
d. It will show a list of computers and processes that performed a lookup to any of the domains in your search.
- Your lead analyst asks you to use Real Time Response (RTR) to gather log files and information about the state of a Windows host and package them into a zip file.
Which native RTR command quickly accomplishes this task?
a. Get-WinDiag
b. cswindiag
c. windiag
d. Get-Diag
b. cswindiag
- What does selecting the ‘Connect to Host’ button do within the Falcon platform?
a. Establishes a connection to the host using Real Time Response.
b. Opens inbound port 3389 on the host’s firewall.
c. Establishes a connection to the host using Remote Desktop Protocol.
d. Opens a shell session using the host’s native protocol.
a. Establishes a connection to the host using Real Time Response.
- Which native Real Time Response command will delete a file from a target host?
a. Remove-Item
b. clear
c. del
d. rm
d. rm
- You are remediating a Windows host using a custom script via Real Time Response (RTR).
Which custom script option should you use?
a. Bash
b. RAW
c. CloudFile
d. HostPath
c. CloudFile
- Timelines are part of which Falcon page?
a. Investigate
b. Activity
c. Hosts
d. Discover
a. Investigate
- Where can you find information about Detection and Prevention Policies?
a. In the Support page under Docs
b. In the Users page under User Management
c. In the Discovery page under System Resources
d. In the Intelligence page under Dashboard
a. In the Support page under Docs
- A scheduled task being executed causes a detection. How is this revealed in the process tree?
a. The process tree begins with SCHTASKS.EXE
b. The process tree begins with TASKENG.EXE
c. The process causing the detection is the root process in the process tree
d. The process tree begins with EXPLORER.EXE
b. The process tree begins with TASKENG.EXE
- Which is NOT a type of automated detection?
a. Falcon Overwatch
b. Indicator of Compromise (IOC)
c. Indicator of Attack (IOA)
d. Machine Learning
a. Falcon Overwatch
- Which is NOT a filter available in the drop down menu on the Detections page?
a. Command line
b. Status
c. Location tag
d. Hash
c. Location tag
- Which is NOT a type of detection?
a. Behavioral
b. Automated
c. Manual
d. Custom
a. Behavioral
- ProcessRollup2 refers to a(n)
a. ContextProcessId_decimal
b. event simpleName
c. ParentProcessId_decimal
d. eventtype
b. event simpleName
- Within the MITRE Framework, what would Gain Access > Initial Access > Drive-by Compromise mean?
a. An adversary is trying to gain access by initial access using drive-by compromise
b. An adversary is trying to keep access by initial access using drive-by compromise
c. An adversary is trying to gain access by drive-by compromise using initial access
d. An adversary is trying to keep access by drive-by compromise using initial access
a. An adversary is trying to gain access by initial access using drive-by compromise
- Which of the following is an example of a MITRE ATT&CK technique?
a. Execution
b. Persistence
c. Explore
d. Process Injection
d. Process Injection
- During your investigation of a detection, you discover that the triggering file was launched from TASKENG.EXE. What does this mean?
a. The triggering file is part of a task being scheduled
b. The triggering file is part of a scheduled task being executed
c. The triggering file has been launched from a Registry Run key.
d. The triggering file is part of a service being launched
b. The triggering file is part of a scheduled task being executed
- Which search is not available as a pivot from a detection?
a. User search
b. Host search
c. Hash search
d. Event search
a. User search
- How does a NetworkConnect IP4 event link to its responsible process?
a. Via its ContextProcessId_decimal field
b. Via its ParentProcessId_decimal field
c. Via its TargetProcessId_decimal field
d. Via both its ContextProcessId_decimal and ParentProcessId_decimal fields
a. Via its ContextProcessId_decimal field
- What type of events are shown in a Process Timeline?
a. All process-related detection events in a given timeframe
b. All cloudable process-related events in a given timeframe
c. Every process event recorded since the endpoint booted up
d. Suspicious / malicious events only
b. All cloudable process-related events in a given timeframe
- When looking at the details of a detection, what does a Local Prevalence status of Unique indicate?
a. The associated file has not been seen before in all of CrowdStrike's customer environments
b. The associated file has not been seen before in all operating systems
c. The associated file has not been seen before in the current customer's environment
d. The associated file has not been seen before on the Internet
c. The associated file has not been seen before in the current customer's environment
- What is an “Unmanaged Neighbor” found in a Host search?
a. A local endpoint whose sensor has not responded for 30 days
b. A remote endpoint that does not have a sensor installed
c. A local endpoint whose sensor has gone into RFM
d. A local endpoint that does not have a sensor installed
d. A local endpoint that does not have a sensor installed
- Which option should be used to prevent execution of a specific hash?
a. Always Block
b. Never Block
c. No Action.
d. Ignore
a. Always Block
- Which dashboard will show endpoints in RFM?
a. Detection Activity
b. Executive Summary
c. Detection Resolution
d. Sensor Report
b. Executive Summary
- What happens when a file is quarantined?
a. It is moved to the Quarantine folder on the endpoint
b. It is encrypted and moved to the Quarantine folder on all endpoints
c. It is compressed, password protected, and moved to the Quarantine folder on the endpoint
d. The file is allowed to execute one more time cleanly or else be deleted
c. It is compressed, password protected, and moved to the Quarantine folder on the endpoint
- A new binary on an endpoint has triggered a detection. Which search will reveal if the file is on other endpoints?
a. Hash search
b. Host search
c. User Search
d. Event Search
a. Hash search
- When triaging detections, what is the first thing an analyst should do?
a. Begin working the detection as fast as possible
b. Assign the detection to themselves and change the status to In Progress
c. Assign the new detection to another analyst
d. Check its severity
b. Assign the detection to themselves and change the status to In Progress
- Which search allows you to search for anything you want?
a. User
b. Host
c. Hash
d. Event
d. Event
- You suspect that DNS beaconing to www.stolendata.biz is originating from a system on your network. Which of the following approaches is the best way to find the name of the endpoint performing the beaconing?
a. Use a Bulk Domain Search to locate the endpoint querying www.stolendata.biz
b. Write a Splunk query to find the endpoint
c. Determine the IP address associated with www.stolendata.biz and search for it using IP Search
d. Use RTR to examine the DNS cache of suspected endpoints for the www.stolendata.biz domain
a. Use a Bulk Domain Search to locate the endpoint querying www.stolendata.biz
- Which of the following is NOT a way to block a hash?
a. By uploading it to Prevention Hashes
b. By sending the hash to VirusTotal. This automatically blocks the hash.
c. By blocking it from a detection through the Edit Hash Action feature
d. By blocking it via the API
b. By sending the hash to VirusTotal. This automatically blocks the hash.
What are the criteria for defining a CrowdScore incident as inactive, and how often is the incident status updated?
CrowdScore incidents are inactive once an hour passes without any new related activity. The incident status is updated hourly.
What are the RTR Read Only Analyst permissions?
You can run a core set of read-only commands to perform reconnaissance.
What are the RTR Active Responder permissions?
You can run all of the commands an RTR Read Only Analyst can and more, including the ability to extract files using the get command, run commands that modify the state of the remote host, and run certain custom scripts.
What are the RTR Administrator permissions?
You can do everything an RTR Active Responder can do, plus create scripts, upload files to hosts using the put command, and directly run executables using the run command.
What is the default response policy?
It provides baseline RTR functionality and is enabled by default for all hosts. It has all settings enabled except custom scripts and run
What are the high-risk RTR commands?
get
put
run
memdump
xmemdump
put and run
cswindiag is also high-risk because it relies on put and run
How long does an RTR session take to expire from inactivity?
10 mins
How long will the RTR session stay available if the browser tab is closed by accident?
and
Will your history still be available?
5 mins, and yes
What flag do you need to run a script directly from the remote host's file system?
-HostPath
What does the RTR csrutil command do?
Get system integrity protection status
What does the RTR encrypt command do?
Encrypts a file with an encryption key
What does the RTR env command do?
Gets environment details
What are the subcommands for RTR eventlog?
list
view
export
backup
What does the RTR falconscript command do?
Runs a Falcon script
What does the RTR map command do?
Map an SMB network share drive
What does the RTR runscript command do?
Runs a custom script
What does the xmemdump RTR command do?
Dumps the complete kernel memory of a system
Quarantined files are deleted from the host after how many days?
30
Quarantined files are deleted from CS cloud after how many days?
90
If you uninstall the sensor are the quarantined files deleted?
yes
What are the three exclusion types?
Machine Learning
Indicator of attack
Sensor visibility exclusion
What does a ML exclusion do?
For trusted file paths, stop all ML-based detections from being uploaded to the CS cloud
What does an IOA exclusion do?
Stop all detections and preventions for an IOA that’s based on a CS generated detection
What does a Sensor visibility exclusion do?
For trusted file paths that you want to exclude from sensor monitoring, minimize sensor event collection, and stop all associated files
What is Regsvr32.exe used for?
This process registers DLLs
What does at.exe do?
The process is used to schedule tasks
What command is used to run a script from the Falcon script library?
falconscript
What permissions do you need to run a Raw custom script?
RTR Administrator
What permissions do you need to run a CloudFile custom script?
RTR Administrator or RTR Active Responder, depending on the script
What permissions do you need to run a HostPath custom script?
RTR Administrator
When would you use the Raw custom script method?
Just for a one-time task
When would you use the CloudFile script method?
For tasks that will be performed regularly
When would you use the HostPath script method?
When a script is already accessible from the host, or because of script size limitations
What is under the Endpoint Security tab?
Activity Dashboard
CrowdScore incidents
Endpoint detections
Quarantined files
What is under the Investigate tab?
Advanced Event search
Hosts
Users
Hash search
IP address
Bulk domains
What are the fields on the Investigate Host page?
Agent ID and computer name
Is the Host search and Investigate host page the same?
yes
On the Investigate Hosts page, can you see managed and unmanaged neighbors?
yes
What search fields does the Investigate Users page have?
Username, computer name, AID, command line, filename
Does the Users search page show detect history and unresolved detects?
yes
What fields does the Hash search page have?
MD5 and SHA256 sum, filename, command line, computer name and username
Does the Hash search show PE file info and process block history?
yes
Does the Bulk domains search only have Domain Name and Company as search fields?
yes
Does the Bulk Domains page show DNS Requests, Domain lookup summary and process details?
yes