Falcon Responder

Question 1

What is svchost.exe

Answer 1

A wrapper for services starting, manages scheduled tasks and services from DLL files, usually showing in Falcon, its the execution of a scheduled task when it’s in the command line.

Question 2

How long is a quarantined file retained when downloaded vs in the cloud?

Answer 2

30 days when downloaded, 90 days in the cloud

Question 3

What is services.exe

Answer 3

The tool used to stop and restart services.

Question 4

What process creates, modifies, and deletes registry keys?

Answer 4

reg.exe

Question 5

What raw data is available for a DNSRequest event?

Answer 5

index

Question 6

How many detections are displayed per day per AID?

Answer 6

1000

Question 7

What sentence best describes the primary use of the Hash Executions search?

Answer 7

A summary view of the environment-wide presence of a given hash list

Question 8

If trying to create a tightly-scoped allowlist for a certain ML detection group, what grouping might be used first?

Answer 8

Hash

Question 9

What are the six CrowdStrike objectives?

Answer 9

Gain Access, Keep Access, Explore, Contact Controlled Systems, Follow Through

And then Falcon Detection Method

Question 10

What MITRE tactics are contained under Gain Access?

Answer 10

Initial Access
Credential Access
Privilege Escalation

Question 11

What MITRE Tactics are under the Keep Access Objective?

Answer 11

Persistence
Defense Evasion

Question 12

What MITRE Tactics are under the Explore Objective?

Answer 12

Discovery
Lateral Movement

Question 13

What single MITRE Tactic falls under the Contact Controlled Systems Objective?

Answer 13

Command and Control

Question 14

What MITRE Tactics fall under the Follow Through Objective

Answer 14

Collection
Exfiltration
Execution
Impact

Question 15

What are the 7 different Falcon Detection Methods?

Answer 15

Malware,
Exploit,
Post-Exploit,
Machine Learning,
Custom Intelligence,
Falcon Overwatch
Falcon Intel

Question 16

What is FDM?

Answer 16

Falcon Detection Method - will show up in Detections as the Objective, with our own Tactic & Technique… meant for detections that don’t cleanly match a MITRE matrix spot.

Question 17

What is required when creating a custom IOA from scratch?

Answer 17

Create a rule group
Create the custom rule in the group
Enable the rule & group
Assign the IOA rule group to a prevention policy

Question 18

What are the 4 IOA rule actions?

Answer 18

Monitor
Detect
Block execution (process creation only)
Kill process

Question 19

Can a custom IOA be applied to more than one prevention policy?

Answer 19

Yes

Question 20

How long are Detection-Related Events retained?

Answer 20

90 days, by default

Question 21

Which stages of the cyber kill chain does the Falcon sensor have visibility over?

Answer 21

Only the last 4:

Exploit, Control, Execute, Maintain

Question 22

What is the maximum size for a quarantined file to be uploaded to the Cloud?

Answer 22

32MB

Question 23

What is the default retention for “cloudable” events?

Answer 23

7 days by default

Question 24

What are the 4 rule types for IOA?

Answer 24

Process creation
File creation
Network connection
Domain name

Question 25

What is the icon of a lightning bolt in a circle?

Answer 25

RTR

Question 26

What does the stacked hexagon icon mean?

Answer 26

Incident

Question 27

In order, what are the Overwatch Best Practice steps for IR?

Answer 27

1. Understand the detection 2. Review Process Tree to understand origin 3. Understand processes involved 4. Examine what is normal for the system 5. Examine what is normal for the environment

Question 28

How long are incidents labeled inactive without new activity?

Answer 28

One hour

Question 29

What percentage increase would a CrowdScore get from a good indication of attack?

Answer 29

20%

Question 30

What dictates if a quarantined file can be uploaded to the cloud?

Answer 30

Prevention policy

Question 31

What is WMIC.exe?

Answer 31

**WMIC.exe** stands for **Windows Management Instrumentation Command-line*). It is a command-line utility that provides access to **Windows Management Instrumentation (WMI)**, which is a set of specifications from Microsoft for consolidating the management of devices and applications in a networked environment.

Question 32

In the Host timeline, which process identification number(s) is/are present?

Answer 32

ProcessID, the unique one of ours, but not the system PID.

Question 33

What does the stacked hexagon icon signify?

Answer 33

Incident

Question 34

What are event workflows?

Answer 34

Event Workflows are automated searches that can be used to pivot between related events and searches.

Question 35

What actions does Falcon take upon detection

Answer 35

Kills and blocks process, quarantines files

Question 36

What are the three kinds of detections, and what are they?

Answer 36

Manual - initiated by Falcon Overwatch Automated - IOCs and IOAs Custom - triggered by analyst-provided hashes

Question 37

What are the four filters on the Host search page?

Answer 37

Search type Host Company Time Range

Question 38

How do you get to Process Timeline?

Answer 38

By either - clicking the dashboard directly, under Investigate>Timelines under - Investigate Host search > Processes and Services > Clicking on Process ID

Question 39

What parameters are there on the Process Timeline?

Answer 39

aid TargetProcessID ParentProcessID #event_simpleName Company

Question 40

On Host Search, what are the subheadings?

Answer 40

Host info BIOS Local and external IPs Managed neighbors Unmanaged neighbors User log on activities

Question 41

What are the filters on User Search?

Answer 41

UserName ComputerName aid Company FileName CommandLine Excluded Files Excluded Command Lines