CrowdStrike Certified Falcon Administrator (CCFA) — Question 177

During a Windows system investigation via Real Time Response (RTR), an RTR Active Responder is unable to execute a custom powershell script for finding specific system artifacts.

What is likely restricting the responder from executing the powershell script?

Answer options

• A. Script-Based Execution Monitoring is not enabled in the prevention policy
• B. Custom Scripts is not enabled in the response policy
• C. The responder requires the RTR Administrator role
• D. Put-and-Run is not enabled in the response policy

Correct answer: B

Explanation

The correct answer is B because if Custom Scripts is not enabled in the response policy, the RTR Active Responder cannot execute any custom scripts, including PowerShell scripts. Option A refers to Script-Based Execution Monitoring, which is unrelated to the execution of custom scripts. Option C is incorrect as the responder does not require the RTR Administrator role to execute scripts. Option D is not relevant to the execution of custom scripts, as Put-and-Run pertains to a different functionality.