CrowdStrike Certified Falcon Hunter (CCFH) — Question 17

You have found a hash-based indicator of compromise (IOC) in an intelligence report and want to determine whether the program has run in your environment. Which search would provide all of the process's executions over the timeframe specified?

Answer options

Correct answer: D

Explanation

The correct answer is D, Hash Search, because it searches specifically for the hash value associated with the IOC and so returns all instances of the program's execution. The other options either do not focus on hash values or may not provide the level of detail required to track specific executions related to the IOC.