CrowdStrike Certified Falcon Hunter (CCFH) — Question 27
Which of the following is a suspicious process behavior?
Answer options
- A. PowerShell running an execution policy of RemoteSigned
- B. An Internet browser (e.g., Internet Explorer) performing multiple DNS requests
- C. PowerShell launching a PowerShell script
- D. Non-network processes (e.g., notepad.exe) making an outbound network connection
Correct answer: D
Explanation
The correct answer is D: a process with no network function, such as notepad.exe, should not normally make outbound network connections, so this behavior is unusual and could indicate malicious activity. The other options describe normal behavior for the respective processes and are not inherently suspicious.