CrowdStrike Certified Falcon Hunter (CCFH) — Question 38

You would like to search for ANY process execution that used a file stored in the Recycle Bin on a Windows host. Select the option to complete the following EAM query. aid=my-aid ImageFileName=________ event_simpleName=ProcessRollup2

Answer options

• A. *$Recycle.Bin^
• B. *$Recycle.Bin*
• C. ^$Recycle.Bin*
• D. ^$Recycle.Bin%

Correct answer: B

Explanation

The correct answer is B, as the wildcard '*' allows for matching any characters before or after the specified path, which is necessary for searching processes that accessed files in the Recycle Bin. Option A is incorrect because it uses a caret (^) at the end, which is not needed for this query. Option C also incorrectly places the caret at the beginning, and Option D uses a percentage sign (%) instead of the appropriate wildcard, making it invalid.