CrowdStrike Certified Falcon Hunter (CCFH) — Question 5
Which of the following queries will return the parent processes responsible for launching badprogram.exe?
Answer options
- A. [search (ParentProcess) where name=badprogram.exe ] | table ParentProcessName _time
- B. event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename ParentProcessId_decimal AS TargetProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time
- C. [search (ProcessList) where Name=badprogram.exe ] | search ParentProcessName | table ParentProcessName _time
- D. event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename TargetProcessId_decimal AS ParentProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time
Correct answer: B
Explanation
Option B is correct because it finds the parent processes of badprogram.exe in two steps. The subsearch selects the processrollup2 events for badprogram.exe, renames ParentProcessId_decimal to TargetProcessId_decimal, and returns only aid and TargetProcessId_decimal; the outer search then matches the processrollup2 events whose own TargetProcessId_decimal (and aid) equals that value, which are the parent processes. Option D renames the fields in the wrong direction, so its fields clause references a TargetProcessId_decimal value that no longer identifies the parent, and options A and C use a query structure that does not apply to Falcon event search.