CrowdStrike Certified Falcon Hunter (CCFH) — Question 63

To best determine the root cause of an enterprise wide infection you would:

Answer options

• A. Examine a list of processes by hash to determine the latest execution time and last infected machine.
• B. Perform frequency analysis to identify outlier processes that should not be running in your environment.
• C. Examine a list of process executions with a specific hash to determine the earliest execution time.
• D. Examine a list of outbound network connections on non-standard ports to identify suspicious processes.

Correct answer: C

Explanation

The correct answer, C, is effective because it allows for tracing back to the first instance of the malicious process, which can provide insights into how the infection began. Options A and B focus on more recent events or outlier processes, which may not give a complete picture of the infection's origin. Option D, while useful for detecting active threats, does not directly address the root cause of the infection.