CrowdStrike Certified Falcon Hunter (CCFH) — Question 64

Which of the following process trees should raise the most suspicion that adversary activity may be present on a web server?

Answer options

• A. SMSS.EXE >> WINLOGON.EXE >> USERINIT.EXE >> EXPLORER.EXE >> WORD.EXE
• B. WINLOGON.EXE >> USERINIT.EXE >> EXPLORER.EXE >> OUTLOOK.EXE >> CHROME.EXE
• C. WININIT.EXE >> SERVICES >> SVCHOST.EXE >> TASKENG.EXE >> POWERSHELL.EXE
• D. WININIT.EXE >> SERVICES >> SVCHOST.EXE >> W3WP.EXE >> CMD.EXE

Correct answer: D

Explanation

Option D raises the most suspicion because it includes W3WP.EXE, which is the process for IIS web applications, combined with CMD.EXE, indicating potential command execution. The other options contain typical user processes that are less likely to be associated with malicious activities on a web server.