CrowdStrike Certified Falcon Responder (CCFR) — Question 15

Within the MITRE-Based Falcon Detections Framework, what is the correct way to interpret Keep Access > Persistence > Create Account?

Answer options

• A. An adversary is trying to keep access through persistence by creating an account
• B. An adversary is trying to keep access through persistence using browser extensions
• C. An adversary is trying to keep access through persistence using external remote services
• D. An adversary is trying to keep access through persistence using application skimming

Correct answer: A

Explanation

The correct answer, A, indicates that the adversary aims to maintain access by establishing a new account, which is a common method for persistence. Options B, C, and D describe different techniques that do not specifically relate to the creation of an account, making them incorrect in this context.