CertPrepNow
CrowdStrikeCCFH-202b79 concepts

CCFH-202b Cheat Sheet

Quick reference for the CrowdStrike Certified Falcon Hunter exam.

MITRE ATT&CK Framework Fundamentals

ATT&CK Tactic
Represents the adversary's strategic GOAL — the WHY behind an action (e.g., Initial Access, Execution, Persistence, Lateral Movement, Exfiltration).
ATT&CK Technique
Represents HOW the adversary achieves a tactic — the specific method used (e.g., Spearphishing Link under Initial Access, PowerShell under Execution).
ATT&CK Sub-technique
A more specific variant of a technique, denoted with a dot suffix (e.g., T1059.001 = PowerShell is a sub-technique of T1059 Command and Scripting Interpreter).
TTP (Tactic, Technique, Procedure)
Procedure is the specific real-world implementation of a technique by a particular adversary group — the most granular level of ATT&CK.
ATT&CK Matrix
A grid where columns are Tactics (the goals) and cells within each column are Techniques (the methods). Adversaries can use techniques from any tactic in any order.
Cyber Kill Chain vs ATT&CK
Kill chain is LINEAR and sequential (7 phases). ATT&CK is a MATRIX where adversaries can combine techniques from any tactic at any time — they are not interchangeable models.
Kill Chain Phases
Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command and Control → Actions on Objectives (7 sequential phases).

CrowdStrike Adversary Naming Conventions

BEAR
Russian state-sponsored adversaries (e.g., FANCY BEAR, COZY BEAR). Nation-state actors with intelligence and disruption objectives.
PANDA
Chinese state-sponsored adversaries (e.g., GOBLIN PANDA, WICKED PANDA). Nation-state actors focused on espionage and IP theft.
KITTEN
Iranian state-sponsored adversaries (e.g., CHARMING KITTEN, PIONEER KITTEN). Nation-state actors with espionage and disruptive goals.
SPIDER
Financially motivated cybercriminal (eCrime) groups (e.g., CARBON SPIDER, VENOM SPIDER). NOT nation-state actors.
CHOLLIMA
North Korean state-sponsored adversaries (e.g., LABYRINTH CHOLLIMA). Associated with financially motivated state-directed operations.
JACKAL
Hacktivist adversaries. Motivated by ideology, not financial gain or state direction.
LEOPARD / WOLF
LEOPARD = Pakistan-linked adversaries. WOLF = Turkey-linked adversaries. Animal suffix always indicates motivation and origin.

CQL Syntax — Core Query Patterns

#event_simpleName=ProcessRollup2
Indexed TAG filter — uses pre-built indexes for dramatically faster performance than the non-indexed field filter event_simpleName=ProcessRollup2.
#event_simpleName=DnsRequest AND DomainName=*evil*
Combine tag filter with wildcard field filter using AND. Wildcards (*) enable substring matching but are slower than exact matches.
#event_simpleName=ProcessRollup2 | groupBy([ComputerName, ImageFileName], function=count(), limit=10000)
Aggregate results by grouping on multiple fields with a count function. Always include limit in groupBy to cap result size.
ImageFileName=/\\powershell\.exe$/i
Regex pattern matching using forward slashes. The /i flag makes the pattern case-insensitive.
(#event_simpleName=ProcessRollup2 ImageFileName=*) OR (#event_simpleName=DnsRequest DomainName=*)
Combine multiple event types using OR within parenthesized sub-queries — useful for cross-event correlation hunts.
| collect([ImageFileName, CommandLine, UserName, DomainName])
Collect multiple field values into arrays when grouping — useful for summarizing all values associated with a correlated group.

CQL Event Types (event_simpleName)

ProcessRollup2
Process CREATION events. Fields: ImageFileName, CommandLine, ParentBaseFileName, TargetProcessId, ParentProcessId, SHA256HashData, UserSid.
DnsRequest
DNS query events. Fields: DomainName, RequestType, ContextProcessId (the process that made the DNS query), InterfaceIndex.
NetworkConnectIP4
IPv4 network connection events. Fields: RemoteAddressIP4, RemotePort, LocalAddressIP4, LocalPort, ContextProcessId, Protocol.
UserLogon
Authentication events. Fields: UserName, UserSid, LogonType, AuthenticationPackage, TargetDomainName, LogonServerDomainName.
FileWritten
File write events. Fields: TargetFileName, ContextProcessId, FileSize. Used to track dropped files, staged exfiltration data, and new scripts.
RegKeyCreated / RegValueSet
Registry modification events. Track persistence mechanisms like run keys, service entries, and COM hijacking via registry.
ProcessTerminated
Process end events. Complements ProcessRollup2 — used to calculate process runtime duration and detect short-lived processes.

CQL Process Relationship Fields

TargetProcessId
The numeric ID assigned to a process at creation time in ProcessRollup2 events. Used to link a process to its subsequent activity.
ParentProcessId
The process ID of the PARENT that spawned the current process. Correlate with another ProcessRollup2 TargetProcessId to trace genealogy.
ContextProcessId
The process responsible for generating the event in non-process event types (DnsRequest, NetworkConnectIP4, FileWritten). Links activity back to a process.
ParentBaseFileName
The executable name (no path) of the parent process. Use in ProcessRollup2 to filter for processes spawned by a specific parent (e.g., ParentBaseFileName=cmd.exe).
Correlating Process to DNS Events
Join ProcessRollup2 and DnsRequest using TargetProcessId (from process event) matching ContextProcessId (from DNS event) scoped to the same aid (agent ID).
aid (Agent ID)
Unique identifier for each Falcon sensor installation. Always scope correlation queries to the same aid to avoid cross-endpoint false matches.

CQL Timestamps and Formatting

Unix Epoch Timestamp
Number of SECONDS elapsed since January 1, 1970 00:00:00 UTC. Example: 1718640000 = approximately June 17, 2024.
formatTime("%FT%T%z", field=timestamp)
Convert a Unix epoch timestamp field to ISO 8601 human-readable format (e.g., 2024-06-17T00:00:00+0000).
parseTimestamp("yyyy-MM-dd", field=dateField, as=epochField, timezone="UTC")
Convert a human-readable date string to a Unix epoch value for use in time-based filtering.
Seconds vs Milliseconds
CrowdStrike Falcon event timestamps are in SECONDS since epoch, not milliseconds. When converting, do not divide by 1000.
Tag Filter Performance Rule
Always use #event_simpleName= (indexed tag filter) instead of event_simpleName= (field filter) — tag filters use pre-built indexes and are significantly faster.
Query Optimization Order
Apply indexed tag filters first, then narrow the time range, then add exact field matches, and use wildcards/regex last.

Detection Analysis Workflow

Host Timeline
Chronological view of ALL events on a specific endpoint: process executions, network connections, file writes, registry changes. Answers 'what happened on this host?'
Process Tree
Visual parent-child process chain for ONE specific process. Answers 'how did this process get here and what did it spawn?' Red nodes indicate where malicious behavior was detected.
Host Timeline vs Process Tree
Host timeline = BREADTH (all event types on one host). Process tree = DEPTH (full genealogy of one process chain). Different scopes, different purposes.
Detection Severity Levels
Informational, Low, Medium, High, Critical — assigned by CrowdStrike Intelligence based on threat analysis. Admins cannot manually change the severity level.
Pivot Workflow
Detection page → process tree (understand chain) → host timeline (all concurrent events) → Investigate module (cross-environment scope). Each pivot adds context.
Suspicious Process Chain Example
winword.exe spawning powershell.exe spawning cmd.exe is a high-confidence malicious indicator — document editors should not spawn scripting engines.
Legitimate Tool Caution
PowerShell, PsExec, WMI, and WMIC are dual-use tools — require contextual analysis (who, when, what command, from where) to determine if usage is malicious.

Investigate Module — Search Types

User Search
Find all activity associated with a specific user account ACROSS ALL endpoints — ideal for insider threat investigations and compromised account analysis.
Host Search
Find details and historical activity for a specific endpoint: sensor status, OS, applied policies, recent detections, and host-level metadata.
Hash Lookup
Search for a specific SHA256 hash across all endpoints to determine file prevalence, which hosts have the file, and associated process executions.
IP Search
Find all endpoints and processes that have communicated with a specific IP address — scope is environment-wide, not limited to one host.
Domain Search
Find all processes and hosts that made DNS queries to a specific domain across the entire environment. More comprehensive than IP search since a domain can resolve to multiple IPs.
Hash Prevalence Logic
LOW prevalence hash = more suspicious (rare in environment). HIGH prevalence hash = likely legitimate (common system file). Prevalence is a key triage signal.
Investigate vs Event Search
Investigate module provides pre-built point-and-click searches for specific entities. Event Search (CQL) provides custom flexible queries when pre-built searches are insufficient.

Reports and Reference Documentation

Hunt Reports
Pre-configured built-in reports summarizing THREATS FOUND — suspicious behaviors, anomalous activities, and potential threats identified during hunting operations.
Visibility Reports
Pre-configured built-in reports showing COVERAGE GAPS — sensor deployment status, data collection completeness, and endpoint visibility metrics.
Hunt vs Visibility Reports
Hunt = WHAT threats were found. Visibility = DO YOU have coverage to find threats. Review Visibility FIRST before starting a hunt to confirm data completeness.
Events Full Reference
CrowdStrike's comprehensive documentation listing all event_simpleName values, every available field, data types, and field descriptions. Use when unsure what fields an event type contains.
Scheduled Reports
Automated recurring report delivery (daily, weekly, monthly) for ongoing monitoring and compliance — do not replace manual hunting or custom event searches.
Custom Dashboards
User-created visualization panels built from CQL query results displayed as charts, tables, or graphs. Persist saved query results for ongoing monitoring.

Hunting Methodology

Hypothesis-Driven Hunting
Top-down approach: start with a theory about adversary behavior (from threat intelligence or known TTPs), then build CQL queries to prove or disprove the hypothesis.
Outlier Analysis
Bottom-up approach: start with data to find statistical anomalies — rare processes, unusual network connections, or behaviors deviating from baseline — with no prior hypothesis.
Hypothesis vs Outlier
Hypothesis-driven = THEORY first, then data. Outlier analysis = DATA first, then theory. Both are valid and testable on the CCFH exam.
EAM (Endpoint Activity Monitoring)
Falcon application providing real-time forensic visibility into endpoint activity. Used for hunting unique auto-start extension points (ASEPs) and proactive suspicious behavior detection.
Hunt Documentation Elements
Must include: initial hypothesis, all queries executed, data sources and timeframes analyzed, findings (positive AND negative), and recommended follow-up actions.
Outlier Contextual Analysis
Low-prevalence processes (1 of 5,000 endpoints) are suspicious signals, not automatic verdicts — verify file hash, path, parent process, and network connections before escalating.
Threat Intelligence Integration
Use adversary TTPs from intelligence reports to generate hunting hypotheses — correlate known IOCs, adversary tools, and trending attack techniques with environment telemetry.

Hunting Analytics — Behavioral Context

Contextual Analysis Rule
Evaluate WHO executed a tool, WHAT it did, WHEN it ran, and FROM WHERE — single indicators are rarely conclusive; analyze multiple indicators together.
DevOps / CI-CD Disambiguation
Configuration management tools (Ansible, Puppet, Chef) legitimately create scheduled tasks, modify registry, and spawn shells — verify with operations team before escalating.
Baseline Comparison
Know normal behavior for servers vs. workstations vs. domain controllers — each has different expected processes, network patterns, and administrative activity profiles.
Off-Hours Execution Signal
Processes running outside business hours with encoded commands and external downloads on production systems with no maintenance window = high-confidence suspicious indicator cluster.
Information Reliability Evaluation
High false-positive-rate findings become significant when they correlate with independent indicators of compromise — correlation strength drives investigative priority.
Low Prevalence Caveat
Low-prevalence does NOT automatically mean malicious — custom internal tools, bespoke scripts, and LOB applications may have low environment prevalence but be fully legitimate.
IOA vs IOC
IOA = behavioral/proactive — detects adversary TACTICS regardless of specific malware used. IOC = static/reactive — matches known artifacts (hashes, IPs, domains) after prior observation.

Key Platform Concepts for Hunters

Falcon OverWatch
CrowdStrike's 24/7 managed threat hunting SERVICE staffed by expert analysts — not a configurable product feature. Proactively hunts across all customer environments.
Falcon LogScale (formerly Humio)
CrowdStrike's index-free log management platform that powers CQL event search queries. Enables fast search across massive event volumes without traditional indexes.
Real Time Response (RTR)
Remote shell access to live endpoints for investigation and remediation — file retrieval, process termination, and script execution directly from the Falcon console.
Falcon Adversary Intelligence
CrowdStrike's threat intelligence service providing adversary profiles, campaign tracking, malware analysis, and vulnerability intelligence to inform hunting hypotheses.
Threat Graph
CrowdStrike's cloud-based graph database correlating trillions of security events per week to identify relationships between indicators, adversaries, and attack patterns.
Falcon Sandbox
Automated malware analysis environment that detonates suspicious files/URLs in isolation to observe behavior and extract indicators — used to supplement investigation.

Ready to test yourself?

Start a timed CCFH-202b mock exam or review practice questions by domain.