
CrowdStrike CCFH-202: Which CrowdStrike Event Contains the Command Line Used to Create a Process?

Learn which CrowdStrike event_simpleName field contains the command line arguments used when creating a new process. Understand how ProcessRollup2 events provide detailed command line data for threat hunting and incident response.


Question

Which event_simpleName has a field that contains the command line used to create a process?

A. ProcessRollup2
B. DNSRequest
C. CommandHistory
D. PeVersionInfo

Answer

A. ProcessRollup2

Explanation

The ProcessRollup2 event in CrowdStrike contains a field called CommandLine that captures the full command line string used when creating a new process. This includes the executable path as well as any arguments or parameters passed to the program.

Having visibility into the detailed command line arguments is crucial for threat hunting and incident response. Attackers often use legitimate programs like PowerShell or wmic but pass them malicious arguments to carry out their objectives. The CommandLine field allows analysts to inspect exactly how a suspicious process was launched.

The other event types mentioned do not contain command line data:

  • DNSRequest events contain information about DNS queries made by the endpoint.
  • CommandHistory events record commands executed in a Linux terminal shell.
  • PeVersionInfo events provide metadata about Windows PE executable files.

In summary, when you need to investigate the full command line used to start a process on an endpoint, look for the CommandLine field in ProcessRollup2 events captured by the CrowdStrike sensor. This rich data source is key to uncovering threats.
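The explanation above is easier to apply with a concrete walk through the data. The following Python script is an added example and is not part of the original page or of CrowdStrike's own tooling: it reads a handful of constructed sensor events in JSON-lines form, keeps only those whose event_simpleName is ProcessRollup2, pulls out the CommandLine field, and runs a few simple defensive heuristics over it (encoded PowerShell, hidden window, download cradle, wmic process creation). The field names event_simpleName and CommandLine come from the page; the aid and ImageFileName keys, the sample values, and the heuristic patterns are assumptions made for illustration.

```python
import base64
import json
import re
from typing import Dict, Iterator, List, Optional

# Constructed encoded command: a harmless "Write-Output placeholder" in the
# UTF-16LE + base64 form that powershell.exe expects after -EncodedCommand.
ENCODED_PLACEHOLDER = base64.b64encode("Write-Output placeholder".encode("utf-16le")).decode()

# Constructed sample telemetry (JSON lines). event_simpleName and CommandLine
# are the field names from the page; aid, ImageFileName and DomainName are
# assumed here purely for illustration.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"event_simpleName": "ProcessRollup2", "aid": "host-01",
                "ImageFileName": r"\Device\HarddiskVolume1\Windows\System32\notepad.exe",
                "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'}),
    json.dumps({"event_simpleName": "DNSRequest", "aid": "host-01",
                "DomainName": "example.com"}),
    json.dumps({"event_simpleName": "ProcessRollup2", "aid": "host-02",
                "ImageFileName": r"\Device\HarddiskVolume1\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": f"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand {ENCODED_PLACEHOLDER}"}),
    json.dumps({"event_simpleName": "ProcessRollup2", "aid": "host-03",
                "ImageFileName": r"\Device\HarddiskVolume1\Windows\System32\wbem\WMIC.exe",
                "CommandLine": 'wmic process call create "notepad.exe"'}),
])

# Simple, well-known defensive heuristics over the command line. They are
# starting points for a hunt, not a complete detection ruleset.
SUSPICIOUS_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "encoded_powershell": re.compile(r"(?i)\bpowershell(\.exe)?\b.*\s-e(nc|ncodedcommand)?\b"),
    "hidden_window": re.compile(r"(?i)\s-w(indowstyle)?\s+hidden\b"),
    "download_cradle": re.compile(r"(?i)(downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient)"),
    "wmic_process_create": re.compile(r"(?i)\bwmic\b.*\bprocess\s+call\s+create\b"),
}


def iter_process_events(jsonl: str) -> Iterator[dict]:
    """Yield only ProcessRollup2 events that carry a CommandLine field."""
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("event_simpleName") == "ProcessRollup2" and "CommandLine" in event:
            yield event


def find_indicators(command_line: str) -> List[str]:
    """Return the names of every heuristic that matches the command line."""
    return [name for name, pattern in SUSPICIOUS_PATTERNS.items() if pattern.search(command_line)]


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Decode a -EncodedCommand argument so the analyst can read the script; None if absent/invalid."""
    match = re.search(r"(?i)\s-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def triage(jsonl: str) -> List[dict]:
    """Summarise each ProcessRollup2 event: host, command line, matched indicators, decoded script."""
    results = []
    for event in iter_process_events(jsonl):
        cmd = event["CommandLine"]
        results.append({
            "aid": event.get("aid"),
            "CommandLine": cmd,
            "indicators": find_indicators(cmd),
            "decoded": decode_encoded_command(cmd),
        })
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if row["indicators"] else "benign"
        print(f"{row['aid']}: {flag} {row['indicators']} :: {row['CommandLine']}")
        if row["decoded"]:
            print(f"    decoded: {row['decoded']}")
```

Note that the DNSRequest event is dropped before any pattern runs, which is the point of the question: only ProcessRollup2 carries CommandLine, so a hunt for suspicious process launches should filter on that event_simpleName first and then inspect the field.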

CrowdStrike CCFH-202 certification exam practice question and answer (Q&A) dump with detailed explanation and references, available free, to help you pass the CrowdStrike CCFH-202 exam and earn the CrowdStrike CCFH-202 certification.