🔥 3-day streak
Microsoft Security Operations Analyst77 / 190
Question 77 of 190

During a threat hunt in Microsoft Defender XDR Advanced Hunting, you need to identify hosts where a legitimate signed Windows binary (a LOLBin such as rundll32.exe) loaded an unsigned DLL from a user's temp directory. Your query must correlate the specific DLL module that was mapped into the process memory, not just the file being written to disk. Which Advanced Hunting table should you query to see the DLL being loaded into the process?

Reviewed for accuracy · Report an issueNext question