🔥 3-day streak
Professional Security Operations Engineer167 / 241
Question 167 of 241

A threat hunter in Google SecOps forms a hypothesis that an attacker is staging tools by writing to hidden administrative shares (e.g., \\host\C$) on internal servers before lateral movement. The hunter wants a YARA-L 2.0 rule that surfaces only the FIRST time a given source host writes a file to an admin share on any destination host over the trailing 14 days, avoiding alerts on hosts that routinely perform such writes (backup and patch-management systems). Which approach best implements this hunt?

Reviewed for accuracy · Report an issueNext question