🔥 3-day streak
Professional Security Operations Engineer170 / 241
Question 170 of 241

A threat hunter suspects a custom malware sample is using a bespoke TLS library, which would produce a client-side JA3 fingerprint that no legitimate application in the fleet generates. They want a YARA-L 2.0 hunt rule that surfaces network connections whose JA3 hash has never been observed in the environment before the current 24-hour hunt window, while excluding hashes that appear across many hosts (indicating common software). Which approach best fits this hypothesis?

Reviewed for accuracy · Report an issueNext question