🔥 3-day streak
Professional Security Operations Engineer171 / 241
Question 171 of 241
A threat hunter has a hypothesis that adversaries in their environment are abusing certutil.exe with a URL argument to download second-stage payloads. They want a YARA-L rule that surfaces only the FIRST time each host executes certutil with a URL-like command-line argument within the last 30 days, to avoid alerting on the many benign, repeated certutil invocations already present in the fleet. Which rule design best satisfies this first-seen-per-host hunting requirement?
Reviewed for accuracy · Report an issueNext question