🔥 3-day streak
Professional Security Operations Engineer174 / 241
Question 174 of 241

During a hypothesis-driven hunt, you suspect adversaries are abusing living-off-the-land binaries (LOLBins) on Windows endpoints in your Google SecOps environment. Specifically, you want to surface cases where a legitimate signed binary (rundll32.exe) is spawned by an unusual parent process such as a Microsoft Office application. Rather than a single point-in-time UDM search, you want a reusable YARA-L rule that continuously evaluates process-launch telemetry for this parent-child relationship. Which approach best satisfies the hunt requirement?

Reviewed for accuracy · Report an issueNext question