🔥 3-day streak
Professional Security Operations Engineer175 / 241
Question 175 of 241

A threat hunter at a financial services firm hypothesizes that an adversary is establishing persistence by creating scheduled tasks that execute rarely-seen binaries. She wants to write a YARA-L rule in Google SecOps that surfaces scheduled-task creation events where the associated executable hash has been observed on very few endpoints across the enterprise over the past 30 days. Which approach best implements this low-prevalence hunt in YARA-L?

Reviewed for accuracy · Report an issueNext question