🔥 3-day streak
Professional Security Operations Engineer179 / 241
Question 179 of 241

A threat hunter suspects a compromised build server is being used to spray a downloaded implant across the environment. They hypothesize that the malicious loader process spawns an unusually high number of distinct child process names within a short window compared to legitimate build tooling, which typically reuses the same small set of child binaries. Which YARA-L approach best operationalizes this hypothesis into a repeatable detection?

Reviewed for accuracy · Report an issueNext question