🔥 3-day streak
Professional Security Operations Engineer180 / 241
Question 180 of 241

During a hypothesis-driven hunt, a SecOps threat hunter suspects an adversary is using process hollowing where a legitimate signed binary spawns and then a remote thread injects code into it. The hunter wants to author a YARA-L 2.0 rule that surfaces PROCESS_INJECTION events targeting common Windows binaries (e.g., svchost.exe, explorer.exe) where the injecting source process is NOT one of a small set of known-legitimate injectors used in the environment. Which YARA-L construct most directly and efficiently expresses the 'exclude known-good injectors' portion of this logic?

Reviewed for accuracy · Report an issueNext question