🔥 3-day streak
Professional Security Operations Engineer181 / 241
Question 181 of 241

A threat hunter at a financial services firm suspects an adversary is using DLL sideloading to run malicious code under the context of legitimate signed executables. In Google SecOps, they want a hypothesis-driven YARA-L rule that surfaces cases where a process whose main executable is validly signed loads a module (DLL) that is unsigned or has an unverified signature, but ONLY when that specific module path has been loaded on fewer than three distinct hosts across the fleet in the last 14 days. Which rule design best satisfies this hypothesis?

Reviewed for accuracy · Report an issueNext question