🔥 3-day streak
Professional Security Operations Engineer182 / 241
Question 182 of 241
During a hypothesis-driven hunt, a SecOps threat hunter suspects that a subset of endpoints has been reconfigured to use an attacker-controlled DNS resolver as part of a DNS-based command-and-control setup. The hunter wants to build a YARA-L 2.0 retrohunt rule that surfaces DNS query events where the responding/queried DNS server IP is one that is rarely used across the enterprise — flagging hosts talking to resolvers outside the organization's small set of sanctioned internal resolvers. Which approach best expresses this hunt hypothesis in YARA-L?
Reviewed for accuracy · Report an issueNext question