🔥 3-day streak
Professional Security Operations Engineer186 / 241
Question 186 of 241
During a hypothesis-driven hunt, a SecOps threat hunter suspects that an attacker has deployed a lightweight reverse shell that opens a listening service on a non-standard high port on a small number of Linux servers, then periodically initiates outbound connections from that same process. The hunter wants to write a YARA-L 2.0 rule that surfaces only processes that both (a) bound a rare listening port not previously seen in the environment and (b) generated outbound network egress, while suppressing common services like ssh and web servers. Which approach best satisfies this hunt within a single YARA-L detection?
Reviewed for accuracy · Report an issueNext question