🔥 3-day streak
Professional Security Operations Engineer192 / 241
Question 192 of 241
During a hypothesis-driven hunt, a SecOps threat hunter suspects that an attacker is using a living-off-the-land technique where a legitimate binary spawns processes writing base64-encoded archives to a temp staging directory before exfiltration. The hunter wants a YARA-L rule that surfaces PROCESS_LAUNCH events whose parent binary is common across the fleet but whose combination of command-line arguments plus a subsequent FILE_CREATION into a temp path is rare. Which approach best matches the intent of finding low-prevalence behavior rather than a static IOC?
Reviewed for accuracy · Report an issueNext question