🔥 3-day streak
Professional Security Operations Engineer195 / 241
Question 195 of 241
During a proactive hunt in Google SecOps, a threat hunter suspects adversaries are abusing PowerShell with base64-encoded commands to evade detection. They want to write a YARA-L 2.0 hunting rule that surfaces only encoded PowerShell invocations that are uncommon across the fleet, avoiding the flood of legitimate administrative scripting that uses encoded commands routinely. Which approach within the rule best isolates the low-prevalence, suspicious activity?
Reviewed for accuracy · Report an issueNext question