🔥 3-day streak
Professional Security Operations Engineer196 / 241
Question 196 of 241
During a hypothesis-driven hunt, you suspect an attacker is abusing a legitimate service account to run processes with escalated privileges on only a handful of endpoints. You want a YARA-L 2.0 rule that surfaces process launch events where the process runs under SYSTEM integrity but the same process image path has been observed on very few distinct hosts across the fleet in the last 30 days. Which rule design correctly balances the low-prevalence requirement with the privilege-escalation hypothesis?
Reviewed for accuracy · Report an issueNext question