🔥 3-day streak
Professional Security Operations Engineer199 / 241
Question 199 of 241
During a hunt in Google SecOps, you hypothesize that malware is masquerading as svchost.exe but is being launched by an unexpected parent process. Legitimate svchost.exe on Windows is spawned almost exclusively by services.exe. You want a YARA-L rule that surfaces svchost.exe process launches whose parent is NOT services.exe, but only when that specific parent/child pairing is rare across the fleet over the past 30 days. Which approach best satisfies this hunt while minimizing false positives from occasional legitimate variations?
Reviewed for accuracy · Report an issueNext question