🔥 3-day streak
Professional Security Operations Engineer202 / 241
Question 202 of 241
During a proactive hunt in Google SecOps, you hypothesize that an adversary has established persistence by writing to Windows Registry Run keys on a small number of endpoints. You want a YARA-L 2.0 rule that surfaces registry modifications to Run/RunOnce keys, but only where the resulting binary path is rare across your entire fleet over the last 30 days. Which approach best implements this hunt while minimizing false positives from legitimate, widely-deployed software?
Reviewed for accuracy · Report an issueNext question