🔥 3-day streak
Professional Security Operations Engineer205 / 241
Question 205 of 241
A threat intelligence report describes an adversary that uses Windows Management Instrumentation (WMI) to remotely execute commands on target hosts (mapped to MITRE ATT&CK T1047). Your detection engineering team wants to build a YARA-L rule that generalizes to this technique rather than matching only the specific tool hashes named in the report. Which approach best translates the intelligence into durable, behavior-based detection coverage?
Reviewed for accuracy · Report an issueNext question