210-255 · Question #185
You have identified a malicious file in a sandbox analysis tool. Which piece of file information from the analysis is needed to search for additional downloads of this file by other hosts?
The correct answer is B. file hash value. A file hash value is the only attribute that uniquely and reliably identifies a specific file's content, making it the correct artifact to pivot on when hunting for that malicious file across other hosts.
Question
You have identified a malicious file in a sandbox analysis tool. Which piece of file information from the analysis is needed to search for additional downloads of this file by other hosts?
Options
- Afile name
- Bfile hash value
- Cfile type
- Dfile size
How the community answered
(20 responses)- A5% (1)
- B90% (18)
- C5% (1)
Why each option
A file hash value is the only attribute that uniquely and reliably identifies a specific file's content, making it the correct artifact to pivot on when hunting for that malicious file across other hosts.
File names are trivially changed by attackers to evade detection and are not unique identifiers for a specific malicious file across hosts.
A cryptographic hash (MD5, SHA-1, SHA-256) is derived from the exact binary content of the file, producing a unique fingerprint. Security analysts can query SIEM systems, EDR platforms, and network logs for that specific hash to identify every host that downloaded or executed the identical file, even if the attacker renamed or moved it.
File type is a broad category shared by countless files and cannot distinguish the malicious file from the many legitimate files of the same type.
File size is not unique - many unrelated files share the same size, and minor modifications can alter it without changing the file's malicious behavior.
Concept tested: File hash as indicator of compromise for threat hunting
Source: https://www.nist.gov/publications/guide-computer-security-incident-handling
Topics
Community Discussion
No community discussion yet for this question.