
PROFESSIONAL-SECURITY-OPERATIONS-ENGINEER Question #42: Real Exam Question with Answer & Explanation


Question

You are investigating whether an advanced persistent threat (APT) actor has operated in your organization's environment undetected. You have received threat intelligence that includes:

- A SHA256 hash for a malicious DLL
- A known command and control (C2) domain
- A behavior pattern where rundll32.exe spawns powershell.exe with obfuscated arguments

Your Google Security Operations (SecOps) instance includes logs from EDR, DNS, and Windows Sysmon. However, you have recently discovered that process hashes are not reliably captured across all endpoints due to an inconsistent Sysmon configuration. You need to use Google SecOps to develop a detection mechanism that identifies the associated activities. What should you do?

Options

  • A. Write a multi-event YARA-L detection rule that correlates the process relationship and hash, and
  • B. Build a reference list that contains the hash and domain, and link the list to a high-frequency rule
  • C. Create a single-event YARA-L detection rule based on the file hash, and run the rule against
  • D. Use Google SecOps search to identify recent uses of rundll32.exe, and tag affected assets
