Question 9 - Google Security-Operations-Engineer Real Exam Questions [March 2026 Update]

Q: 9

You are investigating whether an advanced persistent threat (APT) actor has operated in your organization's environment undetected. You have received threat intelligence that includes: A SHA256 hash for a malicious DLL A known command and control (C2) domain A behavior pattern where rundll32.exe spawns powershell.exe with obfuscated arguments Your Google Security Operations (SecOps) instance includes logs from EDR, DNS, and Windows Sysmon. However, you have recently discovered that process hashes are not reliably captured across all endpoints due to an inconsistent Sysmon configuration. You need to use Google SecOps to develop a detection mechanism that identifies the associated activities. What should you do?

Options

Correct Answer:

Explanation

The most effective strategy is to leverage all available intelligence while accounting for data quality issues. The process hash is unreliable, but the C2 domain is a reliable indicator present in DNS logs. Creating a reference list (referred to as a data table) containing both the hash and the domain allows a single YARA-L rule to search for either indicator. A high-frequency rule is suitable for near real-time detection against high-volume data like DNS logs. This approach provides resilient coverage by detecting C2 activity via DNS lookups even when the process hash is missing, making it the most robust solution.

Why Incorrect

A. Searching for rundll32.exe is too broad and will generate excessive false positives, as it is a common and legitimate system process.

B. This approach is unreliable because the scenario explicitly states that process hashes are not consistently captured across all endpoints.

C. This rule still depends on the unreliable process hash, meaning it would fail to detect activity on many misconfigured endpoints.

References

1. Use reference lists in rules: Official Google Cloud documentation explains that reference lists are used to store and match against a large set of values

such as known malicious domains or file hashes

within a detection rule. This directly supports the creation of a data table (reference list) for the IOCs.

Source: Google Cloud Documentation

Chronicle SIEM

"Use reference lists in rules".

2. YARA-L 2.0 language syntax: The syntax for YARA-L rules allows for complex logic

including checking fields against reference lists. A rule can be written to match a DNS query to the C2 domain list or a process hash to the hash list.

Source: Google Cloud Documentation

Chronicle SIEM

"YARA-L 2.0 language syntax"

Section: "Language overview".

3. How Detection Engine works: This document describes the different types of rules

including high-frequency rules designed for near real-time detection on high-volume log sources like DNS

which aligns with the proposed solution of using the C2 domain for alerting.

Source: Google Cloud Documentation

Chronicle SIEM

"How Detection Engine works"

Section: "Rule execution".

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE