You have found a hash-based indicator of compromise (IOC) in an intelligence report and want to determine if the program has run in your environment. Which search would provide all of the process’ executions over the timeframe specified?
To determine if a specific program has run in your environment over a specified timeframe, conducting a Process Search is the most direct and comprehensive method. A Process Search allows you to query for all instances where a process has executed, providing detailed logs of each execution, including timestamps and other relevant metadata. This is essential for understanding the behavior and frequency of the process identified by the hash-based indicator of compromise (IOC). Hash Search, while useful, typically identifies instances based on the hash value alone and may not provide the extensive historical execution data needed for a thorough analysis of process activities.
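As an added illustration of the distinction this answer draws (it is example code written for this page, not part of the original question, any answer, or any vendor's product), the following Python hunts a hash-based IOC across a constructed set of process-execution events of the kind an EDR or SIEM would export. The event fields, hostnames and hash values are made up; the point is that a timeframe-bounded query returns every execution in the window (count, hosts, first and last time), whereas a first-seen lookup returns only the single earliest event for the hash.

```python
from datetime import datetime, timezone

# Hypothetical SHA-256 values standing in for the IOC and for an unrelated binary.
IOC_SHA256 = "7d1a" * 16
OTHER_SHA256 = "c0de" * 16

# Constructed sample telemetry: one record per process execution, as an
# EDR/SIEM export might look. Hosts and timestamps are invented.
SAMPLE_EVENTS = [
    {"ts": "2024-02-27T22:40:00Z", "host": "ws-0142",  "sha256": IOC_SHA256,         "cmd": "update.exe /silent"},
    {"ts": "2024-03-01T08:15:00Z", "host": "ws-0142",  "sha256": IOC_SHA256,         "cmd": "update.exe /silent"},
    {"ts": "2024-03-01T08:16:30Z", "host": "ws-0142",  "sha256": OTHER_SHA256,       "cmd": "notepad.exe"},
    {"ts": "2024-03-02T13:02:11Z", "host": "srv-db01", "sha256": IOC_SHA256.upper(), "cmd": "update.exe"},
    {"ts": "2024-03-03T09:45:00Z", "host": "ws-0142",  "sha256": IOC_SHA256,         "cmd": "update.exe /silent"},
    {"ts": "2024-03-09T01:00:00Z", "host": "ws-0077",  "sha256": IOC_SHA256,         "cmd": "update.exe"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def executions_for_hash(events, sha256, start, end):
    """Return every execution of the binary with this SHA-256 inside [start, end].

    Hash comparison is case-insensitive because reports and sensors disagree
    on hex casing; matching on the raw string would silently miss events.
    """
    target = sha256.lower()
    hits = [
        e for e in events
        if e["sha256"].lower() == target and start <= parse_ts(e["ts"]) <= end
    ]
    return sorted(hits, key=lambda e: parse_ts(e["ts"]))


def first_seen(events, sha256):
    """Return only the earliest execution of the hash (what a first-seen lookup gives)."""
    lo = datetime.min.replace(tzinfo=timezone.utc)
    hi = datetime.max.replace(tzinfo=timezone.utc)
    hits = executions_for_hash(events, sha256, lo, hi)
    return hits[0] if hits else None


def hunt(events, sha256, start_iso, end_iso):
    """Summarise all executions of the hash in the window: count, hosts, first/last."""
    hits = executions_for_hash(events, sha256, parse_ts(start_iso), parse_ts(end_iso))
    return {
        "count": len(hits),
        "hosts": sorted({e["host"] for e in hits}),
        "first": hits[0]["ts"] if hits else None,
        "last": hits[-1]["ts"] if hits else None,
    }


if __name__ == "__main__":
    window = hunt(SAMPLE_EVENTS, IOC_SHA256, "2024-03-01T00:00:00Z", "2024-03-07T23:59:59Z")
    print("executions in window:", window)
    print("first seen overall:", first_seen(SAMPLE_EVENTS, IOC_SHA256)["ts"])
```

Running it shows three executions on two hosts inside the 1-7 March window (the February and 9 March events are excluded, and the upper-cased hash still matches), while the first-seen lookup returns only the 27 February event, which is outside the window entirely and says nothing about how often or where the program ran during it.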
D should be correct
I believe D is correct
D is correct because hash search shows first time seen
D. Hash search will look for the hash and any related process execution.