SC-200 Perform threat hunting • Set 18
SC-200 Perform threat hunting Practice Test 18 — 15 questions with explanations. Free, no signup.
Refer to the exhibit. The KQL query is used in a threat hunting campaign. Which of the following best describes the hunting activity this query is designed to detect?
DeviceProcessEvents
| where ProcessCommandLine contains '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"'
    and InitiatingProcessFileName in~ ('winword.exe', 'excel.exe', 'outlook.exe')
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine
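Added example, not part of the practice test: a pure-Python re-implementation of the exhibit's `where`/`project` stages run over constructed DeviceProcessEvents rows, reproducing KQL's case-insensitive `contains` and `in~` semantics. A second, assumed variant keyed on the child FileName (not on the page) shows a launch the exact-path `contains` filter misses.

```python
# Added example; the sample rows are constructed, not real telemetry.
POWERSHELL_PATH = '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"'
OFFICE_PARENTS = ("winword.exe", "excel.exe", "outlook.exe")
PROJECTED = ("Timestamp", "DeviceName", "InitiatingProcessFileName", "ProcessCommandLine")


def kql_contains(haystack: str, needle: str) -> bool:
    """KQL `contains` is a case-insensitive substring test (`contains_cs` is the case-sensitive form)."""
    return needle.lower() in haystack.lower()


def kql_in_ci(value: str, options) -> bool:
    """KQL `in~` is case-insensitive set membership."""
    return value.lower() in {o.lower() for o in options}


def hunt_office_spawning_powershell(events):
    """The exhibit query: Office parent AND the full quoted powershell.exe path in the command line."""
    return [{k: e[k] for k in PROJECTED} for e in events
            if kql_contains(e["ProcessCommandLine"], POWERSHELL_PATH)
            and kql_in_ci(e["InitiatingProcessFileName"], OFFICE_PARENTS)]


def hunt_office_spawning_powershell_by_filename(events):
    """Assumed stricter variant (equivalent to `FileName =~ 'powershell.exe'`): matches on the
    child image name, so a short-form `powershell ...` command line is not overlooked."""
    return [{k: e[k] for k in PROJECTED} for e in events
            if e["FileName"].lower() == "powershell.exe"
            and kql_in_ci(e["InitiatingProcessFileName"], OFFICE_PARENTS)]


# Constructed sample telemetry: one full-path launch from Word, one short-form launch
# from Excel, and one full-path launch from Explorer (benign parent).
SAMPLE_EVENTS = [
    {"Timestamp": "2024-01-10T09:14:02Z", "DeviceName": "ws-finance-07",
     "InitiatingProcessFileName": "WINWORD.EXE", "FileName": "powershell.exe",
     "ProcessCommandLine": POWERSHELL_PATH + " -NoProfile -File C:\\Users\\Public\\x.ps1"},
    {"Timestamp": "2024-01-10T09:15:40Z", "DeviceName": "ws-finance-07",
     "InitiatingProcessFileName": "excel.exe", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell -NoProfile -Command Get-Date"},
    {"Timestamp": "2024-01-10T09:20:11Z", "DeviceName": "ws-it-02",
     "InitiatingProcessFileName": "explorer.exe", "FileName": "powershell.exe",
     "ProcessCommandLine": POWERSHELL_PATH},
]

if __name__ == "__main__":
    for hit in hunt_office_spawning_powershell(SAMPLE_EVENTS):
        print(hit)
```

The exhibit filter returns only the Word row; the FileName-based variant also surfaces the Excel row, which is why hunters usually pair a command-line match with an image-name match.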