An APT actor is suspected with IOCs including a SHA256 of a malicious DLL, a C2 domain, and rundll32.exe spawning powershell.exe with obfuscated arguments. If Sysmon data is inconsistent and process hashes are unreliable, which approach is best?


Multiple Choice


Explanation:

When signals are unreliable or incomplete, detection should hinge on stable indicators and scalable rules that can catch activity across multiple data sources. In this scenario, anchoring detections to a reference list of known IOCs (the DLL’s SHA256 and the C2 domain) and tying those to a high-frequency rule gives broad, consistent coverage without relying on brittle process hashes or perfect Sysmon data.

Why this approach fits best: a reference list provides a single, centralized source of truth for the IOCs you care about. By linking those indicators to a rule that runs across all telemetry streams (endpoint, network, cloud logs, etc.), you can surface detections whenever any event touches those IOCs, even if process hashes are inconsistent or Sysmon data is incomplete. This method also scales well: as you discover more IOCs, you add them to the reference list and the high-frequency rule automatically benefits from the expanded coverage. It effectively bridges multiple data sources—file creation, network connections to the C2 domain, and script activity—without depending on any single unreliable signal like process relationships or exact hash matches in a noisy environment.

The other options rely more on brittle or narrow signals: correlating multiple events with YARA-L requires reliable event data and relationships to be meaningful; a retrohunt focuses on past data and may miss present activity when data is inconsistent; a single-event hash rule is fragile if the hash changes or if telemetry doesn’t capture the hash consistently; and focusing only on rundll32.exe usage misses the broader context of the C2 domain and the malicious DLL.
