Challenge 09: The Useless Rule

Easy Command Line Obfuscation Target: Rule 3

Objective

Discover why reconnaissance commands like whoami, net user, ipconfig /all, and systeminfo are never actually blocked by the EDR.

Scanner Behavior

Rule 3 detects reconnaissance commands and creates a detection result. But look at how the analysis engine calls it:

proc analyzeProcess(info: ProcessInfo, cfg: Config): seq[Detection] =
  result = @[]
  result.add ruleProcessBlacklist(enriched)
  result.add ruleSuspiciousKeywords(enriched)

  # WEAKNESS: recon detection runs but result is discarded!
  discard ruleReconDetection(enriched)

  result.add ruleLsassDump(enriched)
  ...

Rules

  • Execute at least 3 different reconnaissance commands
  • Observe the EDR output - are they detected? Are they blocked?
  • Explain why Rule 3 is ineffective

Hints

Hint 1 Read the source code carefully. What does discard do in Nim?
Hint 2 discard evaluates the expression but throws away the return value. The detections are never added to the result list.
Hint 3 Note that "whoami" IS in Rule 2's SuspiciousKeywords list, so it gets caught there. But pure recon commands like "ipconfig /all" or "systeminfo" only match Rule 3, which is discarded.