Challenge 09: The Useless Rule
Objective
Discover why reconnaissance commands like whoami, net user, ipconfig /all, and systeminfo are never actually blocked by the EDR.
Scanner Behavior
Rule 3 detects reconnaissance commands and creates a detection result. But look at how the analysis engine calls it:
proc analyzeProcess(info: ProcessInfo, cfg: Config): seq[Detection] =
result = @[]
result.add ruleProcessBlacklist(enriched)
result.add ruleSuspiciousKeywords(enriched)
# WEAKNESS: recon detection runs but result is discarded!
discard ruleReconDetection(enriched)
result.add ruleLsassDump(enriched)
...
Rules
- Execute at least 3 different reconnaissance commands
- Observe the EDR output - are they detected? Are they blocked?
- Explain why Rule 3 is ineffective
Hints
Hint 1
Read the source code carefully. What doesdiscard do in Nim?
Hint 2
discard evaluates the expression but throws away the return value. The detections are never added to the result list.
Hint 3
Note that "whoami" IS in Rule 2'sSuspiciousKeywords list, so it gets caught there. But pure recon commands like "ipconfig /all" or "systeminfo" only match Rule 3, which is discarded.
MostShittyEDR