Hello, I've been working on this rule for some time now, and it is only partially working.
I am able to see the net.exe related alerts populate, and used to see 'systeminfo', 'hostname', 'nslookup', now i do not.
I can not get the 'ipconfig /all', 'wmic process list full', 'netstat -an', 'route print', or 'route point' arguments.
Here is my EQL rule:
'''
process where event.type in ("start", "process_started") and
(
(process.command_line : "route print" or
process.args : "hostname" or
process.args : "ver" or
process.args : "systeminfo*" or
process.args : "ipconfig /all" or
process.args : "netstat -an" or
process.command_line : "route point" or
process.args : "nslookup" or
process.command_line : "wmic process list full" or
process.name : "net.exe" or process.name : "net1.exe") and
(
process.args : "users" or
process.command_line : "localgroup" or
process.command_line : "group /domain"
)
)
'''
Any help is appreciated!
