From 162d577523fac8e5c06b2cc9653fb2cb2d7ea3a6 Mon Sep 17 00:00:00 2001
From: securepeacock <92804416+securepeacock@users.noreply.github.com>
Date: Mon, 11 Apr 2022 13:36:52 -0400
Subject: [PATCH] Update proc_creation_win_susp_network_command.yml

Added route print
---
 .../process_creation/proc_creation_win_susp_network_command.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/process_creation/proc_creation_win_susp_network_command.yml b/rules/windows/process_creation/proc_creation_win_susp_network_command.yml
index 446e2a456..6fcd7ac9d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_network_command.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_network_command.yml
@@ -17,6 +17,7 @@ detection:
 - 'arp -a'
 - 'nbtstat -n'
 - 'net config'
+ - 'route print'
 condition: network_cmd
 falsepositives:
 - Administrator, hotline ask to user
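Review bot: The added `- 'route print'` list item is matched by the same selector as the other entries, but the `falsepositives` section visible at the end of the hunk is left unchanged even though printing the routing table is routine in administrator and troubleshooting scripts, so the new entry will inflate the rule's noise without telling an analyst where the benign hits come from. Add a matching false-positive entry, for example `- Network troubleshooting and logon scripts that print the routing table`, so tuning guidance stays in step with the detection list. If the rule carries a `modified:` date in its header (outside this hunk), it should also be bumped as part of this change, since downstream consumers key rule refreshes off that field. The selector that applies to this list, and the start of the `detection:` block, lie above the hunk and are not visible here.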