
Summary
This detection rule targets IcedID's post-infection discovery activity. After gaining a foothold, IcedID runs built-in Windows commands that enumerate the environment: network configuration, domain membership and domain controller information, accounts and groups, and reachable shared resources. The rule looks for process creation of the executables most often used for this purpose, `net.exe`, `ipconfig.exe`, `nltest.exe` and `systeminfo.exe`, in Windows Security event logs (Event Code 4688). Each of these commands is also a routine administrative tool, so the signal lies in context: several of them launched in quick succession on one host, or executed by a user account or at a time that does not fit normal administrative use, points to a compromised host. A match is therefore a trigger for triage rather than a verdict on its own. Note that Event 4688 records the full command line only when the "Include command line in process creation events" audit policy is enabled; without it the rule sees the executable name but not the arguments, which are what separate a query such as `net group /domain` from benign use. When the rule fires, the command lines, the logon session and the surrounding process activity are what incident responders and forensic analysts use to confirm IcedID's presence and scope the breach.
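The following is an added example of the detection logic described above, not the original rule's query or the vendor's code. It takes a list of constructed Event 4688-style records (fields modelled on NewProcessName, SubjectUserName, Computer and the event time), keeps only launches of the four discovery executables named above, and raises one alert per host and user when at least `min_distinct` different discovery commands appear within a time window. The window length, the distinct-command threshold and the sample events are assumptions chosen for illustration; the burst grouping goes beyond the summary, which only names the executables and the unusual user or time context.

```python
"""Burst detection for IcedID-style discovery commands over 4688-like events.

Added example; the event records below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Executables named by the rule. Matching is on the lowercase basename, so
# C:\Windows\SysWOW64\NET.EXE and C:\Windows\System32\net.exe both match.
DISCOVERY_EXES = {"net.exe", "ipconfig.exe", "nltest.exe", "systeminfo.exe"}

# Constructed sample events shaped like Security event 4688 fields.
SAMPLE_EVENTS = [
    {"time": "2024-02-09T10:00:01", "host": "WS01", "user": "jdoe",
     "new_process": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"time": "2024-02-09T10:00:05", "host": "WS01", "user": "jdoe",
     "new_process": r"C:\Windows\System32\systeminfo.exe", "cmdline": "systeminfo"},
    {"time": "2024-02-09T10:00:12", "host": "WS01", "user": "jdoe",
     "new_process": r"C:\Windows\SysWOW64\NET.EXE", "cmdline": "net group /domain"},
    {"time": "2024-02-09T10:00:20", "host": "WS01", "user": "jdoe",
     "new_process": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest /dclist:"},
    {"time": "2024-02-09T10:00:30", "host": "WS01", "user": "jdoe",
     "new_process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe"},
    # A help-desk user running two discovery commands 25 minutes apart: no burst.
    {"time": "2024-02-09T11:15:00", "host": "WS02", "user": "helpdesk",
     "new_process": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig"},
    {"time": "2024-02-09T11:40:00", "host": "WS02", "user": "helpdesk",
     "new_process": r"C:\Windows\System32\net.exe", "cmdline": "net use"},
]


def exe_name(event):
    """Lowercase basename of the launched image, tolerant of either path style."""
    return ntpath.basename(event["new_process"]).lower()


def is_discovery(event):
    """True when the created process is one of the rule's discovery executables."""
    return exe_name(event) in DISCOVERY_EXES


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Return one alert per (host, user) burst of distinct discovery commands.

    A burst is every discovery launch within `window` of its first event. A
    burst that reaches `min_distinct` different executables is reported once
    and consumed, so overlapping windows do not produce duplicate alerts.
    """
    by_actor = defaultdict(list)
    for ev in events:
        if is_discovery(ev):
            by_actor[(ev["host"], ev["user"])].append(ev)

    alerts = []
    for (host, user), evs in by_actor.items():
        evs.sort(key=_ts)
        i = 0
        while i < len(evs):
            j = i
            while j < len(evs) and _ts(evs[j]) - _ts(evs[i]) <= window:
                j += 1
            burst = evs[i:j]
            seen = sorted({exe_name(e) for e in burst})
            if len(seen) >= min_distinct:
                alerts.append({
                    "host": host,
                    "user": user,
                    "start": burst[0]["time"],
                    "end": burst[-1]["time"],
                    "commands": seen,
                    "command_lines": [e["cmdline"] for e in burst],
                })
                i = j  # consume the whole burst
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_EVENTS):
        print(f"{alert['host']} {alert['user']} {alert['start']}..{alert['end']}: "
              f"{', '.join(alert['command_lines'])}")
```

Run as written, the script reports a single alert for `jdoe` on `WS01`, listing all four discovery commands and their command lines, and stays silent for the help-desk user whose two commands fall outside the window. The `command_lines` field only carries useful content when command-line auditing is enabled for Event 4688; otherwise it is the executable names in `commands` that the analyst has to work from.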
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Application Log
- Process
ATT&CK Techniques
- T1069.002
- T1135
- T1087
- T1082
- T1119
Created: 2024-02-09