cmd.exe forensic?

Posted: 23 Nov 2023 07:14
by rodrigo.brasil
What forensic artifacts does cmd.exe produce?

I know PowerShell creates a lot more items in the Windows event log (like the entire script you run, when you start a PowerShell session, etc.). Is cmd.exe a kind of stealthy way to execute code?

Re: cmd.exe forensic?

Posted: 25 Nov 2023 11:45
by pieh-ejdsch
Hi rodrigo.brasil,

Cmd.exe is an extended version of command.com, a command line interpreter.
A *.bat is evaluated by command.com. Cmd.exe evaluates *.bat and *.cmd.
Cmd.exe opened as a command line loads an instance into memory. If a process is started from the command line, cmd.exe starts a subordinate process.

The PID can be used to search for associated/superordinate processes.
The expression can also be used to search for the started command line in order to determine a unique identification of the start process.

The topics have already been discussed in the forum.

An attempt can be made to disguise the names of the processes to be started, but the process manager (Explorer) shows it.


Phil
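One way to do the PID and command-line search that pieh-ejdsch describes, as an added example that is not from the thread: Python over constructed process-creation records whose field names follow Windows Security event 4688 (New Process ID, Creator Process ID, New Process Name, Process Command Line); the PIDs, paths and commands are made up.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int       # NewProcessId
    ppid: int      # CreatorProcessId (the parent the reply says to follow)
    image: str     # NewProcessName
    cmdline: str   # Process Command Line (only logged when that audit setting is on)

# Constructed sample records; the PIDs, paths and commands are made up.
EVENTS = [
    ProcEvent(0x0400, 0x0300, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(0x1a2c, 0x0400, r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "whoami /all"'),
    ProcEvent(0x1b40, 0x1a2c, r"C:\Windows\System32\whoami.exe", "whoami /all"),
    ProcEvent(0x1c00, 0x0400, r"C:\Users\u\Desktop\notes.exe", "notes.exe /k ipconfig"),
    ProcEvent(0x1c10, 0x1c00, r"C:\Windows\System32\ipconfig.exe", "ipconfig"),
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def parent_chain(events, pid):
    """Image names from `pid` up to the root, following CreatorProcessId."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # `seen` guards against PID-reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain

def spawned_by_cmd(events):
    """PIDs whose direct parent is cmd.exe (the subordinate processes the reply describes)."""
    by_pid = {e.pid: e for e in events}
    return [e.pid for e in events
            if e.ppid in by_pid and basename(by_pid[e.ppid].image) == "cmd.exe"]

# cmd.exe's own /c or /k switch right after the image token
CMD_SWITCH = re.compile(r"^\S+\s+/[ck]\s", re.IGNORECASE)

def cmd_style_cmdlines(events):
    """PIDs whose recorded command line uses cmd.exe syntax, whatever the image is called."""
    return [e.pid for e in events if CMD_SWITCH.search(e.cmdline)]
```

The command-line match is what still flags the renamed interpreter (notes.exe) when the image name alone would not.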