
Detect built-in cmd commands

Open explorer125 opened this issue 2 years ago • 5 comments

How can Sysmon detect execution of built-in cmd commands such as echo, mkdir, del, etc.?

explorer125 avatar Mar 30 '23 09:03 explorer125

Sadly it cannot. That would be possible if it were implemented as a transcript feature inside of cmd.exe, similar to what PS has.

darkoperator avatar Mar 30 '23 09:03 darkoperator

If I run these commands from PS, would Sysmon detect?

explorer125 avatar Mar 30 '23 10:03 explorer125

Unless they are part of the start of the process as a command line parameter, it cannot. In the case of PS you would need to configure transcription via the registry or GPO. Collection would be having the transcripts sent to a share.

darkoperator avatar Mar 30 '23 10:03 darkoperator
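The registry-based transcription setup described in the answer above, as an added example (not code from the thread or from the SysmonCommunityGuide project): it sets Microsoft's documented PowerShell policy values for transcription and script block logging, points transcripts at a collector share, and checks that a fresh session actually produces a transcript file. The share path `\\LOGSRV\PSTranscripts$` is an assumed placeholder; run it from an elevated prompt.

```powershell
# Added example: enable PowerShell transcription (plus script block logging) through
# the policy registry keys, with transcripts written to a central share for collection.
$TranscriptShare = '\\LOGSRV\PSTranscripts$'   # assumption: replace with your collector share

$base          = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$transcription = Join-Path $base 'Transcription'
$scriptBlock   = Join-Path $base 'ScriptBlockLogging'

foreach ($key in @($transcription, $scriptBlock)) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Transcription: one text file per session under OutputDirectory; the invocation
# header adds a timestamp line before each command, which is what gives you the
# record of built-in commands (echo, mkdir, del ...) that never show up as a process.
New-ItemProperty -Path $transcription -Name 'EnableTranscripting'    -PropertyType DWord  -Value 1 -Force | Out-Null
New-ItemProperty -Path $transcription -Name 'EnableInvocationHeader' -PropertyType DWord  -Value 1 -Force | Out-Null
New-ItemProperty -Path $transcription -Name 'OutputDirectory'        -PropertyType String -Value $TranscriptShare -Force | Out-Null

# Script block logging is a separate control: executed script block content is
# written to Microsoft-Windows-PowerShell/Operational as event ID 4104.
New-ItemProperty -Path $scriptBlock -Name 'EnableScriptBlockLogging' -PropertyType DWord -Value 1 -Force | Out-Null

# Verification: read the values back, then start a new session (transcription is
# picked up per session, so the current console will not show it) and look for the
# newest transcript files on the share. Transcripts land in dated subfolders.
Get-ItemProperty -Path $transcription | Select-Object EnableTranscripting, EnableInvocationHeader, OutputDirectory
Get-ItemProperty -Path $scriptBlock   | Select-Object EnableScriptBlockLogging

powershell.exe -NoProfile -Command 'echo transcript-check' | Out-Null
Get-ChildItem -Path $TranscriptShare -Recurse -Filter 'PowerShell_transcript.*.txt' |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 3 FullName, LastWriteTime
```

Set the share ACL so hosts can create files but not read or modify other hosts' transcripts, otherwise the collected record can be tampered with by whoever runs the session.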

I have enabled script block logging, and even if I execute echo from PS (without it being part of the command line parameter), the Windows event log captures it under event ID 4104. Can't Sysmon detect this?

explorer125 avatar Mar 30 '23 17:03 explorer125

Scriptblock logging is not the same as transcript. https://4sysops.com/archives/powershell-transcript-record-a-session-to-a-text-file/

darkoperator avatar Mar 30 '23 19:03 darkoperator