What are the forensic artifacts that cmd.exe produces?
I know PowerShell creates a lot more items in the Windows event log (like the entire script you run, when you start a PowerShell session, etc.). Is cmd.exe a kind of stealthy way to execute code?
cmd.exe forensic?
Moderator: DosItHelp
- Posts: 240
- Joined: 04 Mar 2014 11:14
- Location: germany
Re: cmd.exe forensic?
Hi rodrigo.brasil,
Cmd.exe is an extended version of command.com. A command line interpreter.
A *.bat is evaluated by command.com. Cmd.exe evaluates *.bat and *.cmd.
Cmd.exe opened as a command line loads an instance into memory. If a process is started in the command line, cmd.exe starts a subordinate process.
The PID can be used to search for associated/superordinate processes.
The expression can also be used to search for the started command line in order to determine a unique identification of the start process.
The topics have already been discussed in the forum.
An attempt can be made to disguise the names of the processes to be started. But the process manager (Explorer) shows it.
Phil
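The reply above points at the parent/child relationship between cmd.exe and the processes it launches as the thing to look for. The following PowerShell is an added example, not code from the original thread: it walks the parent chain of a process from live Win32_Process data, lists what every running cmd.exe has spawned, and pulls the matching process-creation events (Security event 4688) from the event log. It assumes a Windows host, an elevated shell for reading the Security log, and that "Audit Process Creation" is enabled; the CommandLine field of 4688 is only populated when "Include command line in process creation events" is also switched on (otherwise you get the process name and parent, but not the arguments).

```powershell
# Added example (not from the original post). Reconstructs process ancestry and
# cmd.exe children from live Win32_Process data, then pulls Security 4688 events.
# Assumptions: Windows host; elevated shell; process-creation auditing enabled;
# CommandLine in 4688 requires the command-line auditing policy as well.

function Get-ProcessAncestry {
    # Follow ParentProcessId upward from $ProcessId until the root or a dead parent.
    param([Parameter(Mandatory)][int]$ProcessId)

    $byId = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $byId[[int]$p.ProcessId] = $p          # cast: UInt32 and Int32 keys would not match
    }

    $chain   = @()
    $visited = @{}
    $current = $byId[$ProcessId]
    while ($null -ne $current -and -not $visited.ContainsKey([int]$current.ProcessId)) {
        $visited[[int]$current.ProcessId] = $true
        $chain += [pscustomobject]@{
            ProcessId       = [int]$current.ProcessId
            ParentProcessId = [int]$current.ParentProcessId
            Name            = $current.Name
            CommandLine     = $current.CommandLine
        }
        # A parent PID that no longer exists (or was reused for a loop) ends the chain here.
        $current = $byId[[int]$current.ParentProcessId]
    }
    return $chain
}

function Get-CmdChildren {
    # Every live process whose direct parent is a cmd.exe instance.
    $procs  = Get-CimInstance -ClassName Win32_Process
    $cmdIds = @($procs | Where-Object { $_.Name -ieq 'cmd.exe' } | ForEach-Object { [int]$_.ProcessId })
    $procs |
        Where-Object { $cmdIds -contains [int]$_.ParentProcessId } |
        Select-Object @{n='ProcessId';e={[int]$_.ProcessId}},
                      @{n='ParentProcessId';e={[int]$_.ParentProcessId}},
                      Name, CommandLine
}

function Get-CmdCreationEvents {
    # Security 4688 events where cmd.exe was either the new process or its parent.
    # NewProcessId/ProcessId in 4688 are hex strings (e.g. 0x1a4c), hence the conversion.
    param([int]$MaxEvents = 200)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time              = $_.TimeCreated
                User              = $data['SubjectUserName']
                NewProcessId      = [Convert]::ToInt32($data['NewProcessId'], 16)
                NewProcessName    = $data['NewProcessName']
                CreatorProcessId  = [Convert]::ToInt32($data['ProcessId'], 16)
                ParentProcessName = $data['ParentProcessName']   # present on Windows 10 / Server 2016 and later
                CommandLine       = $data['CommandLine']         # empty unless command-line auditing is on
            }
        } |
        Where-Object { $_.NewProcessName -like '*\cmd.exe' -or $_.ParentProcessName -like '*\cmd.exe' }
}

# Usage:
# Get-ProcessAncestry -ProcessId $PID | Format-Table
# Get-CmdChildren | Format-Table
# Get-CmdCreationEvents | Format-Table -AutoSize
```

Note that the live Win32_Process view only answers the question for processes that are still running; once cmd.exe has exited, the parent/child relationship survives only in whatever was logged at creation time, which is why the 4688 query (or Sysmon event ID 1, which records command line and parent by default) is the part that matters for forensics.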