What is the procedure for recording cmd.exe's native commands in Sysmon or Windows Event Logs?

asked 2021-08-14 11:00:00 +0000



1 Answer


answered 2022-09-22 11:00:00 +0000


There are a few different ways to record cmd.exe's native commands in Sysmon or Windows Event Logs, but one general approach could be:

  1. Install and configure Sysmon on the Windows system(s) where you want to monitor cmd.exe activity. Sysmon is a free tool from Microsoft that provides advanced system monitoring capabilities, including process creation events, file events, network events, and more.

  2. Enable the process creation event logging in Sysmon, either by adding a configuration file or by using the command line tool. For example, you could create a Sysmon configuration file (e.g., sysmon-config.xml) with the following contents:

<Sysmon schemaversion="4.50">
  <EventFiltering>
    <ProcessCreate onmatch="include">
      <!-- Match on the executable path rather than the command line: a launch such
           as "cmd /c dir" has no "cmd.exe" in its command line and would be missed
           by a CommandLine "contains" filter. -->
      <Image condition="end with">\cmd.exe</Image>
    </ProcessCreate>
  </EventFiltering>
</Sysmon>

This will instruct Sysmon to capture process creation events for any cmd.exe process launched on the system.

  3. Apply the Sysmon configuration by running the following command (from an elevated prompt):

sysmon -c sysmon-config.xml

  4. Monitor the Sysmon event logs or Windows Event Logs for the relevant events. You can use event log viewers like Event Viewer or PowerShell to search for events related to cmd.exe process creation, based on the event ID and other details captured by Sysmon. For example, you could use the following PowerShell command to get a list of recent process creation events for cmd.exe:

# Properties[4] is the Image field of a Sysmon Event ID 1 record (schema 4.x, where RuleName occupies index 0)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational';Id=1} | Where-Object { $_.Properties[4].Value -match 'cmd.exe' }

This will display the date, time, and other details of each cmd.exe process that was launched and captured by Sysmon. You could also customize the Sysmon configuration to capture additional information about the processes, such as their parent processes, command line arguments, or file hashes.

Note that recording cmd.exe's native commands in Sysmon or Event Logs may generate a large volume of log data, depending on the system activity and usage patterns. You should also ensure that the monitoring process and data storage comply with any relevant security policies and regulations.

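The steps in the answer above, carried through end to end as an added example (this is not code from the original answer). It writes a Sysmon rule set that records cmd.exe itself and every process cmd.exe spawns, loads it, and then reads the resulting Event ID 1 records by field name instead of by positional index. It assumes Sysmon is already installed, that sysmon.exe (or sysmon64.exe) is on PATH, that you run it from an elevated PowerShell prompt, and that the path C:\Sysmon\cmd-audit.xml and the function name Get-CmdProcessEvents are arbitrary choices for illustration. One caveat the example is built around: cmd's built-in commands (dir, cd, echo, set, ...) never create a process, so the only place they appear is cmd.exe's own command line (for example "cmd /c dir"); anything external you run from a cmd prompt shows up as a child process whose ParentImage is cmd.exe, which is why the rule matches on both Image and ParentImage.

```powershell
# Added example, not part of the original answer. Assumes Sysmon is installed,
# sysmon.exe is on PATH, and an elevated prompt. The config path is hypothetical.
$ConfigPath = 'C:\Sysmon\cmd-audit.xml'

# Match on the executable path ("end with") rather than the command line:
# "cmd /c whoami" has no "cmd.exe" in its command line. Including ParentImage
# records the external tools launched from a cmd prompt as well.
$SysmonConfig = @'
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="cmd-audit" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Image condition="end with">\cmd.exe</Image>
        <ParentImage condition="end with">\cmd.exe</ParentImage>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

New-Item -ItemType Directory -Path (Split-Path $ConfigPath) -Force | Out-Null
Set-Content -Path $ConfigPath -Value $SysmonConfig -Encoding ASCII

# Load the rules into the running Sysmon service. If Sysmon is not installed
# yet, use "sysmon.exe -accepteula -i $ConfigPath" instead.
& sysmon.exe -c $ConfigPath

function Get-CmdProcessEvents {
    param([int]$MaxEvents = 50)

    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'
        Id      = 1
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        # Parse the event XML so fields are addressed by name; the positional
        # layout of Properties[] shifted when RuleName was added and is brittle.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }

        # Keep only cmd.exe itself and its children, mirroring the Sysmon rule,
        # in case a broader configuration is loaded on this host.
        if ($data.Image -match '\\cmd\.exe$' -or $data.ParentImage -match '\\cmd\.exe$') {
            [pscustomobject]@{
                UtcTime           = $data.UtcTime
                User              = $data.User
                Image             = $data.Image
                CommandLine       = $data.CommandLine   # holds "cmd /c dir" style built-ins
                ParentImage       = $data.ParentImage
                ParentCommandLine = $data.ParentCommandLine
            }
        }
    }
}

Get-CmdProcessEvents | Format-Table -AutoSize -Wrap
```

Run it, then open a cmd prompt and execute something like `whoami` and `cmd /c dir`: the first appears as a whoami.exe record with ParentImage ending in \cmd.exe, the second as a cmd.exe record whose CommandLine carries the built-in. Commands typed interactively inside an already-running cmd.exe that never leave the shell (a bare `dir` or `cd`) produce no process and therefore no event in either Sysmon or the Security log; if you need those, you are in the territory of command-line history or a terminal-level recording, not process auditing.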
