Detect built-in cmd commands #33
Comments
Sadly it cannot. That would be possible if it were implemented as a transcript feature inside of cmd.exe, similar to what PS has.
If I run these commands from PS, would Sysmon detect them?
Unless they are part of the start of the process as a command-line parameter, it cannot. In the case of PS you would need to configure transcription via the registry or GPO. Collection would be having the transcripts sent to a share.
I have enabled script block logging, and even if I execute echo from PS (without it being part of a command-line parameter), Windows event logging captures it under event ID 4104. Can't Sysmon detect this?
Scriptblock logging is not the same as transcript. https://4sysops.com/archives/powershell-transcript-record-a-session-to-a-text-file/
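The replies above say Sysmon only sees a built-in when it is passed as a command-line parameter at process start. As an added example (not part of the thread or the project's own code), this sketch checks the `Image` and `CommandLine` fields of Sysmon process-creation events (Event ID 1) for that case; the event records and the list of built-ins are constructed for illustration.

```python
import ntpath
import re

# Non-exhaustive set of commands implemented inside cmd.exe itself
# (they never spawn a child process, so they get no event of their own).
CMD_BUILTINS = {"echo", "mkdir", "md", "del", "erase", "rmdir", "rd",
                "copy", "move", "ren", "rename", "type", "dir", "set", "cd"}

SWITCH = re.compile(r"\s/[ck]\s*(.*)$", re.IGNORECASE)   # cmd /c or /k <command>
SEPARATORS = re.compile(r"&&|\|\||&|\|")                 # cmd command chaining
FIRST_WORD = re.compile(r"[@(\s]*([a-z]+)(?!\w)", re.IGNORECASE)

def builtins_on_command_line(image, command_line):
    """Return cmd built-ins visible in one process-creation event."""
    if ntpath.basename(image).lower() != "cmd.exe":
        return []
    match = SWITCH.search(command_line)
    if not match:
        # Interactive shell: anything typed later is invisible to Sysmon.
        return []
    rest = match.group(1).strip().strip('"')
    found = []
    for segment in SEPARATORS.split(rest):
        word = FIRST_WORD.match(segment)
        if word and word.group(1).lower() in CMD_BUILTINS:
            found.append(word.group(1).lower())
    return found

# Constructed sample events (field names as in Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo test > C:\Temp\a.txt & del C:\Temp\b.txt"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /C "mkdir C:\Temp\x && whoami"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]

def triage(events):
    """Pair each event's command line with the built-ins found in it."""
    return [(e["CommandLine"], builtins_on_command_line(e["Image"], e["CommandLine"]))
            for e in events]

if __name__ == "__main__":
    for command_line, hits in triage(SAMPLE_EVENTS):
        print(f"{hits or 'nothing visible'}: {command_line}")
```

The second and fourth sample events return nothing: an interactive cmd.exe or PowerShell session carries no built-ins on its command line, which is the gap the thread describes.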
How can Sysmon detect execution of built-in cmd commands such as echo, mkdir, del, etc.?