This will dump the cmd.exe history to the file cmd.log every time the user closes the session with "exit" (but not by closing the windows!) doskey exit=doskey /h $g$g "%USERPROFILE%\cmd.log"$t exit $* %windir%\system32\cmd.exe /k c:\scripts\cmdhist.bat To achieve this, cmd.exe can be executed from a shortcut like this: The first idea is to re-use the doskey command and create macro that will dump the commands when the user exits cmd.exe. How to get an "real time" history of the commands? This plugin scans for CONSOLE_INFORMATION and prints the entire screen buffer (including input and output - the type commands and results). But to use volatility, we need to make a copy of the target system image, this can be slow, difficult to perform. OriginalTitle: %SystemRoot%\system32\cmd.exeĪttachedProcess: cmd.exe Pid: 7308 Handle: 0圆cĬommandHistory: 0x39eab0 Application: cmd.exe Flags: Allocated, ResetĬommandCount: 42 LastAdded: 41 LastDisplayed: 41 HistoryBufferCount: 1 HistoryBufferMax: 4 Hopefully, volatility has a module which helps to extract this kind of information from a memory image: Nothing! After some Google searches, I found a paper written in 2010 which explains how command history is managed into the computer memory. The command doskey (this will maybe remind the good old times of MS-DOS to some of you) is still available and can be used to display the current history in the current cmd.exe:īut how to get the history? My first idea was to check into the process memory:Ĭ:\> procdump.exe -accepteula -ma cmd.exe cmd.dumpĪnd then search for interesting strings. When the process is running, it is possible to use the in-memory history to scroll across the previously executed commands but this is not persistent. In fact, the memory analysis is covered in the training FOR508. To make thinks clear, the good old cmd.exe does not provide any logging facilities at all. The training was great and covered many ways to collect artifact in a Microsoft Windows environment but there was nothing about the Windows command line ("cmd.exe" or "powershell.exe") which are common tools used by attackers or insiders. reg file to your desktop or even better than your save this file to your (bestfriend) pendrive.įrom now you have an universal and standard configuration and you do not need to do anything else on a computer only double click on this registry key.ĭo not forget restart your (windows) machine.A few weeks ago, I wrote a diary about forensics and the bash UNIX shell and last week, I attended the training FOR408 ("Windows Forensics Analysis") in Amsterdam. Press a right click on this specific key: HKEY_CURRENT_USER\Console and choose Export… option. HKEY_CURRENT_USER\Console\Windows PowerShell If you use the (Windows 7 and Windows 2008) Quick Search textarea (Run is default disabled on Windows 7) and you type cmd or powershell you are going to get a shourtcut which is not using your pre-configurded settings.īecause of this I recommend to configure your prompts all the possible way and than export the Console key. Of course you are going to get the correctly pre-configured prompts (in both cases) Try this: Start Menu -> Run -> cmd.exe Or Start Menu -> Run -> powershell.exe In this case you are going to find a different entry in the registry. If you click a right on this you will have opportunity to configure the prompt directly. Namely after the first use for instance of the command prompt or powershell prompt you are giong to get a shortcut icon in your start menu. Unfortunatelly this configuration procedure totally can be owerwritten by a shourtcut icon. HKEY_CURRENT_USER\Console\%SystemRoot%_system32_WindowsPowerShell_v1.0_powershell.exe HKEY_CURRENT_USER\Console\%SystemRoot%_System32_cmd.exe Open the Prompt %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe Open the Prompt: %SystemRoot%\Windows\System32\cmd.exeĬonfigure your Prompt (see the attached picture) The good news is that there is a solution (fortunately there is always a solution). I know this is not a big effort but I even do not want to sacrifice this so little time to configure it. I do not know who does or who does not do but I am always changing the look of my command prompt and powershell prompt.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |