New command: `stack-cmdlines` #94

YamatoSecurity · 2024-02-09T23:01:50Z

stack-cmdlines: stack executed command lines

This command basically does this:

cat ../hayabusa/sample.jsonl|jq 'select(.EventID==1 or .EventID==4688) | .Details.Cmdline' -r | sort | uniq -c | sort -rn
1352 n/a
 652 "C:\Windows\system32\SearchFilterHost.exe" 0 520 524 532 65536 528"
 576 "C:\Program Files\Windows Media Player\wmpnscfg.exe"
 548 \??\C:\Windows\system32\conhost.exe 0xffffffff
 540 "C:\Windows\system32\cscript.exe" /nologo "MonitorKnowledgeDiscovery.vbs"
 492
 428 \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
 406 C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
 340 "C:\Windows\system32\more.com"
 318 "C:\Windows\system32\SearchFilterHost.exe" 0 516 520 528 65536 524"
...

default output to stdout can be same as above with an option to save to a CSV file.
Also should include 2 options to filter out either Sysmon 1 logs (--ignoreSysmon) or Security 4688 logs (--ignoreSecurity).

The text was updated successfully, but these errors were encountered:

YamatoSecurity added the enhancement New feature or request label Feb 9, 2024

YamatoSecurity added this to the v2.4.0 milestone Feb 9, 2024

YamatoSecurity assigned fukusuket Feb 9, 2024

fukusuket mentioned this issue Feb 11, 2024

feat: add stack-cmdlines #105

Merged

YamatoSecurity closed this as completed in #105 Feb 11, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

New command: `stack-cmdlines` #94

New command: `stack-cmdlines` #94

YamatoSecurity commented Feb 9, 2024

New command: stack-cmdlines #94

New command: stack-cmdlines #94

Comments

YamatoSecurity commented Feb 9, 2024

New command: `stack-cmdlines` #94

New command: `stack-cmdlines` #94