When using the Windows command prompt & executing a cmd.exe built-in command such as copy, del, echo, start, etc., the respective command line string executed does not populate in Sysmon Event ID 1 - Process Creation. The Sysmon event only outlines the cmd.exe image & the Command Line value is simply cmd, rather than copy foo bar.

My theory is that, when opening a cmd prompt, only the cmd.exe process is executed & further triggers an event for Sysmon Event ID 1 - Process Creation, however, since the following commands that I execute are cmd.exe built-in commands (like the ones mentioned above), there is no actual new process created, meaning no new Sysmon Event ID 1 is created, & therefore the command line value is not captured.

If I run other Windows programs such as regedit.exe in the same command prompt, I will trigger a new Sysmon Event ID 1 - Process Creation event that contains the command line string executed, for example regedit foo bar.

To further test this theory, I have enabled Windows Security Event Log - 4688, the equivalent of Sysmon Event ID 1 - Process Creation, to identify whether my Sysmon configuration is the culprit.

Reviewing Windows Security Event Log - 4688 entries on my endpoint, after testing my problem again, I've identified the same behavior: the command line string value in the Windows Event Log is also blank. Only the entry from the cmd.exe spawned process appears, though no subsequent built-in cmd commands executed are logged. However, as previously mentioned, if I execute a different Windows program, like regedit mentioned above, the activity will be captured as a new 4688 event with the respective command string executed.

Does anyone have any solutions to this problem? I am trying to capture, in my logs (Sysmon or Windows Security Event Log), cmd prompt activity, specifically cmd.exe built-in commands.

cmd.exe built-in commands: https://renenyffenegger.ch/notes/Windows/dirs/Windows/System32/cmd_exe/commands/index

1 Answer

I think what you need is Audit Process Creation and command line process auditing. You might be able to audit everything you want to.

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-creation

See example:

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing

Gabor Szelei
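An added example (not from the question or the answer above) that turns on the two settings the answer links to and then shows, with a constructed marker string, which of a built-in and an external command actually produce a 4688 event. It assumes an elevated PowerShell session and that the `ProcessCreationIncludeCmdLine_Enabled` registry value and the "Process Creation" auditpol subcategory are the ones described in the Microsoft documentation linked above; `Get-MarkedProcessEvents` is a helper name chosen here.

```powershell
# Added example: enable 4688 with command-line capture, then observe what is logged.
# Run from an elevated PowerShell prompt (auditpol and the HKLM key require admin).

# 1. Enable the "Process Creation" audit subcategory (the source of event 4688).
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

# 2. Include the full command line in 4688 (equivalent to the GPO
#    "Include command line in process creation events").
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Collect 4688 events since $Since whose CommandLine contains $Marker.
function Get-MarkedProcessEvents {
    param([datetime]$Since, [string]$Marker)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # 4688 fields live in EventData; pull them out by their Name attribute.
        $fields = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        if ($fields.CommandLine -like "*$Marker*") {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Image       = $fields.NewProcessName
                CommandLine = $fields.CommandLine
            }
        }
    }
}

# 4. Run one built-in (echo) and one external program (where.exe) from a fresh cmd.exe.
#    The marker is a constructed value so the events are easy to find afterwards.
$marker = "cmdaudit-$(Get-Random)"
$since  = Get-Date
cmd.exe /c "echo $marker & where.exe $marker >nul 2>&1"
Start-Sleep -Seconds 2

# Expected: two rows, cmd.exe (whose own command line carries the echo because it was
# passed via /c) and where.exe. There is no separate event for echo: a built-in never
# creates a process, so an echo typed interactively at the prompt leaves no 4688 at all.
Get-MarkedProcessEvents -Since $since -Marker $marker | Format-Table -AutoSize -Wrap
```

The same parsing loop works against Sysmon Event ID 1 (log `Microsoft-Windows-Sysmon/Operational`, field names `Image` and `CommandLine`), with the same result for built-ins.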