I recently shared a command on Twitter and asked folks if they thought this was something fishy. I want to take this opportunity to walk you through the steps that a threat hunter takes in day-to-day operations. This includes formulating a hypothesis, developing a query, and conducting an investigation.
Below is the poll I shared on Twitter, along with the final results, which show that the majority of respondents thought this activity was malicious.
The command:

"cmd.exe" /d /c "C:\Users\<user>\AppData\Roaming\cmk.exe /d /c whoami"
In the comments, most people shared that the command and the surrounding context could be malicious and warranted a closer look. Although I wrote up a detailed response highlighting the steps I took to investigate this, I decided to document everything through a blog post so everyone could use it as a reference, as not everyone has a Twitter account.
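To make the "developing a query" step concrete, here is an added example (not code from the original post) of the hypothesis turned into hunt logic: flag any account-discovery process whose parent chain includes an executable launched from a user-writable AppData path, as in the cmk.exe chain above. The event records, field names and the seed list of recon images are constructed assumptions for the example.

```python
import re
from collections import namedtuple

# Constructed sample process-creation events (Sysmon-style fields), not data
# from the original post. The second chain (cmd.exe -> whoami) is benign.
SAMPLE_EVENTS = [
    {"pid": 1001, "ppid": 500, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"cmd.exe" /d /c "C:\Users\alice\AppData\Roaming\cmk.exe /d /c whoami"'},
    {"pid": 1002, "ppid": 1001, "image": r"C:\Users\alice\AppData\Roaming\cmk.exe",
     "cmdline": r'C:\Users\alice\AppData\Roaming\cmk.exe /d /c whoami'},
    {"pid": 1003, "ppid": 1002, "image": r"C:\Windows\System32\whoami.exe",
     "cmdline": "whoami"},
    {"pid": 2001, "ppid": 600, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"cmd.exe" /c whoami'},
    {"pid": 2002, "ppid": 2001, "image": r"C:\Windows\System32\whoami.exe",
     "cmdline": "whoami"},
]

# Hypothesis: an executable living in a user-writable profile directory
# should not be spawning account-discovery commands.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
RECON_IMAGES = {"whoami.exe"}  # assumed seed list; extend for your environment

Finding = namedtuple("Finding", "recon_pid suspicious_ancestor chain")


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return one Finding per recon process whose ancestry includes an
    executable launched from a user-writable AppData path."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) not in RECON_IMAGES:
            continue
        chain, cur, seen = [basename(e["image"])], e, set()
        # Walk up the parent chain; 'seen' guards against pid reuse loops.
        while cur["ppid"] in by_pid and cur["ppid"] not in seen:
            seen.add(cur["pid"])
            cur = by_pid[cur["ppid"]]
            chain.append(basename(cur["image"]))
            if USER_WRITABLE.search(cur["image"]):
                findings.append(Finding(e["pid"], cur["image"], " <- ".join(chain)))
                break
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"pid {f.recon_pid}: {f.chain}  (ancestor: {f.suspicious_ancestor})")
```

The benign cmd.exe -> whoami chain is not reported, which is what keeps a query like this from drowning in noise from administrators running the same command by hand.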