Analysing an Emotet Downloader with CMD Watcher and CyberChef
Here I showcase how you can use an awesome tool from Kahu Security called CMD Watcher, which watches for cmd.exe being invoked, suspends the process, extracts its command line and then kills the process.
I show you how to use this tool to help analyse a malicious .doc file which is designed to download Emotet malware. The macros invoke cmd.exe, which in turn invokes PowerShell, and CMD Watcher makes it super easy to grab that command line without further infection, giving you time to perform additional analysis.
This is a great tool to have in your arsenal as a malware analyst. Many thanks to @campuscodi for sharing and to Kahu Security for developing it.
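An added example (not code from the video or from the linked Python script or CyberChef recipe): once CMD Watcher has captured the command line, this snippet strips cmd.exe caret escapes, pulls out the PowerShell -EncodedCommand blob, decodes it as base64 over UTF-16LE and lists the URLs it contains. The sample command line is constructed with inert placeholder example.com URLs; the function names are mine.

```python
import base64
import re

# PowerShell accepts abbreviations of -EncodedCommand; match them case-insensitively.
ENC_FLAG = re.compile(r"^-(e|ec|en|enc|encodedcommand)$", re.IGNORECASE)
# Stop at quotes, commas, brackets and semicolons so a comma-separated URL list splits cleanly.
URL_RE = re.compile(r"https?://[^\s'\"(),;]+", re.IGNORECASE)


def extract_encoded_blob(cmdline):
    """Return the base64 blob following a -EncodedCommand flag, or None if absent."""
    # '^' is cmd.exe's escape character and is often sprinkled through the wrapper
    # to break simple string matching; cmd.exe drops it, so we do the same.
    cleaned = cmdline.replace("^", "").replace('"', " ")
    tokens = cleaned.split()
    for i, tok in enumerate(tokens[:-1]):
        if ENC_FLAG.match(tok):
            return tokens[i + 1]
    return None


def decode_powershell(blob):
    """-EncodedCommand is base64 over UTF-16LE text, not UTF-8."""
    padded = blob + "=" * (-len(blob) % 4)  # tolerate stripped padding
    return base64.b64decode(padded).decode("utf-16-le")


def analyse(cmdline):
    """Decode the captured command line; return the script and any URLs, or None."""
    blob = extract_encoded_blob(cmdline)
    if blob is None:
        return None
    script = decode_powershell(blob)
    return {"script": script, "urls": URL_RE.findall(script)}


# Constructed sample: an inert script with placeholder URLs, wrapped the way the
# macro would hand it to cmd.exe (caret-escaped 'powershell', -enc blob).
SAMPLE_SCRIPT = (
    "$u='http://example.com/a,http://example.net/b'.Split(',');"
    "foreach($x in $u){Write-Output $x}"
)
SAMPLE_BLOB = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_CMDLINE = f'cmd /c "p^o^w^e^r^s^h^e^l^l -NoP -W Hidden -enc {SAMPLE_BLOB}"'

if __name__ == "__main__":
    result = analyse(SAMPLE_CMDLINE)
    print(result["script"])
    print("URLs:", result["urls"])
```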
Key Links:
https://twitter.com/campuscodi/status...
http://www.kahusecurity.com/tools.html
Python Script:
https://pastebin.com/W2vqY0uq
CyberChef Recipe:
https://gchq.github.io/CyberChef/#rec...