Version: 3.2

Masking

To pass a backslash in an argument of a Smart Monitor Language (hereinafter SML) command, escape it by writing a double backslash (\\) in the search query.

source sysmon_operational
| search command_line="C:\\Windows\\cmd.exe dir /s c:\\ProgramFiles >> files.txt"

Warning

To search by exact match, the field must be of type keyword. If the field is of type text, which is the default when data is indexed, you must explicitly specify the keyword type in the search by appending .keyword to the field name, as in the following query.

source sysmon_operational
| search command_line.keyword="C:\\Windows\\cmd.exe dir /s c:\\ProgramFiles >> files.txt"
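The following is an added example and is not part of the SML documentation or the Smart Monitor product. It builds the two queries above from the literal command line, so that a detection author who copies a path out of a Sysmon event gets the escaping and the .keyword suffix right, and it includes a small lint that flags any backslash that was pasted without escaping. It assumes only what this page states: a backslash in a double-quoted SML argument is escaped by doubling it, and exact match uses the field's .keyword sub-field; the function names and the lint are this example's own.

```python
import re

# Added example, not SML's own code. Assumption from the page: the only
# escape inside a double-quoted SML argument is doubling a backslash, and
# exact match on a text field goes through its `.keyword` sub-field.


def escape_sml_backslashes(value: str) -> str:
    """Double every backslash so the literal survives SML argument parsing."""
    return value.replace("\\", "\\\\")


def unescape_sml_backslashes(escaped: str) -> str:
    """Inverse of escape_sml_backslashes, used to verify the round trip."""
    return escaped.replace("\\\\", "\\")


def build_search_query(source: str, field: str, value: str, exact: bool = True) -> str:
    """Return a two-line SML query: `source <index>` piped into `search`.

    With exact=True the `.keyword` sub-field is addressed, which the page
    says is required for exact matching on fields indexed as text.
    """
    if exact and not field.endswith(".keyword"):
        field = f"{field}.keyword"
    return f'source {source}\n| search {field}="{escape_sml_backslashes(value)}"'


def find_unescaped_backslashes(query: str) -> list[int]:
    """Offsets of backslash runs of odd length, i.e. not fully doubled.

    Useful as a lint over saved queries: any hit means a Windows path was
    pasted without escaping and the search will not match as intended.
    """
    return [m.start() for m in re.finditer(r"(?<!\\)(?:\\\\)*\\(?!\\)", query)]


# Constructed sample: the command line used on this page, as the literal
# value copied from a Sysmon event before any escaping.
COMMAND_LINE = r"C:\Windows\cmd.exe dir /s c:\ProgramFiles >> files.txt"

EXACT_QUERY = build_search_query("sysmon_operational", "command_line", COMMAND_LINE)
TEXT_FIELD_QUERY = build_search_query(
    "sysmon_operational", "command_line", COMMAND_LINE, exact=False
)

if __name__ == "__main__":
    print(EXACT_QUERY)
    print("unescaped backslashes in exact query:", find_unescaped_backslashes(EXACT_QUERY))
    print("unescaped backslashes in raw value:", find_unescaped_backslashes(COMMAND_LINE))
```

Running the module prints the exact-match query from this page; the lint reports no offsets for the built query and three for the raw command line, which is the mistake the page warns about.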

For more information about field types, see the field types article.