Hi Everyone,
I was creating my own lab to learn how to configure best practices for Windows.
Then I created one Windows VM and did a scan locally (127.0.0.1) to get information like ports or something else. But unfortunately, when it triggered I couldn't see anything like the result.
Maybe I need to configure something in my Windows, or something?
What exactly are you trying to achieve and how are you doing that?
What you've shown is an event from the Windows Security event log, which is apparently an audit entry informing you that a process has been spawned on a machine. As far as I remember, it doesn't capture the command's output.
Hmm, so if one of the endpoints got hacked and someone is running a script, we cannot collect information from the output in cmd/PowerShell?
I'm not aware of any built-in mechanism that allows you to do so. Maybe some external EDR solution captures that but I can't advise any.
I'll give you karma for this; I forgot my client is using Palo Alto to detect it.
Hi @zksvc,
you have to follow the instructions at https://docs.splunk.com/Documentation/Splunk/9.3.2/Forwarding/Aboutforwardingandreceivingdata or https://docs.splunk.com/Documentation/Splunk/9.3.2/Forwarding/Aboutforwardingandreceivingdata
There are also many videos that explain this.
In a few words:
enable Splunk to receive logs,
install the Universal Forwarder on the Windows system,
install Splunk_TA_Windows on the Universal Forwarder,
enable inputs on Splunk_TA_Windows.
Ciao.
Giuseppe
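The four steps above, written out as the Splunk configuration files they correspond to. This is an added illustration, not part of Giuseppe's reply or of the Splunk_TA_Windows add-on itself; the indexer address 10.0.0.5, the receiving port 9997 and the index name wineventlog are placeholder assumptions.

```ini
# --- Step 1: on the indexer (receiver) ---
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Opens TCP 9997 for forwarders (same as Settings > Forwarding and receiving > Add new).
[splunktcp://9997]
disabled = 0

# --- Step 2: on the Windows host, after installing the Universal Forwarder ---
# $SPLUNK_HOME/etc/system/local/outputs.conf
# Tells the forwarder where to send data. 10.0.0.5 is a placeholder indexer IP.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = 10.0.0.5:9997

# --- Steps 3 and 4: on the same host, inside the Splunk_TA_Windows add-on ---
# $SPLUNK_HOME/etc/apps/Splunk_TA_Windows/local/inputs.conf
# The add-on ships with every input disabled in default/; enable the ones you
# want in local/ so upgrades do not overwrite your changes.
# Note: the Security log only contains process-creation audit entries (the event
# shown in the question) when the Windows audit policy has Process Creation
# auditing turned on; the forwarder cannot invent events that Windows never wrote.
[WinEventLog://Security]
disabled = 0
index = wineventlog
renderXml = true

[WinEventLog://System]
disabled = 0
index = wineventlog
renderXml = true

[WinEventLog://Application]
disabled = 0
index = wineventlog
renderXml = true
```

After restarting the forwarder, `index=wineventlog source="WinEventLog:Security"` on the search head confirms the events are arriving; if the index does not exist on the indexer yet, create it there first or the data is dropped.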