Getting Data In

How to monitor privileged commands in Windows?

test_qweqwe
Builder

Meow~!
How to monitor privileged commands in Windows?
For example, in Linux I can by AuditD but what about Windows?
alt text

Labels (1)
0 Karma
1 Solution

nickhills
Ultra Champion

Windows has an auditing framework, but it’s verry different to Linux. The fact that it easier to do more damage with a mouse rather than the command line, is just one of the issues with recording “commands”

With that said, the framework is extremely flexible, if sometimes a little verbose.

Many users find that configuring the windows audit policy to catch all the relevant events, and using the Splunk forwarder to filter out the “noise” with black and white lists the most flexible approach.

Take a look here for an overview of howto and recommended basic audit policies.
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-po...

Check out the docs for inputs.conf on black/whitelisting.

If my comment helps, please give it a thumbs up!

View solution in original post

Funderburg78
Path Finder

There are a couple things that need to be performed to Audit Command given in a CLI for Windows:

one, follow the below instructions to add Command Line auditing to process execution:

We are looking to satisfy the narratives for AU-3(1) and AU-6(8) which specifically talk about capturing full-text of privileged commands. Linux is easy, monitor each user’s .history file.

Windows is a little more annoying:

https://docs.microsoft.com/en-us/powershell/scripting/windows-powershell/wmf/whats-new/script-loggin...

https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-windows-comm...

Now to address what if a user uses Powershell instead of widows CMD.  

See the following Articles:

How to Use PowerShell Transcription Logs in Splunk - Hurricane Labs

Solved: How to monitor Powershell Command Line history? - Splunk Community

Once you have the data you can search for EventID 4688 for all objects run using administrator Accounts and grab the command line information.  

PowerShell is a slightly different beast still but Looking through the data you will find ways to identify Get Commands and Set commands.

 

Karma is appreciated if this helps

0 Karma

nickhills
Ultra Champion

Windows has an auditing framework, but it’s verry different to Linux. The fact that it easier to do more damage with a mouse rather than the command line, is just one of the issues with recording “commands”

With that said, the framework is extremely flexible, if sometimes a little verbose.

Many users find that configuring the windows audit policy to catch all the relevant events, and using the Splunk forwarder to filter out the “noise” with black and white lists the most flexible approach.

Take a look here for an overview of howto and recommended basic audit policies.
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-po...

Check out the docs for inputs.conf on black/whitelisting.

If my comment helps, please give it a thumbs up!

durzoblint
New Member

I do not believe this is an applicable "answer". The question looks like it's in reference to NIST control number UA-6(8) which requires auditing of COMMANDS (as in typed commands in command prompt or power shell). The link this answer provides is the general auditing of EVENTS that can be turned on/off via group policy. What we are looking for the the ability to audit actual command line actions being entered. I heard rumor of this being a registry setting that can be changed to add commands to windows auditing. But haven't been able to find specifics

0 Karma

to4kawa
Ultra Champion

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

how about this? there
is a pdf, but I forget where it is.

0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...

Reminder! Splunk Love Promo: $25 Visa Gift Card for Your Honest SOAR Review With ...

We recently launched our first Splunk Love Special, and it's gone phenomenally well, so we're doing it again, ...