Meow~!
How to monitor privileged commands in Windows?
For example, in Linux I can do it with auditd, but what about Windows?
Windows has an auditing framework, but it's very different to Linux. The fact that it is easier to do more damage with a mouse than with the command line is just one of the issues with recording "commands".
With that said, the framework is extremely flexible, if sometimes a little verbose.
Many users find configuring the Windows audit policy to catch all the relevant events, and using the Splunk forwarder to filter out the "noise" with blacklists and whitelists, to be the most flexible approach.
Take a look here for an overview of the how-to and recommended basic audit policies.
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-po...
Check out the docs for inputs.conf on black/whitelisting.
There are a couple of things that need to be done to audit commands given in a CLI on Windows:
One, follow the below instructions to add command line auditing to process execution:
We are looking to satisfy the narratives for AU-3(1) and AU-6(8) which specifically talk about capturing full-text of privileged commands. Linux is easy, monitor each user’s .history file.
Windows is a little more annoying:
Now to address what happens if a user uses PowerShell instead of Windows CMD.
See the following Articles:
How to Use PowerShell Transcription Logs in Splunk - Hurricane Labs
Solved: How to monitor Powershell Command Line history? - Splunk Community
Once you have the data you can search for EventID 4688 for all objects run using administrator accounts and grab the command line information.
PowerShell is a slightly different beast still, but looking through the data you will find ways to identify Get commands and Set commands.
Karma is appreciated if this helps
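The steps in this answer, put together as an added PowerShell example (not the poster's own script): turn on Process Creation auditing with the command line included in 4688, enable PowerShell transcription, and then pull the 4688 events that ran under a full (elevated) token. The transcript directory `C:\Transcripts` and the one-day lookback are assumptions; run it from an elevated prompt.

```powershell
# Added example, not from the thread. Run as Administrator.

# 1. Audit process creation (success) so 4688 events are written at all.
auditpol /set /subcategory:"Process Creation" /success:enable

# 2. Include the full command line in 4688 (the GPO setting
#    "Include command line in process creation events" maps to this value).
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# 3. PowerShell transcription: full text of every interactive PowerShell session,
#    written to a directory the Splunk forwarder can monitor.
$tKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
New-Item -Path $tKey -Force | Out-Null
Set-ItemProperty -Path $tKey -Name EnableTranscripting    -Value 1 -Type DWord
Set-ItemProperty -Path $tKey -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path $tKey -Name OutputDirectory -Value 'C:\Transcripts' -Type String  # assumed path

# 4. Privileged process creations from the last day, with the captured command line.
#    TokenElevationType %%1936 = full token without UAC split (built-in admin, services),
#    %%1937 = full token elevated through UAC; %%1938 is a limited (non-admin) token.
$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.TokenElevationType -in '%%1936', '%%1937') {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process     = $d.NewProcessName
            Parent      = $d.ParentProcessName
            Elevation   = $d.TokenElevationType
            CommandLine = $d.CommandLine   # empty until step 2 is in effect
        }
    }
} | Format-Table -AutoSize -Wrap
```

Until step 2 is applied, CommandLine in existing 4688 events stays empty; only processes created after the setting takes effect carry it.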
I do not believe this is an applicable "answer". The question looks like it's in reference to NIST control number AU-6(8), which requires auditing of COMMANDS (as in typed commands in the command prompt or PowerShell). The link this answer provides is the general auditing of EVENTS that can be turned on/off via group policy. What we are looking for is the ability to audit actual command line actions being entered. I heard a rumor of this being a registry setting that can be changed to add commands to Windows auditing, but I haven't been able to find specifics.
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
How about this? There is a PDF, but I forget where it is.