Getting Data In

How to monitor privileged commands in Windows?

test_qweqwe
Builder

Meow~!
How to monitor privileged commands in Windows?
For example, in Linux I can do this with AuditD, but what about Windows?

0 Karma
1 Solution

nickhills
Ultra Champion

Windows has an auditing framework, but it’s very different to Linux. The fact that it is easier to do more damage with a mouse than with the command line is just one of the issues with recording “commands”.

With that said, the framework is extremely flexible, if sometimes a little verbose.

Many users find that configuring the Windows audit policy to catch all the relevant events, and using the Splunk forwarder to filter out the “noise” with black and white lists, is the most flexible approach.

Take a look here for an overview of how to do it and recommended basic audit policies.
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-po...

Check out the docs for inputs.conf on black/whitelisting.

If my comment helps, please give it a thumbs up!


Funderburg78
Path Finder

There are a couple of things that need to be done to audit commands given in a CLI for Windows:

One, follow the instructions below to add command-line auditing to process execution:

We are looking to satisfy the narratives for AU-3(1) and AU-6(8), which specifically talk about capturing the full text of privileged commands. Linux is easy: monitor each user’s .history file.

Windows is a little more annoying:

https://docs.microsoft.com/en-us/powershell/scripting/windows-powershell/wmf/whats-new/script-loggin...

https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-windows-comm...

Now to address what happens if a user uses PowerShell instead of Windows CMD.

See the following Articles:

How to Use PowerShell Transcription Logs in Splunk - Hurricane Labs

Solved: How to monitor Powershell Command Line history? - Splunk Community

Once you have the data, you can search for EventID 4688 for all objects run using administrator accounts and grab the command-line information.

PowerShell is a slightly different beast still, but looking through the data you will find ways to identify Get commands and Set commands.

Karma is appreciated if this helps

0 Karma
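As an added example (not part of any post in this thread), the Windows-side configuration the steps above describe, run from an elevated PowerShell prompt, followed by a check that pulls the command lines of processes started with a full administrator token from the 4688 events. The transcript output directory C:\PSTranscripts is an assumed value; the registry paths and value names are the documented policy-backed settings.

```powershell
# Added example, not from the original thread. Run as Administrator.

# 1. Audit process creation (Success) so Event ID 4688 is written.
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null

# 2. Include the full command line in 4688 (the setting from the
#    Microsoft advisory linked above).
$audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $audit -Force | Out-Null
Set-ItemProperty -Path $audit -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# 3. PowerShell script block logging (Event ID 4104 in
#    Microsoft-Windows-PowerShell/Operational) and transcription.
$ps = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$ps\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$ps\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
New-Item -Path "$ps\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$ps\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
# Assumed directory; lock its ACL down so users cannot edit their own transcripts.
Set-ItemProperty -Path "$ps\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts' -Type String

# 4. Verify: 4688 events from the last hour, parsed from the event XML,
#    showing who ran what under an elevated token.
#    %%1937 = full admin token (UAC-elevated). %%1936 (default) is also a full
#    token when UAC is off or for services/built-in Administrator, so widen
#    the filter to both if those accounts are in scope.
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Elevation   = $d.TokenElevationType
            CommandLine = $d.CommandLine
        }
    } |
    Where-Object { $_.Elevation -eq '%%1937' -and $_.CommandLine } |
    Format-Table -AutoSize
```

On the forwarder, the WinEventLog://Security stanza in inputs.conf can then whitelist EventCode 4688 (and the PowerShell/Operational log's 4104) so only these events are indexed, which is the black/whitelist approach the accepted answer refers to.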

durzoblint
New Member

I do not believe this is an applicable "answer". The question looks like it's in reference to NIST control number UA-6(8), which requires auditing of COMMANDS (as in typed commands in the command prompt or PowerShell). The link this answer provides is for the general auditing of EVENTS that can be turned on/off via Group Policy. What we are looking for is the ability to audit actual command-line actions being entered. I heard a rumor of this being a registry setting that can be changed to add commands to Windows auditing, but I haven't been able to find specifics.

0 Karma

to4kawa
Ultra Champion

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

How about this? There is a PDF, but I forget where it is.

0 Karma