
How to monitor privileged commands in Windows?

Builder

Meow~!
How to monitor privileged commands in Windows?
For example, in Linux I can do it with AuditD, but what about Windows?


Ultra Champion

Windows has an auditing framework, but it's very different to Linux. The fact that it is easier to do more damage with a mouse than with the command line is just one of the issues with recording "commands".

With that said, the framework is extremely flexible, if sometimes a little verbose.

Many users find that configuring the Windows audit policy to catch all the relevant events, and using the Splunk forwarder to filter out the "noise" with blacklists and whitelists, is the most flexible approach.

Take a look here for an overview of how to do this and the recommended basic audit policies:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-po...

Check out the docs for inputs.conf on blacklisting/whitelisting.


New Member

I do not believe this is an applicable "answer". The question looks like it's in reference to NIST control number UA-6(8), which requires auditing of COMMANDS (as in typed commands in the command prompt or PowerShell). The link this answer provides is the general auditing of EVENTS that can be turned on/off via group policy. What we are looking for is the ability to audit actual command line actions being entered. I heard a rumor of this being a registry setting that can be changed to add commands to Windows auditing, but I haven't been able to find specifics.

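The two pieces the accepted answer and the comment above are pointing at (an audit policy that records process creation, and a registry value that makes Windows include the command line in those events) fit in one script. The following PowerShell is an added example written for this thread; it is not code from the original posts or from Splunk. It assumes an elevated shell on the monitored host; the subcategory name, the registry path and the value name are the ones documented by Microsoft for the "Include command line in process creation events" setting, and the `%%1937` token elevation type marks processes started with a full (elevated) token. Every other name in it is the author's own choice.

```powershell
# Added example for this thread (not from the original posts or from Splunk docs).
# Run from an elevated PowerShell prompt on the host you want to audit.

# 1. Audit policy: log every process creation as Security event 4688.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable

# 2. Registry: by default 4688 omits the command line; this documented value adds it.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Verify locally before shipping to Splunk: read recent 4688 events, flatten the
#    EventData fields, and keep only processes started with an elevated token.
function Get-ElevatedProcessCreations {
    param([int]$MaxEvents = 200, [int]$Show = 10)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Elevation   = $data.TokenElevationType   # %%1937 = full (elevated) token
                NewProcess  = $data.NewProcessName
                CommandLine = $data.CommandLine          # empty until step 2 takes effect
            }
        } |
        Where-Object { $_.Elevation -eq '%%1937' } |
        Select-Object -First $Show
}

Get-ElevatedProcessCreations | Format-Table -AutoSize
```

On the forwarder side, the stanza the accepted answer alludes to is `[WinEventLog://Security]` in inputs.conf with `whitelist = 4688`, optionally followed by a `blacklist1 = EventCode=%^4688$% Message=%<noisy process>%` line to drop known-benign processes, so that only the process-creation events reach the indexer. Note that 4688 records each new process and its command line, not an interactive PowerShell session's history; for that, script block logging is the relevant setting, which this example does not cover.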

SplunkTrust

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

How about this? There is a PDF, but I forget where it is.
