Command-line Auditing on Windows: Why You Need It!

Auditing Process Creations

Event ID 4688 is widely recognized on Windows operating systems as the “Process Creation” event: the Security log records one each time a new process starts, once the audit subcategory is enabled.

Enabling “Process Creation” auditing via the “Local Security Policy”

Now that process auditing is enabled on your system, it’s time to look at what sort of data it logs.

Process Creation Log with Command Line
Command line logging shows the command “vssadmin list shadows” being executed
# Pull 4688 events from the Security log. In the 4688 layout, Properties[5] is
# "New Process Name" and Properties[8] is "Process Command Line" (only populated
# when "Include command line in process creation events" is turned on).
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID      = 4688
} | Select-Object TimeCreated, @{ name = 'NewProcessName'; expression = { $_.Properties[5].Value } }, @{ name = 'CommandLine'; expression = { $_.Properties[8].Value } }
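The query above only returns a useful CommandLine column if two separate settings are in place: the "Process Creation" audit subcategory and the "Include command line in process creation events" policy. The following PowerShell is an added example, not code from the original article; it checks both settings and then turns 4688 records into objects. The Properties indexes (1 and 2 for the subject, 5 for the new process, 8 for the command line, 13 for the creator process) are those of the Windows 10 / Server 2016 and later event layout, which is an assumption about the systems you run it on.

```powershell
# Added example (not from the original article). Two settings decide whether 4688
# is worth anything: the audit subcategory itself, and the separate "Include
# command line in process creation events" policy; without the second,
# Properties[8] is empty on every event.
function Test-ProcessCreationAuditing {
    # auditpol needs an elevated prompt. /r emits CSV; drop the blank lines first.
    $csv = auditpol /get /subcategory:"Process Creation" /r |
        Where-Object { $_ -match ',' } | ConvertFrom-Csv
    $auditOn = [bool]($csv.'Inclusion Setting' -match 'Success')

    # GPO path: Computer Configuration > Administrative Templates > System >
    # Audit Process Creation > Include command line in process creation events
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    $item = Get-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' -ErrorAction SilentlyContinue
    $cmdLineOn = ($null -ne $item) -and ($item.ProcessCreationIncludeCmdLine_Enabled -eq 1)

    [PSCustomObject]@{
        ProcessCreationAudited = $auditOn
        CommandLineIncluded    = $cmdLineOn
    }
}

# Turn each 4688 record into an object with the fields an analyst actually pivots on.
# Index layout assumed: Windows 10 / Server 2016+ (older events lack the creator name).
function Get-ProcessCreationEvent {
    param([int] $MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $p = $_.Properties
            [PSCustomObject]@{
                TimeCreated    = $_.TimeCreated
                Subject        = '{0}\{1}' -f $p[2].Value, $p[1].Value
                NewProcessName = $p[5].Value
                CommandLine    = $p[8].Value
                # "Creator Process Name" was added later; guard against short property lists
                ParentProcess  = $(if ($p.Count -gt 13) { $p[13].Value })
            }
        }
}

# Usage: confirm the prerequisites, then look at the most recent events.
Test-ProcessCreationAuditing
Get-ProcessCreationEvent -MaxEvents 20 |
    Format-Table TimeCreated, ParentProcess, NewProcessName, CommandLine -Wrap
```

If `CommandLineIncluded` comes back `False`, every event will still appear but with an empty command line, which is the most common reason a 4688 hunt turns up nothing.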

Commands Mostly Abused by Attackers

Initial Investigation

Credits: JPCERT

Reconnaissance

Credits: JPCERT

Spread of Infection

Credits: JPCERT
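The three phases above are only useful if something actually matches the 4688 command lines against them. The block below is an added example, not code from the article or from JPCERT; the watch-list is constructed for this example and approximates the kind of built-in tools listed under each phase (it includes `vssadmin` and `whoami` from this article), so tune it to your own baseline. The sample records are constructed as well, so the block runs offline; the `Find-AbusedCommand` function also accepts the objects produced by the Get-WinEvent query earlier on the page.

```powershell
# Added example (not from the article or JPCERT). Watch-list is illustrative.
$AbusedCommandWatchList = @{
    'Initial Investigation' = @('tasklist', 'ver', 'ipconfig', 'systeminfo', 'net time', 'netstat', 'whoami', 'net start', 'qprocess', 'query')
    'Reconnaissance'        = @('dir', 'net view', 'ping', 'net use', 'type', 'net user', 'net localgroup', 'net group', 'net config', 'dsquery')
    'Spread of Infection'   = @('at', 'reg', 'wmic', 'wusa', 'netsh advfirewall', 'sc', 'rundll32', 'vssadmin', 'schtasks')
}

function Find-AbusedCommand {
    [CmdletBinding()]
    param(
        # Any object with TimeCreated, NewProcessName and CommandLine properties
        [Parameter(ValueFromPipeline, Mandatory)] $Record,
        [hashtable] $WatchList = $AbusedCommandWatchList
    )
    process {
        $cmd = [string]$Record.CommandLine
        foreach ($phase in $WatchList.Keys) {
            foreach ($pattern in $WatchList[$phase]) {
                # Match on the command line, not the image name: cmd.exe built-ins such
                # as dir, ver and type never appear as NewProcessName, only as arguments.
                # The pattern must start a token (line start, backslash, space or quote)
                # and end one (optional .exe, then space, quote or line end).
                $re = '(^|[\\\s"])' + [regex]::Escape($pattern) + '(\.exe)?(\s|"|$)'
                if ($cmd -match $re) {
                    [PSCustomObject]@{
                        TimeCreated    = $Record.TimeCreated
                        Phase          = $phase
                        Matched        = $pattern
                        NewProcessName = $Record.NewProcessName
                        CommandLine    = $cmd
                    }
                }
            }
        }
    }
}

# Constructed sample records standing in for parsed 4688 events.
$sample = @(
    [PSCustomObject]@{ TimeCreated = [datetime]'2022-01-10T09:12:04'; NewProcessName = 'C:\Windows\System32\vssadmin.exe'; CommandLine = 'vssadmin list shadows' }
    [PSCustomObject]@{ TimeCreated = [datetime]'2022-01-10T09:12:31'; NewProcessName = 'C:\Windows\System32\cmd.exe';      CommandLine = 'cmd.exe /c net user /domain' }
    [PSCustomObject]@{ TimeCreated = [datetime]'2022-01-10T09:13:02'; NewProcessName = 'C:\Program Files\Mozilla Firefox\firefox.exe'; CommandLine = '"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc' }
)

# Expected: the vssadmin and "net user" records are flagged, the browser launch is not.
$sample | Find-AbusedCommand | Format-Table TimeCreated, Phase, Matched, CommandLine -AutoSize
```

Because the match is on the command line rather than the image name, a `cmd.exe /c dir` or `cmd.exe /c type` is caught even though the only process created is `cmd.exe`; that is also why the command-line policy from the previous section matters more than the 4688 event itself.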

Restricting Execution of Blacklisted Commands

AppLocker Configuration

Applying a path-based rule to ‘whoami.exe’
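The screenshot above shows the rule being built in the GUI. The following block is an added example, not the article's own configuration, that expresses the same path-based Deny rule for whoami.exe as AppLocker policy XML, dry-runs it with `Test-AppLockerPolicy`, and only then (commented out) applies it. The rule names and description are made up for the example; the SIDs are the well-known Everyone (S-1-1-0) and Administrators (S-1-5-32-544) SIDs, and the GUIDs are generated when the block runs.

```powershell
# Added example (not the article's own configuration).
# An enforced Exe collection that contains only a Deny rule blocks every other
# executable too, so the three default AppLocker allow rules are kept alongside it.
# Deny takes precedence over Allow, so the whoami rule overrides the %WINDIR% rule.
function New-DenyWhoamiPolicyXml {
    $allowPF  = [guid]::NewGuid()
    $allowWin = [guid]::NewGuid()
    $allowAdm = [guid]::NewGuid()
    $deny     = [guid]::NewGuid()
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$allowPF" Name="(Default) All files in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$allowWin" Name="(Default) All files in Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$allowAdm" Name="(Default) Administrators: all files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$deny" Name="Deny whoami.exe" Description="Blacklisted reconnaissance command" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\whoami.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

$policyPath = Join-Path $env:TEMP 'deny-whoami.xml'
New-DenyWhoamiPolicyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry run: what would this policy decide for these two files, for Everyone?
# Expected: whoami.exe -> Denied (matching the Deny rule), notepad.exe -> Allowed.
Test-AppLockerPolicy -XmlPolicy $policyPath `
    -Path "$env:SystemRoot\System32\whoami.exe", "$env:SystemRoot\System32\notepad.exe" `
    -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally once the dry run looks right. Enforcement needs the Application
# Identity service running; -Merge keeps any rules already in the local policy.
# Start-Service AppIDSvc
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

A path rule only describes a location, so it covers whoami.exe where Windows installs it and nothing else; if you want the restriction tied to the binary rather than to its path, build the same Deny as a publisher rule (signed by Microsoft Windows, file name whoami.exe) instead. Either way, keep the 4688 query from earlier in place: a blocked execution still leaves an AppLocker event, and a matching 4688 record tells you who tried.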

Conclusion


Hi, I’m Syed. Explore my articles as I embark on this journey of learning more about Forensics, Threat Hunting, and Cyber-threat Intelligence.
