Once you are sure that this is the right course of action for your system, enabling command line auditing is very straightforward. A full write up on TechNet can be found here.” The other problem is that by turning on command line auditing, anyone that can read security events could read the contents, and potentially read something sensitive. If you have tools such as ArcSight, Splunk, OMS, or SCOM collecting these events, you’d be wise to do this incrementally to ensure that you aren’t overloading these tools, and I’d add that if you don’t have a plan in place to review and respond to what you find, then you should think about that before you start turning on auditing that won’t be looked at. “ will generate a lot of security events. Nathan Gau wrote a blog post about this where he detailed the following: Note: Take a minute to consider whether you should enable command line auditing before doing so. Enabling Console Window Creation Events to be Recorded
This event is disabled by default, and needs to be turned-on through a Group Policy Object setting before it can be tracked. When Windows launches a new process, an event with ID 4688 is generated.
I had exactly the same experience which led me to investigate, answer that question, and reveal a way to obtain a list of every process that attached itself to a console window!įor some background, a console window (running as ConHost.exe) opens & is attached to a command-line application when executed.
Over to you Craig …Īt some point during any user’s time using Windows, they have probably had a Console Window pop open for a millisecond and then disappear, leaving them to wonder ‘What was that?’.
Ever wonder what was run in that Console window that briefly appeared on your screen? In this guest post, Craig Loewen – our awesome summer intern explains how you can find out what command-line applications run on your machine.
0 kommentar(er)
