Are PS1 or CMD commands recorded?


Kris Springer

Oct 21, 2021, 12:26:14 PM
to Wazuh mailing list
I'm spending quite a bit of time hunting for things and finding amazing results, but I'm wondering if Wazuh records the actual commands that are run in PowerShell or CMD terminals. I can hunt for and see that cmd.exe processes ran, but I'm not seeing what command was actually entered. Is there a way to track and view that?

Hanes Nahuel Sciarrone

Oct 21, 2021, 4:48:39 PM
to Wazuh mailing list
Hi Kris Springer,

Thank you for using Wazuh and sharing your question with the community. Wazuh has a feature that lets you capture a command's output and alert on it with a custom rule you create. I'll share the link that explains how it works. Please follow these steps to use the feature:
  1. Set the logcollector.remote_command flag to 1 in local_internal_options.conf file.
  2. Add the localfile section in ossec.conf or agent.conf depending on whether you want to share the configuration with a group of agents or configure it for a specific agent.
  3. Create a rule to receive the alert in the manager.
I'm sending you the link to the configuration documentation; it has interesting examples of command monitoring.

I hope that this information will be useful for your purpose.

Best regards
Hanes
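The three steps above, written out as an added example (this is not Hanes's text or a snippet from the Wazuh documentation). Step 1 is the line `logcollector.remote_commands=1` in the agent's local_internal_options.conf; steps 2 and 3 are the two fragments below. The `tasklist` command, the alias `ps-processes`, the 300-second frequency and rule id 100200 are assumptions chosen for illustration; rule 530 is Wazuh's built-in parent rule for `ossec: output:` events.

```xml
<!-- Added example, not from the thread. Step 2, agent side: ossec.conf on the endpoint
     (wrap in <agent_config os="Windows"> instead if it goes into a group's agent.conf).
     The agent only runs this if logcollector.remote_commands=1 is set in its
     local_internal_options.conf (step 1). -->
<ossec_config>
  <localfile>
    <!-- full_command ships the whole output as one event, prefixed "ossec: output: 'alias':" -->
    <log_format>full_command</log_format>
    <!-- Assumed command: snapshot of running PowerShell processes, CSV without header -->
    <command>tasklist /FI "IMAGENAME eq powershell.exe" /FO CSV /NH</command>
    <!-- The alias replaces the full command string in the event and in the rule match -->
    <alias>ps-processes</alias>
    <!-- Run every 5 minutes (assumed interval) -->
    <frequency>300</frequency>
  </localfile>
</ossec_config>

<!-- Step 3, manager side: /var/ossec/etc/rules/local_rules.xml. Rule id 100200 is an
     assumption; custom rules must use ids in the 100000-119999 range. Level 5 is above
     the default log_alert_level of 3, so the alert is written and reaches the dashboard. -->
<group name="local,command_monitoring,">
  <rule id="100200" level="5">
    <!-- 530 is Wazuh's base rule for full_command output ("ossec: output: ...") -->
    <if_sid>530</if_sid>
    <match>ossec: output: 'ps-processes':</match>
    <description>Command monitoring: PowerShell process snapshot received from agent</description>
  </rule>
</group>
```

After restarting the agent and the manager, each run of the command produces one alert whose full_log field carries the complete output; tightening the `<match>` or adding a `<regex>` on the output is how the alert is narrowed to the lines of interest.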

Peter Santiago

Oct 23, 2021, 8:46:11 PM
to Hanes Nahuel Sciarrone, Wazuh mailing list


Kris Springer

Oct 28, 2021, 11:13:41 AM
to Wazuh mailing list
Thanks. I've got it working now. I wasn't aware that I had to install Sysmon on the endpoint. Once I did that and then told the Wazuh agent config to look for Sysmon logs, all works fine.

Now I've got lots of noise to comb through. I just installed Sysmon as default with no custom config. I'm assuming that the Blacksmith sysmon.xml custom config will help me filter out all the noise?
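An added example of the setup Kris ended up with, and of trimming noise on the Wazuh side in addition to whatever the Sysmon config filters out (this is not code from the thread or from Wazuh's own rule set). The agent fragment forwards the Sysmon channel; the manager fragment uses Wazuh's built-in rule 61603 (Sysmon Event ID 1, process creation), whose decoded fields include `win.eventdata.image`, `win.eventdata.parentImage` and `win.eventdata.commandLine`. Rule ids 100300 and 100301, the alert level, and the parent executable name `AssumedMgmtAgent.exe` used as the noise filter are assumptions.

```xml
<!-- Added example, not from the thread. Agent side: ossec.conf on the Windows endpoint.
     Reads Sysmon's event channel so process creations (with their command lines)
     reach the manager. Sysmon itself must already be installed on the endpoint. -->
<ossec_config>
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>

<!-- Manager side: /var/ossec/etc/rules/local_rules.xml. Both rules hang off Wazuh's
     built-in 61603 (Sysmon Event 1). Level 0 rules are evaluated before all others,
     so the noise filter wins whenever its parent-image pattern matches. -->
<group name="local,sysmon,windows,">
  <!-- Noise filter (assumed): drop process creations spawned by a known-benign
       management agent. Replace AssumedMgmtAgent.exe with the real noisy parent. -->
  <rule id="100300" level="0">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)\\AssumedMgmtAgent\.exe$</field>
    <description>Sysmon: process creation by management agent (ignored)</description>
  </rule>

  <!-- Surface interactive shells together with the exact command line that was entered,
       which is the information Kris was looking for in the original question. -->
  <rule id="100301" level="6">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\(cmd|powershell|pwsh)\.exe$</field>
    <description>Shell started on $(win.system.computer): $(win.eventdata.commandLine)</description>
    <group>process_creation,</group>
  </rule>
</group>
```

Note that a level-0 rule silences the event entirely, so filters of this kind are best added one noisy parent at a time after checking in the dashboard what each one actually suppresses; a Sysmon config with exclusion rules stops the events at the source, which is cheaper, but the Wazuh-side filter is what lets the command line still be searched for the processes that are kept.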