Command Line Capture

Since version 5.5, Staffcop Enterprise intercepts command-line activity, allowing you to monitor commands and scripts that users execute, including ones run under another user's account or during an unauthorized privilege escalation.

Enabling Interception

By default, command-line interception is disabled. To enable it:

  1. Go to Control Panel → Computer Configurations → Your Configuration → Keyboard and Clipboard.

  2. Turn on the Command Input Control option.

  3. Save your changes.

Viewing Events

Once interception is enabled, the agent creates a Command Input Terminal event when:

  • A command is executed

  • A script is run from the command line

To view events:

  1. In the Constructor tab, in the Dimension Panel, set Event Type to Command Input Terminal.

  2. Optionally, narrow the results by selecting an agent, user, or application in the Dimension Panel.

  3. The matching events are displayed in the Lens on the right side of the screen.

Each event contains the interception details:

  • The command

  • The command output

  • The computer name

  • The user account

  • The application used

  • Local time

The command is displayed in the Event column on the right:

../../_images/command_line_1.png

Intercepting a Command on Behalf of Another User

A user can run commands on behalf of another user using the following tools:

  • PsExec — A Sysinternals utility for remotely executing commands with the rights of a different user account.

  • runas — A built-in Windows command to run programs using the rights of another user account.

The agent intercepts these commands and generates an event. The event includes the name of the user who initiated the command, so the activity is attributed to the initiator even though the command itself ran under a different account; the target account is visible in the captured command text (the /user: argument of runas, or the -u switch of PsExec). In the application field, PsExec appears as psexec.exe, and runas appears as the runas command.