Command Line Capture
Since version 5.5, Staffcop Enterprise intercepts command-line actions, allowing you to monitor commands and scripts executed by other users or during unauthorized privilege escalation.
Enabling Interception
By default, command-line interception is disabled. To enable it:
Go to Control Panel → Computer Configurations → Your Configuration → Keyboard and Clipboard.
Turn on the Command Input Control option.
Save your changes.
Viewing Events
Once interception is enabled, the agent creates an event called Command Input Terminal when:
A command is executed
A script is run from the command line.
To view events:
In the Constructor tab, under Dimension Panel, select Command Input Terminal in Event Type.
Optional. Filter events by selecting an agent, user, or application in Dimension Panel.
Events are displayed in the Lens on the right side of the screen.
Each event contains the interception details:
The command
The command output
The computer name
The user account
The application used
Local time
The command is displayed in the Event column on the right:

Intercepting a Command on Behalf of Another User
A user can run commands on behalf of another user using the following tools:
PsExec — A Sysinternals utility for remotely executing commands with the rights of a different user account.
runas — A built-in Windows command to run programs using the rights of another user account.
The agent can intercept these commands and generate an event. The event will include the name of the user who initiated the command.
For PsExec, the event will list psexec.exe, and for runas, it will show the runas command.
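
As an added example (not part of Staffcop's documentation or code), the script below triages such events once they are available as records: it finds runas and PsExec invocations and extracts the account named by runas's /user: argument or PsExec's -u argument, so it can be compared with the initiating user. The record layout and key names are assumptions, and the sample events are constructed.

```python
import re

# Constructed sample events. The fields mirror the details this page lists for a
# Command Input Terminal event; the key names and record shape are assumptions,
# not Staffcop's own export format.
SAMPLE_EVENTS = [
    {"time": "2024-05-02 09:14:03", "computer": "WS-014", "user": "jdoe",
     "application": "cmd.exe", "command": r"runas /user:CORP\admin cmd.exe"},
    {"time": "2024-05-02 09:20:41", "computer": "WS-014", "user": "jdoe",
     "application": "psexec.exe",
     "command": r"psexec.exe \\SRV-02 -u CORP\svc_backup ipconfig /all"},
    {"time": "2024-05-02 09:31:10", "computer": "WS-020", "user": "asmith",
     "application": "cmd.exe", "command": r"dir C:\Users"},
    {"time": "2024-05-02 09:40:55", "computer": "WS-020", "user": "asmith",
     "application": "powershell.exe",
     "command": r'RunAs.exe /user:"asmith@corp.example" whoami'},
]

# Tool name as a whole token, with or without a path and the .exe suffix.
TOOL_RE = re.compile(r'(?:^|[\\/\s"])(psexec(?:64)?|runas)(?:\.exe)?(?=["\s]|$)', re.I)
# runas takes the account as /user:NAME; PsExec takes it as -u NAME.
USER_ARG = {
    "runas": re.compile(r'/user:(?:"([^"]+)"|(\S+))', re.I),
    "psexec": re.compile(r'(?:^|\s)-u\s+(?:"([^"]+)"|(\S+))', re.I),
}

def short_name(account):
    """Strip DOMAIN\\ or @domain so accounts compare by name only."""
    return account.split("\\")[-1].split("@")[0].lower()

def delegated_runs(events):
    """Return one finding per event that launches a command via runas or PsExec."""
    findings = []
    for ev in events:
        tool = TOOL_RE.search(f'{ev["application"]} {ev["command"]}')
        if not tool:
            continue
        name = tool.group(1).lower()
        arg = USER_ARG["runas" if name == "runas" else "psexec"].search(ev["command"])
        run_as = (arg.group(1) or arg.group(2)) if arg else None
        findings.append({
            "time": ev["time"], "computer": ev["computer"],
            "initiator": ev["user"], "tool": name, "run_as": run_as,
            # True only when a target account is named and differs from the initiator.
            "different_account": bool(run_as) and short_name(run_as) != short_name(ev["user"]),
        })
    return findings

if __name__ == "__main__":
    for f in delegated_runs(SAMPLE_EVENTS):
        print(f)
```
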