Tracking a hacker's activity

Hi, I was wondering, using the activity history user object, is it possible to write some relevance based on a user's activity on a system?

For example, someone gets in and starts running the standard SANS 560 Windows commands:

net share
net start

echo ^<?php echo passthru($_GET[‘cmd’]); ?^> > C:\inetpub\wwwroot\s.php

I'm not familiar with the activity history user object. How do you access the user's activity data? If it can be dumped to a file or registry key, then we can write relevance to look for certain activity. Typically this type of data is very large, though, so trying to parse this data via relevance is probably not the most efficient approach. If you can filter the data down via a script or other process, then it is reasonable to check for the existence of the resulting filtered data via relevance, since it would be much less expensive.
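One way to do the filtering step described in the reply above, as an added example that is not from the thread, from BigFix, or from any real host: a small Python script (run, say, as a scheduled task) parses an exported process-creation log, keeps only the lines matching known reconnaissance indicators such as the net share / net start commands from the question or a file redirect into the IIS web root, and writes the matches to a findings file. Relevance then only has to test whether that file exists. The log line format, the indicator names, the output path and the sample events are all constructed assumptions for illustration.

```python
"""Filter process-creation events for reconnaissance indicators.

Constructed example: the log format, sample events and paths are assumptions,
not a real export format or real host data.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# Constructed sample export in a hypothetical "<ISO time> user=<account> cmd=<command line>"
# format. The app-pool account running recon commands is the scenario from the question.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01 user=CORP\\alice cmd=notepad.exe report.txt",
    "2024-05-01T10:02:14 user=IIS APPPOOL\\DefaultAppPool cmd=cmd.exe /c net share",
    "2024-05-01T10:02:20 user=IIS APPPOOL\\DefaultAppPool cmd=cmd.exe /c net start",
    "2024-05-01T10:03:05 user=IIS APPPOOL\\DefaultAppPool cmd=cmd.exe /c echo test > C:\\inetpub\\wwwroot\\s.php",
    "2024-05-01T10:05:00 user=CORP\\bob cmd=net use Z: \\\\fileserver\\share",
    "this line is malformed and is skipped",
]

# One regex per indicator, applied to the command line only. Insertion order
# determines the order of findings for a line that matches several indicators.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "net_share": re.compile(r"\bnet\s+share\b", re.IGNORECASE),
    "net_start": re.compile(r"\bnet\s+start\b", re.IGNORECASE),
    # A shell redirect into the IIS web root, e.g. "> C:\inetpub\wwwroot\x.php".
    "webroot_write": re.compile(r'>\s*"?[a-z]:\\inetpub\\wwwroot\\', re.IGNORECASE),
}

# Hypothetical log line layout; "user=" may contain spaces (app-pool identities),
# so it is matched non-greedily up to the " cmd=" field.
LINE_RE = re.compile(r"^(\S+)\s+user=(.+?)\s+cmd=(.*)$")


@dataclass(frozen=True)
class Finding:
    time: str
    user: str
    indicator: str
    cmd: str


def parse_line(line: str) -> Optional[tuple]:
    """Return (time, user, cmd) for a well-formed line, None otherwise."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Keep only events whose command line matches a known indicator."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed export line: skip rather than abort the whole run
        time, user, cmd = parsed
        for name, pattern in PATTERNS.items():
            if pattern.search(cmd):
                findings.append(Finding(time, user, name, cmd))
    return findings


def users_with_multiple_indicators(findings: List[Finding], min_distinct: int = 2) -> Dict[str, List[str]]:
    """Accounts that triggered at least min_distinct different indicators.

    A single 'net share' is common admin noise; several distinct recon
    indicators from one account in one export is the stronger signal.
    """
    seen: Dict[str, set] = {}
    for f in findings:
        seen.setdefault(f.user, set()).add(f.indicator)
    return {u: sorted(s) for u, s in seen.items() if len(s) >= min_distinct}


def render_report(findings: List[Finding]) -> str:
    """Tab-separated report, one finding per line; empty string if nothing matched."""
    return "".join(f"{f.time}\t{f.user}\t{f.indicator}\t{f.cmd}\n" for f in findings)


def write_report(findings: List[Finding], path: str) -> int:
    """Write the filtered findings to disk only when there is something to report.

    Because the file is created only on a match, a relevance check for the
    file's existence is enough to flag the endpoint. Returns the finding count.
    """
    if findings:
        Path(path).write_text(render_report(findings), encoding="utf-8")
    return len(findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    print(render_report(hits), end="")
    print("multi-indicator accounts:", users_with_multiple_indicators(hits))
    # Hypothetical output path; a relevance expression such as
    # exists file "C:\ProgramData\hunt\findings.txt" would then pick it up.
    print("written:", write_report(hits, "findings.txt"))
```

The script does the expensive parsing once, outside the inspector, and leaves behind a small artifact; the relevance side only needs an existence test on that artifact (for example `exists file "C:\ProgramData\hunt\findings.txt"`, an assumed path), which matches the cheap check suggested in the reply.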

Yeah, kind of wishful thinking. Not sure if I could do something in PowerShell or not; still too much of a newbie.

I found out that command line history in Windows doesn't get stored anywhere.

I appreciate the response though, Steve. Thanks!!!