How to determine if Windows command line auditing is enabled (osquery)

windows_audit_commandline

Description: Queries the Windows registry for the existence of the auditing keys, checking whether the ‘ProcessCreationIncludeCmdLine_Enabled’ value is enabled.

SQL:

SELECT * FROM registry 
WHERE key='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit';

Operating Systems: Windows Only
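A narrower osquery query, added here as an example and not part of the original post: instead of returning every value under the Audit key, it selects only the ProcessCreationIncludeCmdLine_Enabled value and labels the result. It assumes the osquery registry table's data column carries the REG_DWORD as the text '1' when enabled.

```sql
-- Added example (not from the original post).
-- Returns one row describing the command-line auditing setting;
-- assumes the DWORD is reported as text in the data column.
SELECT
  path,
  type,
  data,
  CASE WHEN data = '1' THEN 'enabled' ELSE 'disabled' END AS cmdline_auditing
FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
  AND name = 'ProcessCreationIncludeCmdLine_Enabled';
```

If the value has never been set, the query returns no rows at all; treat an empty result as disabled, since the default is not to log command lines. Note that this value only adds the command line to process creation events (event ID 4688); the Audit Process Creation subcategory must also be enabled for those events to be written in the first place.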

Reference:
