New Member

CSA advanced Cmd Shell policy

I'm trying to design a Command Shell policy meeting specific criteria. I don't want to just log each time cmd.exe is used. Instead, I want to log each time cmd.exe executes a command that either affects another file (change/delete), or displays important system information (like ipconfig, nbtstat, arp, set, net view, route print, ping, tracert, etc.)

Sound like something I could do?

3 REPLIES
Blue

Re: CSA advanced Cmd Shell policy

Create a rule that logs when the command shell accesses files of any type to write and reads any of the exe's you are concerned with.

New Member

Re: CSA advanced Cmd Shell policy

That's exactly what I did - glad I was on the right track. ;) But any suggestions on the 2nd half?

Blue

Re: CSA advanced Cmd Shell policy

Yes, the second rule should report when a command shell executes a read on any of those files you are concerned with.

Tom S
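
The rule described in the replies (log when the command shell starts one of the listed executables), sketched as an added example that is not part of the thread and is not CSA rule syntax. The event tuple layout and all sample values are constructed assumptions; the point it shows is that `net view` and `route print` need an argument match on `net.exe` and `route.exe`, and that `set` cannot be caught this way because it is a `cmd.exe` built-in with no executable of its own.

```python
import ntpath

# Executables behind the commands named in the question. A value of None
# means any invocation is logged; otherwise the subcommand must be present.
WATCHED = {
    "ipconfig.exe": None, "nbtstat.exe": None, "arp.exe": None,
    "ping.exe": None, "tracert.exe": None,
    "net.exe": "view", "route.exe": "print",
}
# "set" is absent on purpose: it is a cmd.exe built-in, so no separate
# executable is read or started and an executable-based rule never fires.


def match_event(event):
    """Return the watched command for a cmd.exe child process, else None."""
    pid, parent_image, image, command_line = event
    if ntpath.basename(parent_image).lower() != "cmd.exe":
        return None
    name = ntpath.basename(image).lower()
    if name not in WATCHED:
        return None
    required = WATCHED[name]
    if required and required not in command_line.lower().split()[1:]:
        return None
    stem = name[:-4]  # drop ".exe"
    return f"{stem} {required}" if required else stem


def scan(events):
    """Return (pid, command) for every event the rule should log."""
    return [(ev[0], cmd) for ev in events if (cmd := match_event(ev))]


# Constructed sample events: (pid, parent image, image, command line).
CMD = r"C:\Windows\System32\cmd.exe"
SYS = "C:\\Windows\\System32\\"
SAMPLE = [
    (4100, CMD, SYS + "ipconfig.exe", "ipconfig /all"),
    (4104, CMD, SYS + "net.exe", "net view"),
    (4108, CMD, SYS + "net.exe", "net use"),        # net.exe, but not "view"
    (4112, SYS + "explorer.exe", SYS + "ping.exe", "ping 192.0.2.10"),
    (4116, CMD, SYS + "route.exe", "ROUTE PRINT"),  # case-insensitive match
]

if __name__ == "__main__":
    for pid, cmd in scan(SAMPLE):
        print(f"log: cmd.exe started {cmd} (pid {pid})")
```

Matching on the file name alone does not cover a renamed copy of one of these binaries, which is one reason the replies key the rule on access to the files themselves.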
