NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY

AU-6(8)Full Text Analysis of Privileged Commands

Perform a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system, or other system that is dedicated to that analysis.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Full text analysis of privileged commands requires a distinct environment for the analysis of audit record information related to privileged users without compromising such information on the system where the users have elevated privileges, including the capability to execute privileged commands. Full text analysis refers to analysis that considers the full text of privileged commands (i.e., commands and parameters) as opposed to analysis that considers only the name of the command. Full text analysis includes the use of pattern matching and heuristics.

Practitioner Notes

Perform full text analysis of privileged commands to detect suspicious activity. It is not enough to know that someone ran a command — you need to see the full command and its arguments.

Example 1: With command-line auditing enabled (Event ID 4688 with command line), create SIEM searches that look for suspicious command patterns: net user /add, mimikatz, Invoke-Mimikatz, reg save HKLM\SAM, and ntdsutil. Alert immediately on any match.

Example 2: With PowerShell script block logging enabled (Event ID 4104), search for suspicious patterns in script content: encoded commands (-EncodedCommand), download cradles (Invoke-WebRequest, DownloadString), and credential access (Get-Credential, ConvertTo-SecureString). These patterns often indicate post-exploitation activity.

More Audit and Accountability Controls

AU-1 Policy and Procedures AU-2 Event Logging AU-2(1) Compilation of Audit Records from Multiple Sources AU-2(2) Selection of Audit Events by Component