Written with contributions from Bryon Singh, Director of Security Operations, RailWorks Corporation
In Star Wars: A New Hope (1977), when Han Solo is asked how he’ll evade Imperial forces, he doesn’t talk about grand strategy—he talks about what he’ll do at the controls of the Millennium Falcon. The outcome of the chase depends not on intent, but on the specific actions taken in the cockpit.
In cybersecurity, command-line activity is that cockpit. CIS Safeguard 8.8 recognizes that when attackers gain access to systems, the truth of what they’re doing is revealed not in high-level alerts, but in the exact commands they execute.
What Is CIS Safeguard 8.8?
CIS Safeguard 8.8: Collect Command-Line Audit Logs is part of CIS Critical Security Control 8 – Audit Log Management. The safeguard calls for organizations to:
- Collect logs of command-line execution
- Include full command arguments, not just process names
- Centralize and retain these logs for detection and investigation
The goal is simple but powerful:
If a command was run, defenders should be able to see what, where, when, and by whom.
Why Command-Line Logs Are High-Value Telemetry
Modern attackers increasingly rely on living-off-the-land techniques. Instead of dropping obvious malware, they use tools that are already present on the system:
- PowerShell
- Windows Command Prompt
- Bash, Zsh, and other Unix shells
- Native utilities like curl, wget, netsh, wmic, or sudo
From a process perspective, these tools look legitimate. From a command-line perspective, they often look anything but.
Command-line logs provide:
- Intent (what the attacker was trying to do)
- Scope (how much they accessed or changed)
- Sequence (the order of operations)
In The Social Network (2010), the pivotal moments aren’t the flashy lawsuits—they’re the scenes where lines of code are typed late at night. That’s where outcomes are decided. The same is true in security incidents.
Threats Exposed by Command-Line Logging
Safeguard 8.8 directly supports detection across multiple attack stages.
- Initial Access and Reconnaissance
Attackers often start with discovery commands such as:
- whoami, id
- ipconfig, ifconfig
- net user, net group
- ls, dir
Command-line logs show what the attacker learned about your environment, not just that a shell was opened.
- Privilege Escalation
Suspicious command patterns can reveal escalation attempts:
- Abuse of sudo or runas
- Registry modifications
- Permission changes (chmod, chown)
- Exploitation of misconfigured services
Without command-line arguments, these actions often blend into normal administrative noise.
- Lateral Movement
Attackers frequently pivot using:
- Remote execution tools
- Scripted authentication attempts
- Built-in remote management commands
Command-line logs capture:
- Target systems
- Credentials supplied as arguments (a username and password handed to net use or to a remote execution tool)
- Tools leveraged for movement
This helps responders reconstruct how the attacker moved, not just where they ended up.
- Persistence and Defense Evasion
Persistence often shows up clearly in commands:
- Scheduled tasks or cron jobs
- Startup scripts
- Service creation
- Log clearing attempts
If an attacker types wevtutil cl Security or modifies log settings, command-line auditing records the attempt itself, provided the events have already been forwarded off the host: a Security log that exists only locally disappears with the clear, leaving just the "audit log was cleared" event (ID 1102) that Windows writes afterwards.
What Should Be Logged?
To align with CIS Safeguard 8.8, command-line audit logs should include:
- Timestamp
- User account
- Host or device identifier
- Process name
- Full command-line string (including arguments)
- Execution result (where available)
For Windows environments, this means process creation auditing (Security Event ID 4688) with the "Include command line in process creation events" policy enabled, since 4688 omits the arguments by default, plus PowerShell script block logging (Event ID 4104) for code that never appears on a command line; Sysmon Event ID 1 records the same fields together with the parent process. For Linux, an auditd rule on the execve syscall (or an EDR/eBPF sensor) captures the full argument vector; for macOS, agents built on the Endpoint Security framework do the same. Shell history files and classic process accounting are not substitutes: history is under the user's control, and process accounting records the command name without its arguments.
Just logging the executable name (for example, powershell.exe) is not sufficient. The arguments are where intent lives.
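Here is what that field list looks like in practice on the Linux side. The script below is an example added to this post, not code from CIS or any vendor: it reads raw auditd records produced by an execve rule such as `-a always,exit -F arch=b64 -S execve -k cmdline` and normalizes each execution into the fields above. The log lines are constructed for the illustration, and the host name is supplied by the caller because auditd does not record it.

```python
"""Normalise Linux auditd execve records into the Safeguard 8.8 field set.

Added example, not code from the article. auditd writes one execve as several
records (SYSCALL, EXECVE, CWD, PATH, ...) that share an "audit(<epoch>:<serial>)"
id. Two quirks matter for command-line auditing: arguments containing spaces or
non-printable bytes are emitted as unquoted hex, and very long arguments are split
into aN[0], aN[1], ... chunks with an aN_len field. Both must be undone or the
reconstructed command line is wrong.
"""
import re
import shlex
from datetime import datetime, timezone

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)$")
TOKEN_RE = re.compile(r'(\S+?)=(?:"([^"]*)"|(\S*))')  # key="quoted" or key=bare
ARG_RE = re.compile(r"^a(\d+)(?:\[(\d+)\])?$")        # a2, or chunk a2[1]

# Per-command fields Safeguard 8.8 asks for (execution result where available).
REQUIRED = ("timestamp", "user", "host", "process", "cmdline", "success")

# Constructed sample records, not real log data. Serial 4243 runs inside a sudo
# session (auid stays 1000 while uid is 0); its a2 is the hex form of
# 'http://203.0.113.5/x y' (the space forces hex) and a3 is split into two chunks
# to show reassembly (auditd only does that for very long arguments).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4242): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c0 a1=55d2a0 a2=55d3e0 a3=0 items=2 ppid=1801 pid=1902 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" key="cmdline"
type=EXECVE msg=audit(1700000000.101:4242): argc=1 a0="id"
type=CWD msg=audit(1700000000.101:4242): cwd="/home/alice"
type=SYSCALL msg=audit(1700000000.205:4243): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c0 a1=55d2a0 a2=55d3e0 a3=0 items=2 ppid=1801 pid=1903 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key="cmdline"
type=EXECVE msg=audit(1700000000.205:4243): argc=4 a0="curl" a1="-s" a2=687474703A2F2F3230332E302E3131332E352F782079 a3_len=15 a3[0]="/tmp/pay" a3[1]="load.sh"
type=CWD msg=audit(1700000000.205:4243): cwd="/tmp"
"""


def _tokens(body):
    """Yield (key, value, was_quoted) for every key=value token in a record."""
    for m in TOKEN_RE.finditer(body):
        quoted = m.group(2) is not None
        yield m.group(1), (m.group(2) if quoted else m.group(3)), quoted


def _decode_arg(value, quoted):
    """EXECVE quotes 'safe' arguments and hex-encodes everything else."""
    if quoted:
        return value
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # not hex after all: keep it rather than lose it


def parse_audit_log(text, host):
    """Group records by serial and emit one normalised event per execve."""
    groups = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        rtype, secs, frac, serial, body = m.groups()
        g = groups.setdefault(serial, {"secs": int(secs), "frac": frac, "fields": {}, "args": {}})
        for key, value, quoted in _tokens(body):
            arg = ARG_RE.match(key)
            if rtype == "EXECVE" and arg:
                idx, chunk = int(arg.group(1)), int(arg.group(2) or 0)
                g["args"].setdefault(idx, {})[chunk] = _decode_arg(value, quoted)
            elif rtype == "SYSCALL" and arg:
                continue  # SYSCALL's a0..a3 are raw register values, not argv
            elif not key.endswith("_len"):
                g["fields"][key] = value
    events = []
    for serial, g in groups.items():
        if not g["args"]:
            continue  # no EXECVE record, so not a command execution
        argv = ["".join(v for _, v in sorted(chunks.items()))
                for _, chunks in sorted(g["args"].items())]
        f = g["fields"]
        ts = datetime.fromtimestamp(g["secs"], tz=timezone.utc).replace(
            microsecond=int(g["frac"].ljust(6, "0")[:6]))
        events.append({
            "timestamp": ts.isoformat(),
            "serial": int(serial),
            "host": host,                 # auditd does not record it; the shipper must
            "user": f.get("uid"),
            "login_user": f.get("auid"),  # original login identity, survives sudo/su
            "pid": f.get("pid"), "ppid": f.get("ppid"), "tty": f.get("tty"),
            "process": f.get("exe"),
            "cwd": f.get("cwd"),
            "argv": argv,
            "cmdline": shlex.join(argv),
            "success": f.get("success"),
            "argc_matches": int(f.get("argc", -1)) == len(argv),
        })
    return sorted(events, key=lambda e: e["serial"])


def missing_fields(event):
    """Safeguard 8.8 fields the event lacks; an empty list means complete."""
    return [k for k in REQUIRED if not event.get(k)]


if __name__ == "__main__":
    for ev in parse_audit_log(SAMPLE_AUDIT_LOG, host="web-01"):
        print(ev["timestamp"], f"auid={ev['login_user']} uid={ev['user']}",
              ev["cmdline"], "missing:", missing_fields(ev))
```

Two details are worth keeping in mind when you write your own normalizer: the SYSCALL record's a0 through a3 are syscall register values, not the command arguments (those live only in the EXECVE record), and auid is the identity that logged in, so it is the field that tells you a root command came from alice's sudo session rather than from root itself.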
Centralization and Retention Are Critical
Command-line logs are most valuable when:
- Centralized in a SIEM or log platform
- Correlated with authentication, endpoint, and network logs
- Retained long enough to investigate delayed detection
Many incidents are discovered only after suspicious behavior is noticed elsewhere. Historical command-line logs often become the primary source for answering:
- What did the attacker actually do?
- What systems were affected?
- What needs to be remediated?
How Safeguard 8.8 Complements Other Logging Controls
Command-line logging works best in combination with other safeguards in Control 8:
- Safeguard 8.6 (DNS Query Logs):
See where systems tried to communicate.
- Safeguard 8.7 (URL Request Logs):
See what web resources were accessed.
- Safeguard 8.8 (Command-Line Logs):
See the exact instructions given to the system.
In Apollo 13 (1995), mission control doesn’t rely on a single data feed. They correlate telemetry, voice logs, and system readouts. Effective detection works the same way.
Practical Implementation Tips
To operationalize Safeguard 8.8 effectively:
- Log More Than Admins
Attackers often compromise standard user accounts first.
- Protect Sensitive Data Thoughtfully
Mask secrets that appear in arguments (a password passed to net use, a token in a curl header) at collection time where possible, but keep the rest of the command intact so its structure and behavior remain reconstructible.
- Baseline Normal Usage
Developers, IT staff, and automation will explain much of your command-line activity.
- Alert on Behavior, Not Tools
Focus on patterns like:
- Encoded or obfuscated commands (for example PowerShell -EncodedCommand, or heavy use of ^ escapes and string concatenation in cmd.exe)
- Unusual parent-child process relationships
- Administrative commands run by non-admin users
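To make "alert on behavior, not tools" concrete, the script below (an example added to this post, not code from the article or from any product) runs those patterns over a handful of constructed process-creation events already reduced to the Safeguard 8.8 fields. The hosts, accounts, admin allowlist and event records are all made up for the illustration; a plain PowerShell run by an allowlisted admin under explorer.exe is included to show that the tool name alone raises nothing.

```python
"""Behaviour-based alerts over normalised command-line events.

Added example, not code from the article. Input events are already reduced
to the Safeguard 8.8 fields (timestamp, host, user, parent, image, full
command line) from whatever you collect: Windows 4688 with command-line
auditing, Sysmon event 1, or auditd execve records. Rules key on behaviour,
never on a tool name alone. Hosts, accounts, the admin allowlist and the
events below are constructed for the illustration.
"""
import base64
import re
from collections import defaultdict, namedtuple

Alert = namedtuple("Alert", "rule host user cmdline detail")

# PowerShell accepts -e, -ec, -enc, -encoded and -encodedcommand; the value is
# base64 of a UTF-16LE string. (-ep, i.e. -ExecutionPolicy, does not match.)
ENCODED_RE = re.compile(
    r"(?i)(?<!\S)[-/]e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})")
LOG_CLEAR = [re.compile(p) for p in (
    r"\bwevtutil(?:\.exe)?\s+cl\b", r"\bclear-eventlog\b", r"\bauditpol(?:\.exe)?\s+/clear\b")]
ADMIN_CMDS = [re.compile(p) for p in (
    r"\bnet(?:1|\.exe)?\s+(?:user|localgroup)\b.*\s/add\b",
    r"\bsc(?:\.exe)?\s+create\b",
    r"\bschtasks(?:\.exe)?\s+/create\b",
    r"\breg(?:\.exe)?\s+add\b.*\\currentversion\\run")]
DISCOVERY = [re.compile(p) for p in (
    r"\bwhoami\b", r"\bnet(?:1|\.exe)?\s+(?:user|group|localgroup)\b",
    r"\bipconfig\b", r"\bsysteminfo\b", r"\bnltest\b", r"\bquser\b")]
# Parents that should never spawn a shell: document viewers, script hosts, IIS workers.
ODD_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
               "mshta.exe", "wscript.exe", "w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def decode_encoded(b64):
    """Recover the script behind -EncodedCommand, or None if it is not one."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _base(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events, admin_users=frozenset(), window_s=300, burst_threshold=3):
    """Run the rules over events (any order); admin_users holds lowercase names."""
    alerts, burst_seen = [], set()
    recent = defaultdict(list)  # (host, user) -> [(ts, discovery rule index)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, user, cmd = ev["host"], ev["user"], ev["cmdline"]
        text = cmd.lower()
        m = ENCODED_RE.search(cmd)
        if m:
            decoded = decode_encoded(m.group(1))
            alerts.append(Alert("encoded_command", host, user, cmd, decoded or "undecodable payload"))
            if decoded:
                text += " " + decoded.lower()  # every later rule also sees the decoded script
        if any(p.search(text) for p in LOG_CLEAR):
            alerts.append(Alert("log_clearing", host, user, cmd, "audit trail tampering"))
        parent, image = _base(ev["parent"]), _base(ev["image"])
        if parent in ODD_PARENTS and image in SHELLS:
            alerts.append(Alert("suspicious_parent", host, user, cmd, f"{parent} -> {image}"))
        if user.lower() not in admin_users and any(p.search(text) for p in ADMIN_CMDS):
            alerts.append(Alert("admin_cmd_by_non_admin", host, user, cmd, "account not in admin allowlist"))
        hits = recent[(host, user)]
        hits[:] = [h for h in hits if ev["ts"] - h[0] <= window_s]  # drop hits outside the window
        hits.extend((ev["ts"], i) for i, p in enumerate(DISCOVERY) if p.search(text))
        distinct = {i for _, i in hits}
        if len(distinct) >= burst_threshold and (host, user) not in burst_seen:
            burst_seen.add((host, user))  # one alert per host/user, not one per command
            alerts.append(Alert("discovery_burst", host, user, cmd,
                                f"{len(distinct)} distinct discovery commands within {window_s}s"))
    return alerts


def _enc(script):
    """Build the -EncodedCommand argument (a real log already carries this form)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [  # constructed; ts is seconds, relative to the first event
    {"ts": 0, "host": "WS-0117", "user": "alice", "parent": r"C:\Windows\explorer.exe", "image": CMD, "cmdline": "cmd.exe /c whoami"},
    {"ts": 20, "host": "WS-0117", "user": "alice", "parent": CMD, "image": r"C:\Windows\System32\net.exe", "cmdline": "net user"},
    {"ts": 45, "host": "WS-0117", "user": "alice", "parent": CMD, "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": 60, "host": "WS-0117", "user": "alice", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "image": PS,
     "cmdline": "powershell.exe -nop -w hidden -enc " + _enc('whoami; net group "Domain Admins" /domain')},
    {"ts": 90, "host": "WS-0117", "user": "alice", "parent": CMD, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\alice\AppData\Local\u.exe"},
    {"ts": 120, "host": "WS-0117", "user": "alice", "parent": CMD, "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil cl Security"},
    # Benign: same tools, expected parent, allowlisted admin account -> no alerts.
    {"ts": 130, "host": "ADM-01", "user": "bob", "parent": r"C:\Windows\explorer.exe", "image": PS, "cmdline": r"powershell.exe -ep bypass -File C:\ops\patch.ps1"},
    {"ts": 140, "host": "ADM-01", "user": "bob", "parent": CMD, "image": r"C:\Windows\System32\schtasks.exe", "cmdline": r"schtasks /create /sc daily /tn Backup /tr C:\ops\backup.cmd"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, admin_users=frozenset({"bob"})):
        print(f"[{a.rule}] {a.host} {a.user}: {a.cmdline[:60]} ({a.detail})")
```

The discovery rule is the one that depends on having the whole sequence, not a single event: three different reconnaissance commands from one account within five minutes is a pattern, each one alone is noise. The encoded-command rule decodes the payload and feeds it back through the other rules, which is why a `whoami` hidden inside -EncodedCommand still counts toward the burst. The admin allowlist is an assumption of the example; in production it comes from your directory, not a hard-coded set.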
Final Thoughts
CIS Safeguard 8.8 exists because attackers ultimately have to type something. Even the most sophisticated intrusion relies on commands executed in sequence, with purpose.
Command-line audit logs turn those keystrokes into evidence.
Defenders who collect and analyze command-line logs don’t just know that something happened—they know how it happened, why it worked, and what to fix next.
In incident response, that level of clarity is often the difference between containment and confusion.
Resources
Here’s a link to the Policy Templates provided free of charge from the fine folks at the Center for Internet Security:
Looking for even more details? Here you go. If this still doesn’t satisfy your curiosity, DM me.
CIS Control 8 – Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
CIS Safeguard 8.8: Collect Command-Line Audit Logs
Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals.
Shameless Marketing Information
Gotham Technology Group offers a Security Operations Center as a Service (SOCaaS) powered by Arctic Wolf Networks. Our team will work alongside your team to support and mature your security operations.