NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-3(8) Detect Unauthorized Commands

Detect the following unauthorized operating system commands through the kernel application programming interface on {{ insert: param, si-03.08_odp.02 }}: {{ insert: param, si-03.08_odp.01 }}; and {{ insert: param, si-03.08_odp.03 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Detecting unauthorized commands can be applied to critical interfaces other than kernel-based interfaces, including interfaces with virtual machines and privileged applications. Unauthorized operating system commands include commands for kernel functions from system processes that are not trusted to initiate such commands as well as commands for kernel functions that are suspicious even though commands of that type are reasonable for processes to initiate. Organizations can define the malicious commands to be detected by a combination of command types, command classes, or specific instances of commands. Organizations can also define hardware components by component type, component, component location in the network, or a combination thereof. Organizations may select different actions for different types, classes, or instances of malicious commands.

Practitioner Notes

Detect unauthorized operating system commands issued to your systems, which could indicate an attacker has gained command-line access.

Example 1: Enable PowerShell Script Block Logging and Module Logging via GPO. Forward these logs to your SIEM and create detection rules for suspicious commands — encoded PowerShell, credential harvesting tools (Mimikatz), or unusual use of certutil, bitsadmin, or net commands.

Example 2: Deploy a host-based IDS (like OSSEC or Wazuh) that monitors command execution on servers. Configure rules to alert on commands commonly used by attackers — whoami, net user, net group, nltest, dsquery — especially when run by non-admin accounts.
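The detection rules sketched in Examples 1 and 2 can be expressed as a small classifier over process-creation events. The block below is an added example written for this page; it is not NIST, OSSEC or Wazuh code. The event schema (host, user, admin flag, command line), the rule names and severities, and the sample events are all assumptions constructed for illustration. It flags the indicators the notes name: encoded PowerShell (decoding the payload for analyst context), credential-harvesting tools, certutil/bitsadmin use, and reconnaissance commands, with the reconnaissance severity raised when the account is not an administrator.

```python
"""Added example for SI-3(8): classify process-creation events against the
indicators named in the Practitioner Notes. Event format, rule names and
severities are assumptions, not a NIST, OSSEC or Wazuh schema."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcessEvent:
    """One process-creation record as a HIDS agent or log forwarder might emit it (assumed shape)."""
    host: str
    user: str
    is_admin: bool
    command_line: str


@dataclass
class Alert:
    rule: str
    severity: str
    host: str
    user: str
    detail: str


# Indicator catalogue taken from the two practitioner examples on the page.
LOLBINS = ("certutil", "bitsadmin")
CRED_TOOLS = ("mimikatz",)
RECON_PATTERNS = (
    re.compile(r"\bwhoami\b"),
    re.compile(r"\bnet(?:\.exe)?\s+(?:user|group)\b"),
    re.compile(r"\bnltest\b"),
    re.compile(r"\bdsquery\b"),
)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
# the payload is base64 of UTF-16LE text.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})")


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode an -EncodedCommand payload so the alert carries readable context; None if malformed."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event: ProcessEvent) -> List[Alert]:
    """Return every rule the event trips; an empty list means nothing to report."""
    alerts: List[Alert] = []
    cmd = event.command_line
    low = cmd.lower()

    # Example 1: encoded PowerShell.
    if "powershell" in low or "pwsh" in low:
        m = ENCODED_ARG.search(cmd)
        if m:
            decoded = decode_encoded_command(m.group(1))
            detail = f"decoded: {decoded!r}" if decoded else "payload not decodable"
            alerts.append(Alert("encoded_powershell", "high", event.host, event.user, detail))

    # Example 1: credential-harvesting tools named on the page.
    for tool in CRED_TOOLS:
        if tool in low:
            alerts.append(Alert("credential_tool", "critical", event.host, event.user, f"matched {tool}"))

    # Example 1: living-off-the-land binaries; organizations tune this against their baseline.
    for lolbin in LOLBINS:
        if re.search(rf"\b{lolbin}(?:\.exe)?\b", low):
            alerts.append(Alert("lolbin_use", "medium", event.host, event.user,
                                f"{lolbin} invoked; review against baseline"))

    # Example 2: reconnaissance commands, escalated when the account is not an administrator.
    for pat in RECON_PATTERNS:
        if pat.search(low):
            severity = "low" if event.is_admin else "high"
            alerts.append(Alert("recon_command", severity, event.host, event.user,
                                f"pattern {pat.pattern} matched"))
            break
    return alerts


def run_detection(events: List[ProcessEvent]) -> List[Alert]:
    """Apply classify() to a batch, as a SIEM rule would over forwarded events."""
    alerts: List[Alert] = []
    for event in events:
        alerts.extend(classify(event))
    return alerts


def build_sample_events() -> List[ProcessEvent]:
    """Constructed sample events (not real telemetry); the encoded payload is a harmless Write-Host."""
    enc = base64.b64encode("Write-Host hi".encode("utf-16le")).decode()
    return [
        ProcessEvent("ws01", "alice", False, "notepad.exe C:\\notes.txt"),
        ProcessEvent("ws01", "alice", False, f"powershell.exe -EncodedCommand {enc}"),
        ProcessEvent("srv02", "svc_backup", False, "net user"),
        ProcessEvent("srv02", "dc_admin", True, "nltest /dclist:corp"),
        ProcessEvent("ws03", "bob", False, "certutil.exe -hashfile C:\\Users\\bob\\setup.msi SHA256"),
        ProcessEvent("ws03", "bob", False, "mimikatz.exe"),
    ]


if __name__ == "__main__":
    for alert in run_detection(build_sample_events()):
        print(f"[{alert.severity}] {alert.rule} host={alert.host} user={alert.user}: {alert.detail}")
```

Running the block prints five alerts for the six constructed events: the plain notepad launch is silent, the admin's nltest call is reported at low severity, and the same reconnaissance pattern from a non-admin service account is raised to high. The certutil hit is deliberately medium because legitimate administrative use of that binary is common; the page's guidance that organizations define which command types, classes, or instances are malicious is exactly the tuning step this catalogue leaves to the deployer.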