← Back to Explore
sigmahighHunting
Audit Policy Tampering Via Auditpol
Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
Detection Query
selection_img:
- Image|endswith: \auditpol.exe
- OriginalFileName: AUDITPOL.EXE
selection_cli:
CommandLine|contains:
- disable
- clear
- remove
- restore
condition: all of selection_*
Author
Janantha Marasinghe (https://github.com/blueteam0ps)
Created
2021-02-02
Data Sources
windowsProcess Creation Events
Platforms
windows
Tags
attack.defense-evasionattack.t1562.002
Raw Content
title: Audit Policy Tampering Via Auditpol
id: 0a13e132-651d-11eb-ae93-0242ac130002
related:
- id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e # Old auditpol
type: similar
status: test
description: |
Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.
This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
references:
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
author: Janantha Marasinghe (https://github.com/blueteam0ps)
date: 2021-02-02
modified: 2023-02-22
tags:
- attack.defense-evasion
- attack.t1562.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\auditpol.exe'
- OriginalFileName: 'AUDITPOL.EXE'
selection_cli:
CommandLine|contains:
- 'disable' # disables a specific audit policy
- 'clear' # delete or clears audit policy
- 'remove' # removes an audit policy
- 'restore' # restores an audit policy
condition: all of selection_*
falsepositives:
- Administrator or administrator scripts might leverage the flags mentioned in the detection section. Either way, it should always be monitored
level: high