Audit Policy Tampering Via NT Resource Kit Auditpol

calendar Mar 13, 2023 · attack.defense_evasion attack.t1562.002  ·
Share on: linkedin copy

Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.

Sigma rule (View on GitHub)

 1title: Audit Policy Tampering Via NT Resource Kit Auditpol
 2id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e
 3related:
 4    - id: 0a13e132-651d-11eb-ae93-0242ac130002 # New auditpol version
 5      type: similar
 6status: test
 7description: |
 8    Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.
 9    This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.    
10references:
11    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol
12author: Nasreddine Bencherchali (Nextron Systems)
13date: 2021/12/18
14modified: 2023/02/21
15tags:
16    - attack.defense_evasion
17    - attack.t1562.002
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection:
23        CommandLine|contains:
24            - '/logon:none'
25            - '/system:none'
26            - '/sam:none'
27            - '/privilege:none'
28            - '/object:none'
29            - '/process:none'
30            - '/policy:none'
31    condition: selection
32falsepositives:
33    - The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. The FP rate should be very low except for tools that use a similar flag structure
34level: high

References

Related rules

to-top