Audit Policy Tampering Via Auditpol

Threat actors can use the auditpol binary to change the audit policy configuration and so impair detection capability. This can be done by selectively disabling or removing particular audit policies, or by restoring a custom policy controlled by the threat actor.

Sigma rule

title: Audit Policy Tampering Via Auditpol
id: 0a13e132-651d-11eb-ae93-0242ac130002
related:
    - id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e # Old auditpol
      type: similar
status: test
description: |
  Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.
  This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
references:
    - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
author: Janantha Marasinghe (https://github.com/blueteam0ps)
date: 2021/02/02
modified: 2023/02/22
tags:
    - attack.defense_evasion
    - attack.t1562.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\auditpol.exe'
        - OriginalFileName: 'AUDITPOL.EXE'
    selection_cli:
        CommandLine|contains:
            - 'disable' # disables a specific audit policy
            - 'clear'   # delete or clears audit policy
            - 'remove'  # removes an audit policy
            - 'restore' # restores an audit policy
    condition: all of selection_*
falsepositives:
    - Administrator or administrator scripts might leverage the flags mentioned in the detection section. Either way, it should always be monitored
level: high
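To show how the two selections combine under `condition: all of selection_*`, here is an added Python re-implementation of the rule's matching logic run over a handful of constructed process_creation events. This is example code written for this page, not part of the Sigma rule or the SigmaHQ project; the event dictionaries, their `id` values and the command lines in them are made up for the demonstration (the field names `Image`, `OriginalFileName` and `CommandLine` are the ones the rule itself uses). It also shows why the rule checks `OriginalFileName` as well as `Image`: a renamed copy of the binary still carries the original name in its PE version resource, and a command line that merely contains one of the tokens does not fire on its own.

```python
"""Added example: re-implementation of the Sigma rule's detection logic.

Not the rule's own code. Sample events below are constructed for the
demonstration and are not real telemetry.
"""

from typing import Iterable, List

# Tokens from selection_cli. Sigma string matching is case-insensitive
# by default, so every comparison below is done in lower case.
SUSPICIOUS_TOKENS = ("disable", "clear", "remove", "restore")


def selection_img(event: dict) -> bool:
    """selection_img: Image ends with '\\auditpol.exe' OR OriginalFileName is AUDITPOL.EXE.

    The list form in the rule means OR between the two fields. OriginalFileName
    comes from the PE version resource, so it still matches a renamed copy.
    """
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\auditpol.exe") or original == "auditpol.exe"


def selection_cli(event: dict) -> bool:
    """selection_cli: CommandLine contains any of the listed substrings."""
    cmd = event.get("CommandLine", "").lower()
    return any(token in cmd for token in SUSPICIOUS_TOKENS)


def matches_rule(event: dict) -> bool:
    """condition: all of selection_* (both selections must hold)."""
    return selection_img(event) and selection_cli(event)


def alert_ids(events: Iterable[dict]) -> List[int]:
    """Return the ids of the events the rule would fire on, in input order."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events (assumed shape; not real logs).
SAMPLE_EVENTS = [
    # 1: standard binary, '/success:disable' contains the token 'disable'
    {"id": 1, "Image": r"C:\Windows\System32\auditpol.exe",
     "OriginalFileName": "AUDITPOL.EXE",
     "CommandLine": 'auditpol /set /subcategory:"Logon" /success:disable /failure:disable'},
    # 2: standard binary, '/clear' contains the token 'clear'
    {"id": 2, "Image": r"C:\Windows\System32\auditpol.exe",
     "OriginalFileName": "AUDITPOL.EXE",
     "CommandLine": "auditpol /clear /y"},
    # 3: read-only query; selection_img holds but no token in the command line
    {"id": 3, "Image": r"C:\Windows\System32\auditpol.exe",
     "OriginalFileName": "AUDITPOL.EXE",
     "CommandLine": "auditpol /get /category:*"},
    # 4: token 'restore' present, but the process is not auditpol -> no alert
    {"id": 4, "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c dir C:\restore"},
    # 5: renamed copy; Image does not match but OriginalFileName does
    {"id": 5, "Image": r"C:\Users\Public\ap.exe",
     "OriginalFileName": "AUDITPOL.EXE",
     "CommandLine": r"ap.exe /restore /file:C:\Users\Public\pol.csv"},
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT" if matches_rule(event) else "no match"
        print(f"event {event['id']}: {verdict:8}  {event['CommandLine']}")
    print("alerting event ids:", alert_ids(SAMPLE_EVENTS))
```

Event 1 is the kind of command the rule's own false-positive note refers to: an administrator changing a subcategory setting looks identical to an attacker doing it, which is why the rule says such executions should be monitored rather than suppressed. Event 4 is why the condition requires both selections; matching on the command-line tokens alone would be very noisy.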
