sigmaDRL-1.1from SigmaHQ/sigma
Audit Policy Tampering Via Auditpol
Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
Quality
82
FP risk
—
Forks
1
Views
1
ATT&CK techniques
Rule sourcerules/windows/process_creation/proc_creation_win_auditpol_susp_execution.yml
title: Audit Policy Tampering Via Auditpol
id: 0a13e132-651d-11eb-ae93-0242ac130002
related:
- id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e # Old auditpol
type: similar
status: test
description: |
Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.
This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
references:
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
author: Janantha Marasinghe (https://github.com/blueteam0ps)
date: 2021-02-02
modified: 2023-02-22
tags:
- attack.defense-evasion
- attack.t1562.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\auditpol.exe'
- OriginalFileName: 'AUDITPOL.EXE'
selection_cli:
CommandLine|contains:
- 'disable' # disables a specific audit policy
- 'clear' # delete or clears audit policy
- 'remove' # removes an audit policy
- 'restore' # restores an audit policy
condition: all of selection_*
falsepositives:
- Administrator or administrator scripts might leverage the flags mentioned in the detection section. Either way, it should always be monitored
level: high