splApache-2.0from splunk/security_content
Windows AD Domain Controller Audit Policy Disabled
The following analytic detects the disabling of audit policies on a domain controller. It leverages EventCode 4719 from Windows Security Event Logs to identify changes where success or failure auditing is removed. This activity is significant as it suggests an attacker may have gained access to the domain controller and is attempting to evade detection by tampering with audit policies. If confirmed malicious, this could lead to severe consequences, including data theft, privilege escalation, and full network compromise. Immediate investigation is required to determine the source and intent of the change.
Quality
67
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml
`wineventlog_security` EventCode=4719 (AuditPolicyChanges IN ("%%8448","%%8450","%%8448, %%8450") OR Changes IN ("Failure removed","Success removed","Success removed, Failure removed")) dest_category="domain_controller"
| replace "%%8448" with "Success removed", "%%8450" with "Failure removed", "%%8448, %%8450" with "Success removed, Failure removed" in AuditPolicyChanges
| eval AuditPolicyChanges=coalesce(AuditPolicyChanges,Changes), SubcategoryGuid=coalesce(SubcategoryGuid,Subcategory_GUID)
| stats min(_time) as _time values(host) as dest
BY AuditPolicyChanges SubcategoryGuid
| lookup advanced_audit_policy_guids GUID as SubcategoryGuid OUTPUT Category SubCategory
| `windows_ad_domain_controller_audit_policy_disabled_filter`