Detection | high | test
Audit Policy Tampering Via Auditpol
Threat actors can use the auditpol binary to change the audit policy configuration and impair detection capability. This can be done by selectively disabling or removing certain audit policies, or by restoring a custom policy controlled by the threat actor.
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (2 selectors)

detection:
    selection_img:
        - Image|endswith: '\auditpol.exe'
        - OriginalFileName: 'AUDITPOL.EXE'
    selection_cli:
        CommandLine|contains:
            - 'disable' # disables a specific audit policy
            - 'clear' # deletes or clears the audit policy
            - 'remove' # removes an audit policy
            - 'restore' # restores an audit policy
    condition: all of selection_*

False Positives
Administrators or administrative scripts might legitimately use the flags listed in the detection section. Either way, use of these flags should always be monitored.
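Added example (not part of the rule or of the Sigma project): a Python evaluation of the two selectors above and the `all of selection_*` condition over constructed process-creation events, mirroring Sigma's case-insensitive string matching. Field names follow the Sigma Windows process_creation log source; the sample events are constructed, including a renamed copy of the binary that the OriginalFileName check still catches.

```python
# Constructed sample events (not real telemetry); field names follow the
# Sigma Windows process_creation log source used by the rule above.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\auditpol.exe",
     "OriginalFileName": "AUDITPOL.EXE",
     "CommandLine": 'auditpol /set /subcategory:"Process Creation" /success:disable'},
    {"Image": r"C:\Windows\System32\auditpol.exe",   # read-only query, no flagged term
     "OriginalFileName": "AUDITPOL.EXE",
     "CommandLine": "auditpol /get /category:*"},
    {"Image": r"C:\Temp\ap.exe",                     # renamed copy, caught via OriginalFileName
     "OriginalFileName": "AUDITPOL.EXE",
     "CommandLine": "ap.exe /clear /y"},
    {"Image": r"C:\Windows\System32\cmd.exe",        # term present but wrong image
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c echo disable"},
]

# Values from the rule's selection_cli list.
CLI_TERMS = ("disable", "clear", "remove", "restore")


def selection_img(event):
    """Either list item of selection_img may match (a Sigma list is OR)."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\auditpol.exe") or original == "auditpol.exe"


def selection_cli(event):
    """CommandLine|contains with a list: any term suffices, case-insensitive."""
    cmdline = event.get("CommandLine", "").lower()
    return any(term in cmdline for term in CLI_TERMS)


def matches_rule(event):
    """condition: all of selection_* -> both selectors must hold."""
    return selection_img(event) and selection_cli(event)


def run_detection(events):
    """Return the command lines of the events that trigger the rule."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT auditpol policy tampering:", hit)
```

The second event shows why the condition requires both selectors: a plain auditpol query alone does not fire, which keeps the rule focused on the flags the false-positive note asks you to monitor.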
MITRE ATT&CK
Tactics: Defense Evasion
Sub-techniques: T1562.002
Rule Metadata
Rule ID
0a13e132-651d-11eb-ae93-0242ac130002
Status
test
Level
high
Type
Detection
Created
Tue Feb 02
Modified
Wed Feb 22
Author
Path
rules/windows/process_creation/proc_creation_win_auditpol_susp_execution.yml
Raw Tags
attack.defense-evasion, attack.t1562.002