Audit Policy Tampering via Auditpol.exe

Rule added on 30th May, 2024

Rule type:

Correlation

Rule description:

Auditpol.exe is a Windows command-line tool that lets administrators manage and query audit policy settings.

However, attackers may use it to modify or disable audit policies, evade defenses, and prevent their malicious activity from being logged, which keeps security teams from being alerted to their presence in the network.

Attack chain scenario: Phishing -> Unauthorized access -> Audit policy tampering via auditpol.exe -> Evasion of detection

Impact:

It can impact the organizations in the following ways:

  • Compromised security monitoring
  • Increased risks of security breaches
  • Operational disruptions

Data source:

Windows > Process Creation

Required configuration: The rule is based on process creation and termination events. Prerequisites are installing and configuring Sysmon, enabling the Audit Process Creation audit policy, and enabling command line auditing.

Relevant MITRE ATT&CK techniques and tactics:

Tactic: TA0005- Defense Evasion

Technique: T1562- Impair Defenses

Sub Technique: T1562.002- Disable Windows Event Logging

Criteria:

( ( Process Name endswith "auditpol.exe" ) OR ( ORIGINALFILENAME contains "auditpol" ) ) AND ( ( Command Line contains "/disable" ) OR ( Command Line contains "/clear" ) OR ( Command Line contains "/remove" ) OR ( Command Line contains "/restore" ) )

disable - Disables the auditing of events such as file access or account logons.

remove - Removes the audit policy settings for a specific category of events completely.

restore - Restores the audit policy settings from backup files.
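The criteria above, applied to process-creation telemetry as an added example (this code is not part of the original rule page or the vendor's engine). The record field names (image, original_file_name, command_line, user) are assumptions mirroring Sysmon Event ID 1 fields; the sample events are constructed, not real logs. One of them uses auditpol's `/success:disable` form, which lacks the literal `/disable` substring the rule looks for, so it illustrates a case the criteria as written do not match.

```python
"""Evaluate the page's auditpol.exe tampering criteria against process-creation events."""
from dataclasses import dataclass

# Command-line switches flagged by the rule (taken from the page's criteria).
FLAGGED_SWITCHES = ("/disable", "/clear", "/remove", "/restore")


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal view of a process-creation record.

    Field names are an assumption for this example (they mirror Sysmon Event ID 1:
    Image, OriginalFileName, CommandLine, User); Security 4688 records would need
    NewProcessName mapped to `image` and carry no OriginalFileName.
    """
    image: str               # full path of the created process
    original_file_name: str  # PE header OriginalFileName, survives renaming the binary
    command_line: str
    user: str


def flagged_switches(ev: ProcessEvent) -> list:
    """Return the flagged switches present in the command line (case-insensitive)."""
    cmd = ev.command_line.lower()
    return [sw for sw in FLAGGED_SWITCHES if sw in cmd]


def matches_rule(ev: ProcessEvent) -> bool:
    """True when the event satisfies the page's criteria:
    (Process Name endswith auditpol.exe OR OriginalFileName contains "auditpol")
    AND Command Line contains one of /disable, /clear, /remove, /restore.
    Windows paths and switches are case-insensitive, so compare lower-cased text."""
    image = ev.image.lower()
    orig = ev.original_file_name.lower()
    process_match = image.endswith("auditpol.exe") or "auditpol" in orig
    return process_match and bool(flagged_switches(ev))


def triage(events) -> list:
    """Apply the rule to a batch of events and return those that would raise an alert."""
    return [ev for ev in events if matches_rule(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0. Clears the whole audit policy; matches on image name and "/clear".
    ProcessEvent(r"C:\Windows\System32\auditpol.exe", "AUDITPOL.EXE",
                 "auditpol.exe /clear /y", r"CORP\svc-backup"),
    # 1. Renamed copy of auditpol; the image check fails but OriginalFileName still matches.
    ProcessEvent(r"C:\Users\Public\svchost.exe", "AUDITPOL.EXE",
                 "svchost.exe /remove /allusers", r"CORP\jdoe"),
    # 2. Restores a saved policy from a file (path is a placeholder); matches on "/restore".
    ProcessEvent(r"C:\Windows\System32\auditpol.exe", "AUDITPOL.EXE",
                 r"auditpol /restore /file:C:\temp\policy.csv", r"CORP\admin1"),
    # 3. Read-only query by an administrator; no flagged switch, so no alert.
    ProcessEvent(r"C:\Windows\System32\auditpol.exe", "AUDITPOL.EXE",
                 "auditpol /get /category:*", r"CORP\admin1"),
    # 4. Disabling via /set uses ":disable", not "/disable", so the rule as written
    #    does not match this form; a tuning point for the detection engineer.
    ProcessEvent(r"C:\Windows\System32\auditpol.exe", "AUDITPOL.EXE",
                 'auditpol /set /subcategory:"Logon" /success:disable /failure:disable',
                 r"CORP\jdoe"),
    # 5. Unrelated tool whose command line contains "/disable"; process part of the AND fails.
    ProcessEvent(r"C:\Windows\System32\schtasks.exe", "schtasks.exe",
                 'schtasks.exe /Change /TN "Nightly Backup" /DISABLE', r"CORP\admin1"),
]


if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(f"ALERT user={ev.user} switches={flagged_switches(ev)} cmd={ev.command_line}")
```

Events 0 to 2 produce alerts; events 3 to 5 do not. The `/success:disable` sample (event 4) is the one worth reviewing when tuning: the rule's string test needs the literal `/disable` token, so the `/set ... /success:disable` form passes through unless the criteria are extended.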

When to enable this rule:

Enabling this rule will help you meet the security standard requirement listed below:

Security standards (NIST CSF 2.0):

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

When this rule is triggered, you are notified that audit policies have been modified or disabled, indicating potentially malicious activity. This enables you to put strict access control measures in place to prevent tampering with audit policies.

Known false positives: This event may be generated by administrators while legitimately managing audit policies.

Next steps:

When this alert is triggered, the following measures can be implemented:

  • Identification: Identify if the alert is a new incident or part of an existing incident.
  • Analysis: Analyze the impact and extent of the compromise to comprehend the severity of the attack.
  • Response: Respond promptly by initiating an automated workflow to terminate the malicious process.
  • Permissions: Restrict the permissions to change audit policies to only authorized users.