Techniques
Sample rules
Audit Policy Tampering Via Auditpol
- source: sigma
- techniques:
  - t1562
  - t1562.002
Description
Threat actors can use the auditpol binary to change the audit policy configuration and so impair detection capability. This can be done by selectively disabling or removing specific audit policies, or by restoring a custom policy file controlled by the threat actor.
Detection logic
detection:
  selection_img:
    - Image|endswith: '\auditpol.exe'
    - OriginalFileName: 'AUDITPOL.EXE'
  selection_cli:
    CommandLine|contains:
      - 'disable'
      - 'clear'
      - 'remove'
      - 'restore'
  condition: all of selection_*
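To see how the two selections combine under `all of selection_*`, the following is an added example (not part of the rule or the Sigma project) that evaluates the rule's logic over a few constructed process-creation events; the field names follow Sysmon Event ID 1 and the sample events are made up.

```python
# Added example: evaluate the Sigma rule above over constructed events.
# Sigma string matching is case-insensitive by default, so values are lowered.

# Values taken from the rule's detection section.
IMAGE_SUFFIX = "\\auditpol.exe"
ORIGINAL_FILE_NAME = "auditpol.exe"
CLI_KEYWORDS = ("disable", "clear", "remove", "restore")


def selection_img(event: dict) -> bool:
    """selection_img is a list of maps, so its items are OR'ed:
    the Image suffix OR the OriginalFileName must match."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIX) or ofn == ORIGINAL_FILE_NAME


def selection_cli(event: dict) -> bool:
    """CommandLine|contains with a list of values: any keyword matches."""
    cmd = event.get("CommandLine", "").lower()
    return any(k in cmd for k in CLI_KEYWORDS)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_* -> every selection must be true."""
    return selection_img(event) and selection_cli(event)


# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\auditpol.exe", "OriginalFileName": "AUDITPOL.EXE",
     "CommandLine": 'auditpol /set /subcategory:"Process Creation" /success:disable'},
    {"Image": r"C:\Windows\System32\auditpol.exe", "OriginalFileName": "AUDITPOL.EXE",
     "CommandLine": "auditpol /get /category:*"},  # read-only query, no keyword
    {"Image": r"C:\Users\alice\AppData\Local\Temp\ap.exe", "OriginalFileName": "AUDITPOL.EXE",
     "CommandLine": "ap.exe /clear /y"},  # renamed copy: OriginalFileName still matches
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c net user remove"},  # keyword present but wrong image
]


def matching_indices(events=SAMPLE_EVENTS) -> list:
    """Indices of events that the rule would alert on."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    for i in matching_indices():
        print("ALERT:", SAMPLE_EVENTS[i]["CommandLine"])
```

Events 0 and 2 match; event 1 fails `selection_cli` and event 3 fails `selection_img`, which is exactly why the rule requires both selections rather than the command-line keywords alone.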