LoFP LoFP / the old auditpol utility isn't available by default on recent versions of windows as it was replaced by a newer version. the fp rate should be very low except for tools that use a similar flag structure

Techniques

Sample rules

Audit Policy Tampering Via NT Resource Kit Auditpol

Description

Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - /logon:none
  - /system:none
  - /sam:none
  - /privilege:none
  - /object:none
  - /process:none
  - /policy:none