Techniques
Sample rules
Audit Policy Tampering Via NT Resource Kit Auditpol
- source: sigma
- technicques:
- t1562
- t1562.002
Description
Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
Detection logic
condition: selection
selection:
CommandLine|contains:
- /logon:none
- /system:none
- /sam:none
- /privilege:none
- /object:none
- /process:none
- /policy:none