the old auditpol utility isn't available by default on recent versions of windows as it was replaced by a newer version. the fp rate should be very low except for tools that use a similar flag structure

t1562
t1562.002
windows
sigma

Techniques

t1562
t1562.002

Sample rules

Audit Policy Tampering Via NT Resource Kit Auditpol

source: sigma
technicques:
- t1562
- t1562.002

Description

Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - /logon:none
  - /system:none
  - /sam:none
  - /privilege:none
  - /object:none
  - /process:none
  - /policy:none