Threat Feed
high advisory

Windows Audit Policy Exclusion via Auditpol

Adversaries may attempt to disable or modify security tools to evade detection. This analytic identifies execution of `auditpol.exe` with the `/set` and `/exclude` command-line arguments, which excludes a specific user's events from the audit log, potentially evading detection and enabling further malicious activity.

This detection identifies the use of auditpol.exe to modify Windows audit policies in a way that excludes specific user events. Threat actors or red teams may use this technique to suppress audit logging for their actions, making it more difficult to detect malicious activity. The auditpol.exe utility, when used with the /set and /exclude parameters, can alter per-user audit policies, overriding system-level settings and effectively creating blind spots for security monitoring. This can be used to mask actions related to lateral movement, credential access, or other malicious objectives. This technique was observed in the Solorigate campaign, where adversaries used it to further evade detection.

Attack Chain

  1. The attacker gains initial access to the system, potentially through compromised credentials or exploitation of a vulnerability.
  2. The attacker elevates privileges to an administrator level, required to modify audit policies.
  3. The attacker executes auditpol.exe with the /set and /exclude parameters.
  4. The command specifies the user account(s) for which audit logging will be suppressed.
  5. Specific audit categories, such as logon/logoff events or process creation, are excluded from the targeted user’s audit logs.
  6. The system’s audit policy is modified to ignore events generated by the specified user(s) within the excluded categories.
  7. The attacker performs malicious activities, such as lateral movement or data exfiltration, under the context of the targeted user account.
  8. These actions are not logged in the security event logs, hindering detection and forensic analysis.

Impact

Successful execution of this attack can lead to a significant reduction in audit visibility, allowing adversaries to operate undetected within the compromised environment. This can facilitate further malicious activities, such as data theft, installation of malware, or disruption of services. The potential victim count is dependent on the scope of the initial compromise and the attacker’s objectives. Sectors that rely heavily on Windows-based systems, such as government, finance, and healthcare, are particularly vulnerable.

Recommendation

  • Deploy the Sigma rule Detect Auditpol Exclude Category to your SIEM to identify instances of auditpol.exe being used to exclude audit categories, and tune for your environment.
  • Enable Sysmon process creation logging (Event ID 1) and/or Windows Security auditing of process creation (Event ID 4688) with command-line logging turned on, so that the arguments this detection keys on are actually recorded.
  • Investigate any instances of auditpol.exe being used with the /set and /exclude parameters, especially if the process is not initiated by a known and authorized administrator.
  • Monitor command-line arguments of auditpol.exe for suspicious usage patterns via the Sigma rule Auditpol with Set and Exclude Arguments.
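The following is an added example, not code from the advisory or the platform's own rules: a small Python detector that applies the /set + /exclude logic described above to constructed process-creation events. The field names (EventID, Image, CommandLine, User, ParentImage) are the Sysmon Event ID 1 / Security 4688 fields as a SIEM commonly normalizes them, and the two severity tiers are an approximation of the two rules listed under Detection coverage, not their actual queries. All sample events are constructed for the example.

```python
"""Toy detector for auditpol.exe per-user audit exclusions over process-creation events.

Added example. The matching logic approximates what a Sigma-style rule for
"/set" + "/exclude" would do; it is not the platform's own rule.
"""
import re
from typing import Dict, List, Optional

# auditpol's colon-separated switches, e.g. /user:CORP\bob or /subcategory:"Logon".
# Quoted values may contain spaces; unquoted values run to the next whitespace.
_SWITCH_RE = re.compile(r'/(user|category|subcategory):(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify_event(event: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Return an alert dict when the event is auditpol.exe run with /set and /exclude, else None.

    Two tiers mirror the advisory's two rules (an approximation, not the real queries):
    "medium" for any /set + /exclude, "high" when a category or subcategory is also
    named, i.e. a concrete blind spot is being carved out for the target user.
    Only process-creation events (Sysmon 1 / Security 4688) are considered.
    """
    if str(event.get("EventID")) not in ("1", "4688"):
        return None
    if _basename(str(event.get("Image", ""))) != "auditpol.exe":
        return None
    cmd = str(event.get("CommandLine", ""))
    # Whole-token matching avoids firing on e.g. "/settings" or a path containing "set".
    toks = cmd.lower().split()
    if "/set" not in toks or "/exclude" not in toks:
        return None
    switches = {m.group(1).lower(): (m.group(2) or m.group(3)) for m in _SWITCH_RE.finditer(cmd)}
    scope = [v for k, v in switches.items() if k in ("category", "subcategory")]
    return {
        "rule": "Detect Auditpol Exclude Category" if scope else "Auditpol with Set and Exclude Arguments",
        "severity": "high" if scope else "medium",
        "actor": event.get("User", ""),          # who ran auditpol
        "excluded_user": switches.get("user"),   # whose events are being suppressed
        "excluded_scope": scope,                 # categories/subcategories excluded
        "parent": event.get("ParentImage", ""),
        "command_line": cmd,
    }


def scan(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run classify_event over a batch and keep only the hits."""
    return [a for a in (classify_event(e) for e in events) if a]


# Constructed sample telemetry (not real events); user names and SID are made up.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\auditpol.exe", "User": r"CORP\admin-jdoe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'auditpol.exe /set /user:CORP\svc-backup /exclude /subcategory:"Logon" /success:enable /failure:enable'},
    {"EventID": 4688, "Image": r"C:\Windows\System32\auditpol.exe", "User": r"CORP\admin-jdoe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "auditpol /get /category:*"},                      # read-only query: benign
    {"EventID": 1, "Image": r"C:\Windows\System32\AUDITPOL.EXE", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'AUDITPOL /SET /USER:S-1-5-21-1111111111-2222222222-3333333333-1105 /EXCLUDE /CATEGORY:"Detailed Tracking" /SUCCESS:ENABLE'},
    {"EventID": 1, "Image": r"C:\Windows\System32\auditpol.exe", "User": r"CORP\admin-jdoe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'auditpol.exe /set /subcategory:"Process Creation" /success:enable'},  # system policy change, no /exclude
    {"EventID": 1, "Image": r"C:\Tools\notauditpol.exe", "User": r"CORP\dev",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notauditpol.exe /set /exclude"},                   # image name must match exactly
    {"EventID": 4688, "Image": r"C:\Windows\System32\auditpol.exe", "User": r"CORP\admin-jdoe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"auditpol.exe /set /user:corp\bob /exclude"},    # exclusion without a named scope
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f'[{alert["severity"]}] {alert["rule"]}: {alert["actor"]} excluded '
              f'{alert["excluded_user"]} from {alert["excluded_scope"] or "all configured categories"}')
```

On the six constructed events the detector raises three alerts (two high, one medium) and ignores the /get query, the system-wide /set without /exclude, and the look-alike binary. The separation of "actor" from "excluded_user" matters in triage: an exclusion targeting an account other than the one running the command, or one launched from an unusual parent such as a scripting host, is the pattern the advisory's investigation step is aimed at.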

Detection coverage (2 rules)

Detect Auditpol Exclude Category

high

Detects the use of auditpol.exe to exclude specific audit categories, potentially evading detection.

Format: Sigma; tactics: defense_evasion; techniques: T1562.002; sources: process_creation, windows

Auditpol with Set and Exclude Arguments

medium

Detects auditpol.exe executions that use the /set and /exclude arguments to modify audit policies.

Format: Sigma; tactics: defense_evasion; techniques: T1562.002; sources: process_creation, windows

Detection queries are kept inside the platform.