Severity: high
Type: advisory
Title: Windows Audit Policy Restored via Auditpol.exe
Coverage: 2 rules, 1 TTP
Description: Attackers may use auditpol.exe with the /restore argument to replace the existing audit policy with a malicious one, disabling auditing to evade detection, potentially leading to full machine compromise or lateral movement.
Products: Splunk Enterprise +2
Tags: auditpol, audit-policy, defense-evasion, windows
Severity: high
Type: advisory
Title: Windows Audit Policy Disabled
Coverage: 3 rules
Description: Detection of disabled important audit policies via Windows EventCode 4719, indicating potential attacker attempts to evade detection on a compromised domain controller, leading to data theft, privilege escalation, and network compromise.
Products: Splunk Enterprise +2
Tags: audit-policy, defense-evasion, windows