{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/audit-policy/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Security Event Logs"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows","audit-policy"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may disable auditing on a system in order to evade detection and forensic analysis. This is often done after initial compromise, to prevent security tools from logging their actions. This rule identifies attempts to disable auditing for specific security-sensitive audit policy sub-categories, providing defenders with insight into potential malicious activity. The rule leverages Windows Security Event Logs and specifically focuses on Event ID 4719, which indicates changes to the audit policy. It aggregates policy changes within 5-minute windows to identify removals of audit policies that are not re-enabled within the same timeframe, reducing false positives from temporary or legitimate policy changes. This detection logic is implemented using ES|QL in Elastic Stack version 9.3.0 and later.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the system through various means (e.g., phishing, exploitation of vulnerabilities).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker escalates their privileges to gain administrative or system-level access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker performs reconnaissance to identify the current audit policy settings and determine which sub-categories are enabled.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker executes commands or scripts to disable specific audit policy sub-categories, such as Logon, Audit Policy Change, Process Creation, Other System Events, Security Group Management, and User Account Management, using tools like \u003ccode\u003eauditpol.exe\u003c/code\u003e or modifying Group Policy Objects.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eActivity Execution:\u003c/strong\u003e With auditing disabled, the attacker performs malicious activities without generating relevant security logs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence mechanisms to maintain access to the system, such as creating scheduled tasks or modifying registry keys.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker moves laterally to other systems on the network, potentially disabling auditing on those systems as well.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObjective Completion:\u003c/strong\u003e The attacker achieves their objective, which could include data theft, system disruption, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of audit policies can severely impair an organization\u0026rsquo;s ability to detect and respond to security incidents. Without proper logging, malicious activities can go unnoticed, leading to prolonged compromises and increased damage. Disabling auditing can impact incident response efforts, making it difficult to determine the scope and impact of an attack. The risk score associated with this activity is 47, indicating a significant potential impact on security posture.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Policy Change auditing to generate the necessary events for this rule as described in the \u003ca href=\"https://ela.st/audit-policy-change\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect attempts to disable sensitive audit policy sub-categories. Tune the rule as necessary based on your environment and baseline activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the audit policy changes and identify potential malicious activity.\u003c/li\u003e\n\u003cli\u003eReview the \u003ca href=\"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4719\"\u003ereferences\u003c/a\u003e to understand the significance of Event ID 4719 and its implications for security monitoring.\u003c/li\u003e\n\u003cli\u003eConsider enabling Sysmon process creation logging with command line auditing to detect the use of tools such as \u003ccode\u003eauditpol.exe\u003c/code\u003e to modify audit policies.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-audit-policy-disabled/","summary":"This rule identifies attempts to disable auditing for security-sensitive audit policy sub-categories on Windows systems, often employed by attackers to evade detection and forensic analysis.","title":"Windows Audit Policy Sub-Category Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-audit-policy-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed — Audit-Policy","version":"https://jsonfeed.org/version/1.1"}