Windows Audit Policy Cleared via Auditpol

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

Attackers, including Red Teams, may attempt to disable or clear Windows audit policies to evade detection and prevent security analysts from identifying malicious activity. This involves using the auditpol.exe utility with the /clear or /remove command-line arguments, effectively erasing existing audit configurations. This action eliminates crucial data points that security teams rely on for detecting and responding to threats. By clearing audit policies, adversaries can operate with a reduced risk of being detected, potentially allowing for prolonged access and further exploitation of compromised systems. The activity is significant as it indicates a deliberate attempt to subvert security measures and gain an advantage within the targeted environment.

Attack Chain

The attacker gains initial access to the target system (e.g., via compromised credentials or exploiting a vulnerability).
The attacker escalates privileges to an account with sufficient permissions to modify audit policies.
The attacker executes auditpol.exe with the /clear or /remove command-line argument.
The auditpol.exe process modifies the system’s audit policy settings.
Windows event logging is disabled or significantly reduced due to the cleared audit policy.
The attacker performs malicious activities without generating standard audit logs.
The attacker moves laterally within the network to compromise additional systems.
The attacker achieves their final objective, such as data theft or deploying ransomware.

Impact

Clearing the Windows audit policy can have a severe impact on an organization’s security posture. The lack of audit logs hinders incident response efforts, making it difficult to investigate security incidents and identify compromised systems. Attackers can move laterally, steal sensitive data, or deploy ransomware without triggering standard alerts. This can result in significant financial losses, reputational damage, and regulatory penalties. In some instances, attackers might clear audit policies as a precursor to a larger attack campaign, such as the Solorigate supply chain attack.

Recommendation

Deploy the Sigma rule Detect Auditpol Clear Command to your SIEM to identify instances of auditpol.exe being used to clear audit policies.
Enable Sysmon process creation logging (Event ID 1) to capture the execution of auditpol.exe with command-line arguments.
Monitor Windows Event Log Security events (4688) for process creation events related to auditpol.exe.
Investigate any instances where auditpol.exe is executed with the /clear or /remove arguments, as this could indicate malicious activity.
Implement strict access controls to limit the number of accounts that can modify audit policies.
Deploy the Sigma rule Detect Auditpol Remove Command to detect auditpol.exe executions with /remove.

ESXi Audit Tampering Detection

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This detection identifies attempts to tamper with audit records on VMware ESXi hosts. Attackers with administrative privileges on an ESXi host can use the esxcli system auditrecords command to modify or delete audit logs. This can be done either remotely or locally on the host, and is indicative of an attacker attempting to cover their tracks, evade detection, and hinder subsequent forensic investigations. Successfully tampering with audit logs allows malicious actors to operate undetected within the environment, potentially leading to long-term compromise and data exfiltration. This activity is particularly relevant in cases involving ransomware, such as Black Basta, where attackers may attempt to erase evidence of their lateral movement and payload deployment.

Attack Chain

An attacker gains initial access to a system with privileges to access the ESXi host.
The attacker authenticates to the ESXi host, either locally or remotely, likely using compromised credentials.
The attacker executes the esxcli system auditrecords command.
The command is used with parameters to modify existing audit records, such as deleting entries or changing timestamps.
The attacker may target specific log entries related to their activities to erase evidence.
After tampering, the attacker continues their malicious activities (e.g., lateral movement, data exfiltration, or ransomware deployment) with reduced risk of detection.
The absence of relevant audit logs impairs incident response and forensic analysis efforts.

Impact

Successful tampering of ESXi audit records can severely hinder incident response and forensic analysis. Without accurate logs, security teams will struggle to determine the scope and timeline of an attack. In environments affected by ransomware like Black Basta, this can lead to delayed containment and increased data loss. The blurring of the attack timeline prevents recovery and remediation efforts. While there are no victim statistics available for this specific technique, the impact on affected organizations can be significant, resulting in financial losses, reputational damage, and regulatory fines.

Recommendation

Enable Syslog on all ESXi hosts and forward logs to a centralized logging server to ensure logs are captured and retained even if local logs are tampered with.
Deploy the Sigma rule “ESXi Audit Tampering Detection” to your SIEM to detect the usage of esxcli system auditrecords command.
Investigate any alerts triggered by the Sigma rule, focusing on the source and destination of the command execution.
Monitor the risk score associated with the impacted systems using the risk_objects field in the report.
Review access controls and privileges assigned to ESXi hosts to minimize the attack surface.

Audit-Tampering — CraftedSignal Threat Feed

Windows Audit Policy Cleared via Auditpol

Attack Chain

Impact

Recommendation

ESXi Audit Tampering Detection

Attack Chain

Impact

Recommendation