{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/audit_policy/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["defense_evasion","windows","audit_policy"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers often disable Windows auditing for security-sensitive audit policy sub-categories in an attempt to evade detection and forensic analysis on a system. This technique is part of a broader effort to impair defenses and hinder incident response. This detection identifies instances where specific audit policies, such as those related to logon events, process creation, and user account management, are disabled without being re-enabled within a defined time frame. This behavior is flagged by monitoring Windows Event ID 4719, which logs changes to audit policies. This rule is designed to detect potential attempts to undermine security monitoring and forensic capabilities on Windows endpoints.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system via phishing or exploiting a vulnerability (not described in source).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to an administrator level, which is required to modify audit policies (not described in source).\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eauditpol.exe\u003c/code\u003e or modifies Group Policy Objects (GPO) to disable specific audit policy sub-categories.\u003c/li\u003e\n\u003cli\u003eThe system generates Windows Event ID 4719, indicating a change in audit policy. This event contains information about the sub-category affected and the type of change (e.g., \u0026quot;Success removed\u0026quot;).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to perform actions without being logged by disabling audit policies for events such as logon, process creation, or user account management.\u003c/li\u003e\n\u003cli\u003eThe attacker avoids detection by clearing or tampering with event logs to remove any traces of their activities (not described in source).\u003c/li\u003e\n\u003cli\u003eThe attacker continues with their malicious activities, such as lateral movement, data exfiltration, or deploying ransomware, with reduced risk of detection (not described in source).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of audit policies can severely impair an organization's ability to detect and respond to security incidents. By removing critical audit logs, attackers can operate undetected, prolonging the duration of attacks and increasing the potential for data breaches, financial loss, and reputational damage. The absence of audit logs hinders forensic investigations, making it difficult to determine the scope and impact of an attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the 'Audit Audit Policy Change' logging policy is configured for (Success, Failure) as outlined in the setup instructions, to generate the necessary event logs for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Audit Policy Sub-Category Disabled\u0026quot; to your SIEM to identify instances where sensitive audit policies are disabled.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of Event ID 4719 where sensitive audit sub-categories are disabled, focusing on the associated processes and user accounts as described in the investigation steps.\u003c/li\u003e\n\u003cli\u003eReview and harden Group Policy settings related to audit policies to prevent unauthorized modifications, referencing Microsoft documentation on GPO management.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to provide additional context around processes that modify audit policies.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-audit-policy-disabled/","summary":"This rule detects attempts to disable auditing for security-sensitive audit policy sub-categories on Windows systems, often done by attackers to evade detection and forensic analysis.","title":"Windows Audit Policy Sub-Category Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-audit-policy-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed - Audit_policy","version":"https://jsonfeed.org/version/1.1"}