high
advisory
Windows Audit Policy Restored via Auditpol.exe
2 rules 1 TTP
Adversaries may run auditpol.exe with the /restore argument to replace the effective audit policy with one loaded from an attacker-supplied file, silencing the subcategories that would otherwise record their activity. This is defense evasion rather than a direct path to compromise: it removes the evidence of follow-on actions such as credential theft or lateral movement.
Splunk Enterprise +2
auditpol
audit-policy
defense-evasion
windows
high
advisory
Windows Audit Policy Disabled via Legacy Auditpol
2 rules 1 TTP
Adversaries may disable Windows audit policy settings with the legacy auditpol.exe utility, limiting the data available for security monitoring and incident response and so evading detection.
Windows +3
auditpol
defense-evasion
high
threat
Windows Audit Policy Security Descriptor Tampering via Auditpol
2 rules 1 TTP
Detects `auditpol.exe` executed with arguments that modify the audit policy security descriptor (`auditpol /set /sd:<SDDL>`), which governs who may read or change the policy. Adversaries tamper with it to lock in or conceal audit policy changes, limiting audit logging as a form of defense evasion.
Splunk Enterprise +2
auditpol
security descriptor
defense evasion
windows
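The three cards above describe command-line patterns of the same binary. As an added example (not the vendor rule content from any of the listed platforms), the Python below runs one approximation of all three detections over constructed process-creation events shaped like Windows Security 4688 / Sysmon EventID 1 records. It assumes the documented switches of the modern auditpol.exe (`/restore`, `/clear`, `/remove`, `/set` with `/success:disable` or `/failure:disable`, and `/set /sd:`) plus the `/disable` switch of the old Resource Kit build for the "legacy" case; the SDDL string and file paths are illustrative.

```python
"""Toy process-creation detections for the auditpol.exe tampering patterns
listed on this page. Editor's own example; not the vendor rule logic."""
import ntpath
import re

# Constructed sample events (reduced 4688 / Sysmon EID 1 fields).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\auditpol.exe",
     "CommandLine": r"auditpol.exe /restore /file:C:\Users\Public\pol.csv"},
    {"Image": r"C:\Windows\System32\auditpol.exe",
     "CommandLine": "auditpol /clear /y"},
    {"Image": r"C:\Windows\System32\auditpol.exe",
     "CommandLine": 'auditpol /set /subcategory:"Process Creation" /success:disable /failure:disable'},
    {"Image": r"C:\Windows\System32\auditpol.exe",
     "CommandLine": "auditpol /set /sd:D:(A;;DCSWRPDTRC;;;BA)"},   # SDDL is illustrative only
    {"Image": r"C:\Windows\System32\auditpol.exe",
     "CommandLine": "auditpol /get /category:*"},                 # benign read-only query
    {"Image": r"C:\Tools\auditpol.exe",
     "CommandLine": r"auditpol \\WS01 /disable"},                  # assumed Resource Kit syntax
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad pol.csv"},
]

# Tokenizer that keeps quoted values such as /subcategory:"Process Creation" together.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def parse_options(command_line):
    """Map every /name[:value] switch to its (lower-cased, unquoted) value."""
    opts = {}
    for tok in _TOKEN.findall(command_line):
        if tok.startswith("/"):
            name, _, value = tok[1:].partition(":")
            opts[name.lower()] = value.strip('"').lower()
    return opts


def classify_auditpol(event):
    """Return the page's pattern names matched by one process-creation event."""
    if ntpath.basename(event["Image"]).lower() != "auditpol.exe":
        return []
    opts = parse_options(event["CommandLine"])
    hits = []
    # Card 1: /restore swaps the whole effective policy for one from a file.
    if "restore" in opts:
        hits.append("Audit Policy Restored via Auditpol.exe")
    # Card 3: /set /sd:<SDDL> rewrites who may read or change the policy.
    if "set" in opts and "sd" in opts:
        hits.append("Audit Policy Security Descriptor Tampering via Auditpol")
    # Card 2: switches that turn auditing off (legacy /disable is an assumption).
    disabling = (
        "clear" in opts
        or "remove" in opts
        or "disable" in opts
        or ("set" in opts and "disable" in (opts.get("success"), opts.get("failure")))
    )
    if disabling:
        hits.append("Audit Policy Disabled via Auditpol")
    return hits


def scan(events):
    """Run the classifier over a batch and return (pattern, command line) pairs."""
    return [(rule, ev["CommandLine"]) for ev in events for rule in classify_auditpol(ev)]


if __name__ == "__main__":
    for rule, cmd in scan(SAMPLE_EVENTS):
        print(f"{rule}: {cmd}")
```

The read-only `/get` query and the unrelated notepad launch produce no hits, which is the check worth keeping in mind when tuning: alert on the switches that change policy, not on every auditpol.exe execution, or administrators auditing their own configuration will flood the queue.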