{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/auditpol/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["auditpol","audit-policy","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eAttackers or red teams may use \u003ccode\u003eauditpol.exe\u003c/code\u003e with the \u003ccode\u003e/restore\u003c/code\u003e command-line argument to restore the audit policy from a file, potentially disabling crucial security logging. This technique is significant because it allows adversaries to bypass defenses and plan further attacks without being detected. The activity is typically observed using Endpoint Detection and Response (EDR) agents that monitor process executions and command-line arguments. The goal is often to limit the data available for detections and audits, creating a blind spot for defenders. Disabling or modifying audit policies can precede or accompany other malicious activities to hinder incident response and forensic investigations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., through compromised credentials or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to a level where they can modify the audit policy.\u003c/li\u003e\n\u003cli\u003eThe attacker prepares a malicious audit policy file that disables or reduces auditing.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003eauditpol.exe\u003c/code\u003e with the \u003ccode\u003e/restore\u003c/code\u003e parameter, specifying the path to the malicious audit policy file.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eauditpol.exe\u003c/code\u003e replaces the existing audit policy with the attacker-supplied policy.\u003c/li\u003e\n\u003cli\u003eAuditing is reduced or disabled, preventing the collection of security-relevant events.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities, such as lateral movement, data exfiltration, or installing malware, without being properly logged.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective with a reduced risk of detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this technique can severely impair an organization\u0026rsquo;s ability to detect and respond to attacks. By disabling or reducing audit logging, attackers can operate with impunity, making it difficult to trace their actions and identify compromised systems. This can lead to a delayed response, allowing attackers to cause more damage, exfiltrate sensitive data, or establish a persistent foothold in the network. The impact ranges from data breaches and financial losses to reputational damage and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAuditpol.exe Restoring Audit Policy\u003c/code\u003e to your SIEM and tune for your environment to detect suspicious \u003ccode\u003eauditpol.exe\u003c/code\u003e executions.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events (Sysmon EventID 1, Windows Event Log Security 4688) for \u003ccode\u003eauditpol.exe\u003c/code\u003e executions with the \u003ccode\u003e/restore\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to prevent unauthorized modification of audit policies.\u003c/li\u003e\n\u003cli\u003eReview audit policy configurations regularly to ensure they have not been tampered with.\u003c/li\u003e\n\u003cli\u003eWhitelist legitimate uses of \u003ccode\u003eauditpol.exe /restore\u003c/code\u003e with known parent processes to reduce false positives, as described in the Known False Positives section.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003eauditpol.exe /restore\u003c/code\u003e as high-priority incidents, given the potential for defense evasion.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-auditpol-restore/","summary":"Attackers may use auditpol.exe with the /restore argument to replace the existing audit policy with a malicious one, disabling auditing to evade detection, potentially leading to full machine compromise or lateral movement.","title":"Windows Audit Policy Restored via Auditpol.exe","url":"https://feed.craftedsignal.io/briefs/2024-01-auditpol-restore/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["auditpol","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThe legacy \u003ccode\u003eauditpol.exe\u003c/code\u003e utility, included with the Windows 2000 Resource Kit Tools, can be used to disable specific logging categories in the audit policy. This technique is often employed by adversaries and Red Teams to evade detection by reducing the amount of data available for security monitoring and incident response. This behavior, if confirmed malicious, can enable attackers to bypass defenses, potentially leading to full machine compromise or lateral movement. The use of \u003ccode\u003eauditpol.exe\u003c/code\u003e with the \u003ccode\u003e/disable\u003c/code\u003e argument, or category flags followed by the \u003ccode\u003enone\u003c/code\u003e option, indicates a deliberate attempt to tamper with system auditing configurations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised system through various means.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003eauditpol.exe\u003c/code\u003e from the command line.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003e/disable\u003c/code\u003e parameter to disable auditing globally.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses category-specific flags (e.g., \u003ccode\u003e/system\u003c/code\u003e, \u003ccode\u003e/logon\u003c/code\u003e, \u003ccode\u003e/object\u003c/code\u003e) with the \u003ccode\u003enone\u003c/code\u003e option to disable auditing for those specific categories.\u003c/li\u003e\n\u003cli\u003eThe command is executed with sufficient privileges to modify the audit policy.\u003c/li\u003e\n\u003cli\u003eWindows processes the command and updates the system\u0026rsquo;s audit policy accordingly.\u003c/li\u003e\n\u003cli\u003eLogging for the specified categories is disabled, reducing the visibility of attacker activity.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds with further malicious actions, knowing that their activities are less likely to be detected due to the reduced audit logging.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack can lead to significant gaps in security monitoring. With auditing disabled, security teams lose visibility into critical system events, making it more difficult to detect and respond to ongoing attacks. Attackers can exploit this lack of visibility to move laterally within the network, escalate privileges, and exfiltrate sensitive data without being detected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) and Windows Security Event Log (4688) to detect the execution of \u003ccode\u003eauditpol.exe\u003c/code\u003e with suspicious command-line arguments.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Auditpol Usage\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eReview and harden audit policies to prevent unauthorized modifications, as detailed in the Microsoft documentation.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for processes disabling audit logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-auditpol-disable/","summary":"Adversaries may disable Windows audit policies using the legacy auditpol.exe utility to evade detection by limiting the data available for security monitoring and incident response.","title":"Windows Audit Policy Disabled via Legacy Auditpol","url":"https://feed.craftedsignal.io/briefs/2024-01-auditpol-disable/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["auditpol","security descriptor","defense evasion","windows"],"_cs_type":"threat","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis brief focuses on the misuse of \u003ccode\u003eauditpol.exe\u003c/code\u003e to tamper with Windows audit policy security descriptors. Attackers, including red teams, may leverage this technique to evade defenses by limiting the scope and effectiveness of audit logging. By modifying the security descriptor of the audit policy, adversaries can restrict access and prevent certain users or applications from reverting unauthorized changes. This activity is typically executed after disabling specific policy categories from logging. The modification aims to weaken security monitoring, thereby facilitating further malicious operations without raising immediate alarms. The successful execution of this tampering could lead to full machine compromise or lateral movement, as attackers operate with reduced visibility.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is achieved through existing system privileges or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker disables specific audit policy categories using \u003ccode\u003eauditpol.exe\u003c/code\u003e to reduce the volume of logged events.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eauditpol.exe\u003c/code\u003e is executed with the \u003ccode\u003e/set\u003c/code\u003e flag and \u003ccode\u003e/sd\u003c/code\u003e parameter to modify the security descriptor of the audit policy.\u003c/li\u003e\n\u003cli\u003eThe modified security descriptor restricts access to the audit policy, preventing certain users or applications from reverting the changes.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the reduced audit visibility to perform reconnaissance activities, such as discovering credentials or mapping the network.\u003c/li\u003e\n\u003cli\u003eMalicious tools, like custom scripts or malware, are deployed and executed without triggering audit-based alerts.\u003c/li\u003e\n\u003cli\u003eLateral movement is initiated to compromise other systems within the network, expanding the attacker\u0026rsquo;s footprint.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which may include data exfiltration, ransomware deployment, or long-term persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful tampering with the audit policy security descriptor can lead to a significant reduction in security visibility. This can allow attackers to operate undetected for extended periods, increasing the likelihood of successful data breaches, ransomware attacks, or other malicious activities. While the exact number of victims and sectors targeted is not specified, the potential impact is widespread across any organization relying on Windows audit logging for security monitoring. A successful attack can result in substantial financial losses, reputational damage, and regulatory penalties.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAuditpol Security Descriptor Modification\u003c/code\u003e to your SIEM to detect the use of \u003ccode\u003eauditpol.exe\u003c/code\u003e with arguments indicative of security descriptor tampering.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 process creation logging to provide the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003eauditpol.exe\u003c/code\u003e execution with the \u003ccode\u003e/set\u003c/code\u003e and \u003ccode\u003e/sd\u003c/code\u003e flags, as these are rarely legitimate in normal system administration.\u003c/li\u003e\n\u003cli\u003eRegularly review and validate the integrity of Windows audit policies to ensure they have not been tampered with.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls for \u003ccode\u003eauditpol.exe\u003c/code\u003e to prevent unauthorized users from modifying audit policies.\u003c/li\u003e\n\u003cli\u003eUse a host-based intrusion detection system (HIDS) to monitor for unauthorized modifications to the audit policy security descriptor.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-auditpol-security-descriptor-tampering/","summary":"Detection of `auditpol.exe` execution with arguments to modify the audit policy security descriptor, indicative of defense evasion by adversaries aiming to limit audit logging.","title":"Windows Audit Policy Security Descriptor Tampering via Auditpol","url":"https://feed.craftedsignal.io/briefs/2024-01-auditpol-security-descriptor-tampering/"}],"language":"en","title":"CraftedSignal Threat Feed — Auditpol","version":"https://jsonfeed.org/version/1.1"}