https://feed.craftedsignal.io/tags/auditpol/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 15:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-auditpol-restore/Wed, 03 Jan 2024 15:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-auditpol-restore/Attackers may use auditpol.exe with the /restore argument to replace the existing audit policy with a malicious one, disabling auditing to evade detection, potentially leading to full machine compromise or lateral movement.Attackers or red teams may use auditpol.exe with the /restore command-line argument to restore the audit policy from a file, potentially disabling crucial security logging. This technique is significant because it allows adversaries to bypass defenses and plan further attacks without being detected. The activity is typically observed using Endpoint Detection and Response (EDR) agents that monitor process executions and command-line arguments. The goal is often to limit the data available for detections and audits, creating a blind spot for defenders. Disabling or modifying audit policies can precede or accompany other malicious activities to hinder incident response and forensic investigations.

Attack Chain

1. The attacker gains initial access to the system (e.g., through compromised credentials or exploiting a vulnerability).
2. The attacker elevates privileges to a level where they can modify the audit policy.
3. The attacker prepares a malicious audit policy file that disables or reduces auditing.
4. The attacker executes auditpol.exe with the /restore parameter, specifying the path to the malicious audit policy file.
5. auditpol.exe replaces the existing audit policy with the attacker-supplied policy.
6. Auditing is reduced or disabled, preventing the collection of security-relevant events.
7. The attacker performs malicious activities, such as lateral movement, data exfiltration, or installing malware, without being properly logged.
8. The attacker achieves their objective with a reduced risk of detection.

Impact

Successful execution of this technique can severely impair an organization’s ability to detect and respond to attacks. By disabling or reducing audit logging, attackers can operate with impunity, making it difficult to trace their actions and identify compromised systems. This can lead to a delayed response, allowing attackers to cause more damage, exfiltrate sensitive data, or establish a persistent foothold in the network. The impact ranges from data breaches and financial losses to reputational damage and legal liabilities.

Recommendation

• Deploy the Sigma rule Auditpol.exe Restoring Audit Policy to your SIEM and tune for your environment to detect suspicious auditpol.exe executions.
• Monitor process creation events (Sysmon EventID 1, Windows Event Log Security 4688) for auditpol.exe executions with the /restore argument.
• Implement strict access controls to prevent unauthorized modification of audit policies.
• Review audit policy configurations regularly to ensure they have not been tampered with.
• Whitelist legitimate uses of auditpol.exe /restore with known parent processes to reduce false positives, as described in the Known False Positives section.
• Investigate any instances of auditpol.exe /restore as high-priority incidents, given the potential for defense evasion.

]]>highadvisoryauditpolaudit-policydefense-evasionwindowshttps://feed.craftedsignal.io/briefs/2024-01-auditpol-disable/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-auditpol-disable/Adversaries may disable Windows audit policies using the legacy auditpol.exe utility to evade detection by limiting the data available for security monitoring and incident response.The execution of the legacy auditpol.exe utility, included with the Windows 2000 Resource Kit Tools, is used to disable specific logging categories from the audit policy. This technique is often employed by adversaries and Red Teams to evade detection by reducing the amount of data available for security monitoring and incident response. This behavior, if confirmed malicious, can enable attackers to bypass defenses, potentially leading to full machine compromise or lateral movement. The use of auditpol.exe with the /disable argument, or category flags followed by the none option, indicates a deliberate attempt to tamper with system auditing configurations.

Attack Chain

1. An attacker gains initial access to a compromised system through various means.
2. The attacker executes auditpol.exe from the command line.
3. The attacker uses the /disable parameter to disable auditing globally.
4. Alternatively, the attacker uses category-specific flags (e.g., /system, /logon, /object) with the none option to disable auditing for those specific categories.
5. The command is executed with sufficient privileges to modify the audit policy.
6. Windows processes the command and updates the system’s audit policy accordingly.
7. Logging for the specified categories is disabled, reducing the visibility of attacker activity.
8. The attacker proceeds with further malicious actions, knowing that their activities are less likely to be detected due to the reduced audit logging.

Impact

Successful execution of this attack can lead to significant gaps in security monitoring. With auditing disabled, security teams lose visibility into critical system events, making it more difficult to detect and respond to ongoing attacks. Attackers can exploit this lack of visibility to move laterally within the network, escalate privileges, and exfiltrate sensitive data without being detected.

Recommendation

• Enable Sysmon process creation logging (Event ID 1) and Windows Security Event Log (4688) to detect the execution of auditpol.exe with suspicious command-line arguments.
• Deploy the Sigma rule Detect Auditpol Usage to your SIEM and tune for your environment.
• Review and harden audit policies to prevent unauthorized modifications, as detailed in the Microsoft documentation.
• Monitor process execution for processes disabling audit logs.

]]>highadvisoryauditpoldefense-evasionwindowshttps://feed.craftedsignal.io/briefs/2024-01-auditpol-security-descriptor-tampering/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-auditpol-security-descriptor-tampering/Detection of `auditpol.exe` execution with arguments to modify the audit policy security descriptor, indicative of defense evasion by adversaries aiming to limit audit logging.This brief focuses on the misuse of auditpol.exe to tamper with Windows audit policy security descriptors. Attackers, including red teams, may leverage this technique to evade defenses by limiting the scope and effectiveness of audit logging. By modifying the security descriptor of the audit policy, adversaries can restrict access and prevent certain users or applications from reverting unauthorized changes. This activity is typically executed after disabling specific policy categories from logging. The modification aims to weaken security monitoring, thereby facilitating further malicious operations without raising immediate alarms. The successful execution of this tampering could lead to full machine compromise or lateral movement, as attackers operate with reduced visibility.

Attack Chain

1. Initial access is achieved through existing system privileges or exploitation of a vulnerability.
2. The attacker disables specific audit policy categories using auditpol.exe to reduce the volume of logged events.
3. auditpol.exe is executed with the /set flag and /sd parameter to modify the security descriptor of the audit policy.
4. The modified security descriptor restricts access to the audit policy, preventing certain users or applications from reverting the changes.
5. The attacker leverages the reduced audit visibility to perform reconnaissance activities, such as discovering credentials or mapping the network.
6. Malicious tools, like custom scripts or malware, are deployed and executed without triggering audit-based alerts.
7. Lateral movement is initiated to compromise other systems within the network, expanding the attacker’s footprint.
8. The attacker achieves their final objective, which may include data exfiltration, ransomware deployment, or long-term persistence.

Impact

Successful tampering of the audit policy security descriptor can lead to a significant reduction in security visibility. This can allow attackers to operate undetected for extended periods, increasing the likelihood of successful data breaches, ransomware attacks, or other malicious activities. While the exact number of victims and sectors targeted is not specified, the potential impact is widespread across any organization relying on Windows audit logging for security monitoring. A successful attack can result in substantial financial losses, reputational damage, and regulatory penalties.

Recommendation

• Deploy the Sigma rule Auditpol Security Descriptor Modification to your SIEM to detect the use of auditpol.exe with arguments indicative of security descriptor tampering.
• Enable Sysmon Event ID 1 process creation logging to provide the necessary data for the Sigma rule to function effectively.
• Investigate any instances of auditpol.exe execution with the /set and /sd flags, as these are rarely legitimate in normal system administration.
• Regularly review and validate the integrity of Windows audit policies to ensure they have not been tampered with.
• Implement strict access controls for auditpol.exe to prevent unauthorized users from modifying audit policies.
• Use a host-based intrusion detection system (HIDS) to monitor for unauthorized modifications to the audit policy security descriptor.

]]>highthreatauditpolsecurity descriptordefense evasionwindows