{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/security-descriptor/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["auditpol","security descriptor","defense evasion","windows"],"_cs_type":"threat","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis brief covers the misuse of \u003ccode\u003eauditpol.exe\u003c/code\u003e to tamper with the security descriptor that controls access to the Windows audit policy. Adversaries, including red teams, use this technique (MITRE ATT\u0026CK T1562.002, Impair Defenses: Disable Windows Event Logging) to evade defenses by limiting the scope and effectiveness of audit logging. By replacing the security descriptor, an attacker can restrict which principals may read or change the audit policy, preventing administrators, management agents or scripts from reverting unauthorized changes. This step typically follows the disabling of specific audit categories or subcategories. The goal is to weaken security monitoring so that subsequent operations proceed without raising alerts; because the attacker then operates with reduced visibility, successful tampering can lead to full machine compromise or lateral movement.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker obtains local administrator rights, through an existing privileged account or by exploiting a vulnerability. Changing audit policy requires the \u003ccode\u003eManage auditing and security log\u003c/code\u003e user right (SeSecurityPrivilege), which administrators hold by default.\u003c/li\u003e\n\u003cli\u003eThe attacker disables specific audit policy categories or subcategories with \u003ccode\u003eauditpol.exe /set\u003c/code\u003e to reduce the volume of logged events.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eauditpol.exe\u003c/code\u003e is executed with the \u003ccode\u003e/set\u003c/code\u003e flag and the \u003ccode\u003e/sd\u003c/code\u003e parameter, supplying a new security descriptor in SDDL form for the audit policy.\u003c/li\u003e\n\u003cli\u003eThe modified security descriptor restricts access to the audit policy, so other users, agents or scripts can no longer read or revert the changes.\u003c/li\u003e\n\u003cli\u003eWith audit visibility reduced, the attacker performs reconnaissance such as discovering credentials or mapping the network.\u003c/li\u003e\n\u003cli\u003eMalicious tools, such as custom scripts or malware, are deployed and executed without triggering audit-based alerts.\u003c/li\u003e\n\u003cli\u003eLateral movement to other systems in the network expands the attacker\u0026rsquo;s footprint.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves the final objective, which may include data exfiltration, ransomware deployment or long-term persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful tampering with the audit policy security descriptor significantly reduces security visibility. Attackers can then operate undetected for extended periods, increasing the likelihood of data breaches, ransomware attacks or other malicious activity. The exact number of victims and the sectors targeted are not specified, but any organization that relies on Windows audit logging for security monitoring is exposed. A successful attack can result in substantial financial losses, reputational damage and regulatory penalties.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAuditpol Security Descriptor Modification\u003c/code\u003e to your SIEM to detect \u003ccode\u003eauditpol.exe\u003c/code\u003e executions whose arguments indicate security descriptor tampering.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 process creation logging (or Windows Security Event ID 4688 with command-line auditing) so that the rule has full command lines to match on.\u003c/li\u003e\n\u003cli\u003eInvestigate every execution of \u003ccode\u003eauditpol.exe\u003c/code\u003e with the \u003ccode\u003e/set\u003c/code\u003e and \u003ccode\u003e/sd\u003c/code\u003e flags; this combination is rarely legitimate in routine system administration. Read-only use such as \u003ccode\u003eauditpol /get /sd\u003c/code\u003e is expected and should not be treated as tampering.\u003c/li\u003e\n\u003cli\u003eRegularly review and validate the integrity of Windows audit policies, for example by comparing the output of \u003ccode\u003eauditpol /get /category:*\u003c/code\u003e and \u003ccode\u003eauditpol /get /sd\u003c/code\u003e against a known-good baseline, and alert on Security Event ID 4719 (System audit policy was changed) for the category-disabling step. An attacker who has already disabled the Audit Policy Change subcategory can suppress that event, so command-line telemetry remains the primary signal.\u003c/li\u003e\n\u003cli\u003eRestrict who can modify audit policy: limit the \u003ccode\u003eManage auditing and security log\u003c/code\u003e user right to accounts that need it, and use application control such as AppLocker or WDAC to restrict execution of \u003ccode\u003eauditpol.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eUse a host-based intrusion detection system (HIDS) to monitor for unauthorized modifications to the audit policy security descriptor.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-auditpol-security-descriptor-tampering/","summary":"Detection of `auditpol.exe` execution with arguments to modify the audit policy security descriptor, indicative of defense evasion by adversaries aiming to limit audit logging.","title":"Windows Audit Policy Security Descriptor Tampering via Auditpol","url":"https://feed.craftedsignal.io/briefs/2024-01-auditpol-security-descriptor-tampering/"}],"language":"en","title":"CraftedSignal Threat Feed — Security Descriptor","version":"https://jsonfeed.org/version/1.1"}
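As an added example for the detection points in the brief's Recommendation list (this is not the Sigma rule, any Splunk content, or code from the feed), the following Python runs the `/set` plus `/sd` detection logic over constructed Sysmon Event ID 1 records. It goes slightly beyond the brief: it also flags the preceding category-disabling step at lower severity, ignores read-only `auditpol /get /sd`, and matches a renamed copy of auditpol.exe by its PE OriginalFileName. Field names follow Sysmon's Event ID 1 schema (Image, CommandLine, OriginalFileName, User, Computer); the assumption that OriginalFileName is populated as AUDITPOL.EXE, and the hostnames, users and SDDL string, are illustrative.

```python
"""Flag auditpol.exe audit-policy tampering in Sysmon Event ID 1 (process creation) records.

Added example for this brief; it is not the Sigma rule or any vendor code.
The sample events at the bottom are constructed, not real telemetry.
"""
import json
import re
from typing import Iterable, Optional

# "/set" as a standalone argument, "/sd" with or without an SDDL value, and
# category/subcategory disabling. auditpol ignores flag case, so the regexes do too.
SET_FLAG = re.compile(r"(?:^|\s)/set(?=\s|$)", re.IGNORECASE)
SD_FLAG = re.compile(r"(?:^|\s)/sd(?=:|\s|$)", re.IGNORECASE)
DISABLE_FLAG = re.compile(r"/(?:success|failure):disable\b", re.IGNORECASE)


def is_auditpol(event: dict) -> bool:
    """Match by image path, or by PE OriginalFileName when the binary was copied and renamed.
    Assumption: Sysmon's OriginalFileName field carries the PE header name (AUDITPOL.EXE)."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\auditpol.exe") or original == "auditpol.exe"


def classify(event: dict) -> Optional[str]:
    """Return a finding tag for an auditpol process-creation event, or None.

    sd_tampering      - /set with /sd: the audit policy security descriptor is replaced (high)
    category_disabled - /set with /success:disable or /failure:disable: logging reduced (medium)
    Read-only use such as 'auditpol /get /sd' is not flagged.
    """
    if event.get("EventID") != 1 or not is_auditpol(event):
        return None
    cmd = event.get("CommandLine", "")
    if not SET_FLAG.search(cmd):
        return None
    if SD_FLAG.search(cmd):
        return "sd_tampering"
    if DISABLE_FLAG.search(cmd):
        return "category_disabled"
    return None


def scan(lines: Iterable[str]) -> list:
    """Run classify() over JSON-lines Sysmon events; malformed lines are skipped."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        tag = classify(event)
        if tag:
            findings.append((tag, event.get("Computer"), event.get("User"), event.get("CommandLine")))
    return findings


# Constructed sample telemetry (hostnames, users and the SDDL string are illustrative).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "ws01", "User": "CORP\\admin",
     "Image": "C:\\Windows\\System32\\auditpol.exe", "OriginalFileName": "AUDITPOL.EXE",
     "CommandLine": "auditpol /get /category:*"},                      # benign policy read
    {"EventID": 1, "Computer": "ws01", "User": "CORP\\admin",
     "Image": "C:\\Windows\\System32\\auditpol.exe", "OriginalFileName": "AUDITPOL.EXE",
     "CommandLine": "auditpol /get /sd"},                              # benign descriptor read
    {"EventID": 1, "Computer": "ws01", "User": "CORP\\admin",
     "Image": "C:\\Windows\\System32\\auditpol.exe", "OriginalFileName": "AUDITPOL.EXE",
     "CommandLine": "auditpol /set /subcategory:\"Process Creation\" /success:disable /failure:disable"},
    {"EventID": 1, "Computer": "ws01", "User": "CORP\\admin",
     "Image": "C:\\Windows\\System32\\auditpol.exe", "OriginalFileName": "AUDITPOL.EXE",
     "CommandLine": "auditpol /set /sd:D:(A;;DCSWRPDTRC;;;BA)"},       # descriptor replaced
    {"EventID": 1, "Computer": "ws01", "User": "CORP\\admin",
     "Image": "C:\\Users\\Public\\svc.exe", "OriginalFileName": "AUDITPOL.EXE",
     "CommandLine": "svc.exe /SET /SD:D:(A;;DCSWRPDTRC;;;BA)"},        # renamed copy, upper-case flags
    {"EventID": 1, "Computer": "ws01", "User": "CORP\\user",
     "Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c dir /s /sd"},                          # not auditpol: ignored
]


def run_sample() -> list:
    """Return the finding tags produced for SAMPLE_EVENTS, in order."""
    return [tag for tag, *_ in scan(json.dumps(e) for e in SAMPLE_EVENTS)]


if __name__ == "__main__":
    for finding in scan(json.dumps(e) for e in SAMPLE_EVENTS):
        print(finding)
```

The `/set` check is applied first so that `auditpol /get /sd`, which administrators legitimately run to inspect the descriptor, produces no finding; only a `/set` that carries `/sd` is rated as descriptor tampering, and a `/set` that merely disables success or failure auditing is reported separately so the two steps of the attack chain can be correlated.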