
Commit 9925f0d

Update windows_audit_policy_tampering.yml
1 parent abfbe7a commit 9925f0d

File tree

1 file changed

+1
-3
lines changed


stories/windows_audit_policy_tampering.yml

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -5,9 +5,7 @@ date: '2025-01-28'
55
author: Nasreddine Bencherchali, Splunk
66
status: production
77
description: Adversaries often attempt to manipulate Windows audit policies to disable or suppress logging, allowing malicious activities to go undetected. This analytic story covers groups searches that are designed to monitor and detect suspicious actions involving `auditpol.exe` or other methods used to modify, clear, or remove audit policy configurations.
8-
narrative: Windows audit policies play a critical role in ensuring that key system activities are logged for monitoring and forensic purposes. Attackers often target audit policies by modifying, clearing, or disabling them, typically using utilities like `auditpol.exe`, to avoid detection during their operations.
9-
Monitoring for changes to audit policies is an industry-recognized best practice and helps uncover potential malicious activity. While legitimate administrators may occasionally modify audit policies, it is vital to track who performed the modifications, when they occurred, and the specific changes made. Unauthorized tampering with audit configurations may indicate an attempt to suppress evidence or disrupt security monitoring.
10-
This Analytic Story provides a framework to detect suspicious activities involving audit policy manipulation. It includes analytics to identify the use of `auditpol.exe` with specific flags (e.g., `/set`, `/clear`) and other patterns of audit tampering. These detections are critical for investigating potential breaches and maintaining the integrity of security monitoring mechanisms.
8+
narrative: Windows audit policies play a critical role in ensuring that key system activities are logged for monitoring and forensic purposes. Attackers often target audit policies by modifying, clearing, or disabling them, typically using utilities like `auditpol.exe`, to avoid detection during their operations. Monitoring for changes to audit policies is an industry-recognized best practice and helps uncover potential malicious activity. While legitimate administrators may occasionally modify audit policies, it is vital to track who performed the modifications, when they occurred, and the specific changes made. Unauthorized tampering with audit configurations may indicate an attempt to suppress evidence or disrupt security monitoring. This Analytic Story provides a framework to detect suspicious activities involving audit policy manipulation. It includes analytics to identify the use of `auditpol.exe` with specific flags (e.g., `/set`, `/clear`) and other patterns of audit tampering. These detections are critical for investigating potential breaches and maintaining the integrity of security monitoring mechanisms.
119
references:
1210
- https://www.microsoft.com/en-us/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
1311
- https://www.cybereason.com/blog/research/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities
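Review bot: Joining the three narrative paragraphs into one line (8+) discards the paragraph breaks that lines 8-, 9- and 10- carried, so any page that renders the story now shows the narrative as a single dense block. If the goal is to keep `narrative` a single valid YAML value, a block scalar preserves both: `narrative: |` followed by the same three paragraphs indented two spaces, with the blank lines between them kept. Unrelated but visible in the unchanged context: the description reads "covers groups searches", which is likely a leftover from an edit and should probably be "covers searches" or "groups searches".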
