Analytics Story: Windows Audit Policy Tampering

Description

Adversaries often manipulate Windows audit policies to disable or suppress logging so that their activity goes unrecorded. This analytic story groups together searches designed to monitor and detect suspicious actions involving auditpol.exe, or other methods used to modify, clear, or remove audit policy configurations.

Why it matters

Windows audit policies determine which system activities are logged for monitoring and forensic purposes. Attackers modify, clear, or disable them, typically with auditpol.exe, to avoid detection during an operation. Monitoring audit policy changes is a widely recognized best practice and helps surface malicious activity. Legitimate administrators do occasionally change audit policies, so the goal is to record who made the change, when it occurred, and exactly what changed; unexplained changes to the audit configuration may indicate an attempt to suppress evidence or blind security monitoring. This analytic story provides a framework for detecting audit policy manipulation. It includes analytics that identify auditpol.exe invoked with specific flags (for example /set or /clear) and other patterns of audit tampering. These detections support breach investigations and protect the integrity of the security monitoring pipeline itself.
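The following is an added example, not Splunk's own detection content: it shows the flag-level classification the paragraph describes, applied to process-creation events in plain Python. The sample events are constructed for this example; their field names (Image, OriginalFileName, CommandLine, User, Computer, UtcTime) mirror what a Sysmon EventID 1 or Security 4688 event exposes, but treat them as assumptions of the example rather than a schema.

```python
"""Classify auditpol.exe invocations from process-creation telemetry and
report who ran what, when. Added example; the events below are constructed."""
import ntpath
import re
from typing import Optional

# Matches "/flag" or "/flag:value". A quoted value may itself contain a slash
# (e.g. /category:"Logon/Logoff"), so the quoted alternative is tried first.
_ARG_RE = re.compile(r'/([A-Za-z]+)(?::("[^"]*"|\S+))?')


def parse_auditpol_args(cmdline: str) -> dict:
    """Return {flag (lower-cased): value (quotes stripped)} for each /flag."""
    return {flag.lower(): value.strip('"') for flag, value in _ARG_RE.findall(cmdline)}


def is_auditpol(event: dict) -> bool:
    """Match on the image name or on the PE OriginalFileName, so a renamed
    copy of auditpol.exe still matches when the sensor reports that field."""
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    return image == "auditpol.exe" or original == "auditpol.exe"


def classify_auditpol(cmdline: str) -> Optional[str]:
    """Name the tampering action, or None when the command only reads policy
    (/get, /list, /backup) or enables auditing."""
    a = parse_auditpol_args(cmdline)

    def lowered(key: str) -> str:
        return a.get(key, "").lower()

    # /resourceSACL /clear removes global object access auditing; check it
    # before the generic /clear so it is reported under its own name.
    if "resourcesacl" in a and ("clear" in a or "remove" in a):
        return "global object access audit list cleared"
    if "clear" in a:
        return "audit policy cleared"
    if "remove" in a:
        return "per-user audit policy removed"
    if "restore" in a:
        return "audit policy restored from " + (a.get("file") or "file")
    if "set" in a:
        if "sd" in a:
            return "audit policy security descriptor changed"
        if "option" in a and lowered("value") == "disable":
            return "auditing option disabled: " + a["option"]
        if "user" in a and "exclude" in a:
            return "per-user audit exclusion added for " + a["user"]
        target = a.get("subcategory") or a.get("category")
        if target and (lowered("success") == "disable" or lowered("failure") == "disable"):
            return "auditing disabled for " + target
    return None


def triage(events: list) -> list:
    """One finding per suspicious auditpol invocation, keeping the who/when/
    where context an investigator needs to confirm or rule out admin activity."""
    findings = []
    for ev in events:
        if not is_auditpol(ev):
            continue
        action = classify_auditpol(ev.get("CommandLine", ""))
        if action is None:
            continue
        findings.append({"time": ev.get("UtcTime"), "host": ev.get("Computer"),
                         "user": ev.get("User"), "action": action,
                         "command": ev.get("CommandLine")})
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"UtcTime": "2024-05-01 10:02:11", "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\auditpol.exe",
     "CommandLine": "auditpol.exe /get /category:*"},
    {"UtcTime": "2024-05-01 10:04:37", "Computer": "WS01", "User": "CORP\\svc_backup",
     "Image": "C:\\Windows\\System32\\auditpol.exe",
     "CommandLine": 'auditpol.exe /set /category:"Logon/Logoff" /success:disable /failure:disable'},
    {"UtcTime": "2024-05-01 10:05:02", "Computer": "WS01", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\auditpol.exe",
     "CommandLine": "auditpol /clear /y"},
    {"UtcTime": "2024-05-01 10:06:19", "Computer": "WS01", "User": "CORP\\svc_backup",
     "Image": "C:\\Users\\Public\\up.exe", "OriginalFileName": "AUDITPOL.EXE",
     "CommandLine": "up.exe /set /option:CrashOnAuditFail /value:disable"},
    {"UtcTime": "2024-05-01 10:07:44", "Computer": "WS01", "User": "CORP\\svc_backup",
     "Image": "C:\\Windows\\System32\\auditpol.exe",
     "CommandLine": "auditpol.exe /resourceSACL /type:File /clear"},
    {"UtcTime": "2024-05-01 10:09:00", "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\auditpol.exe",
     "CommandLine": 'auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable'},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']} {f['user']}: {f['action']} <- {f['command']}")
```

Two points the classifier makes visible: read-only and enabling commands (/get, /backup, /success:enable) are deliberately not findings, and a renamed binary is caught only because the sensor supplies OriginalFileName, which Security 4688 does not. In practice the command-line match should be corroborated with Security 4719 (System audit policy was changed), which records the policy change itself regardless of the tool used, and with Sysmon EventID 13 for changes made directly in the registry.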

Detections

Name | Technique | Type
Windows AD Domain Controller Audit Policy Disabled | Disable or Modify Tools | TTP
Windows Audit Policy Auditing Option Disabled via Auditpol | Disable Windows Event Logging | TTP
Windows Audit Policy Auditing Option Modified - Registry | Active Setup | Anomaly
Windows Audit Policy Cleared via Auditpol | Disable Windows Event Logging | TTP
Windows Audit Policy Disabled via Auditpol | Disable Windows Event Logging | Anomaly
Windows Audit Policy Disabled via Legacy Auditpol | Disable Windows Event Logging | Anomaly
Windows Audit Policy Excluded Category via Auditpol | Disable Windows Event Logging | Anomaly
Windows Audit Policy Restored via Auditpol | Disable Windows Event Logging | Anomaly
Windows Audit Policy Security Descriptor Tampering via Auditpol | Disable Windows Event Logging | Anomaly
Windows Global Object Access Audit List Cleared Via Auditpol | Disable Windows Event Logging | TTP
Windows Important Audit Policy Disabled | Disable or Modify Tools | TTP

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4719 | Windows | xmlwineventlog | XmlWinEventLog:Security

Source: GitHub | Version: 1