public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-03-12 18:38:23 +01:00
Code Issues Projects Releases Wiki Activity

Update Auditpol.yml

Browse Source
This commit is contained in:
M-khalifa1 2024-02-24 17:51:04 +03:00 committed by GitHub
parent 4f1e368b90
commit 41dc3d9c2f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 8 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
yml/OSBinaries/Auditpol.yml
View File

@ -1,28 +1,28 @@
--- ---
Name: Auditpol.exe Name: Auditpol.exe
Description: a command-line tool that allows users to query and set audit policies on Windows systems. Description: a command-line tool that allows users to query and set audit policies on Windows systems
Author: 'Mahmoud Khalifa' Author: 'Mahmoud Khalifa'
Created: 2024-2-24 Created: 2024-02-24
Commands: Commands:
- Command: auditpol /set /subcategory:"System Integrity" /success:disable /failure:disable - Command: auditpol /set /subcategory:"System Integrity" /success:disable /failure:disable
Description: Disables auditing for system integrity, which is crucial for monitoring and ensuring the integrity of security features and the operating system. Description: Disables auditing for system integrity, which is crucial for monitoring and ensuring the integrity of security features and the operating system
Usecase: modify the audit configuration silently and disable or alter important parameters, preventing the creation or recording of Event Logs. Usecase: Modify the audit configuration silently and disable or alter important parameters, preventing the creation or recording of Event Logs
Category: Execute Category: Execute
Privileges: Administrator Privileges: Administrator
MitreID: T1562.002 MitreID: T1562.002
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 10, Windows 11 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 10, Windows 11
- Command: auditpol /set /subcategory:"Logon" /success:enable /failure:enable - Command: auditpol /set /subcategory:"Logon" /success:enable /failure:enable
Description: Enables auditing for both successful and failed logon attempts. Description: Enables auditing for both successful and failed logon attempts
Usecase: Use this command to monitor logon activities, which can help detect unauthorized access attempts. Usecase: Use this command to monitor logon activities, which can help detect unauthorized access attempts
Category: Execute Category: Execute
Privileges: Administrator Privileges: Administrator
MitreID: T1562.002 MitreID: T1562.002
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 10,Windows 11 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 10, Windows 11
Full_Path: Full_Path:
- Path: C:\Windows\System32\auditpol.exe - Path: C:\Windows\System32\auditpol.exe
- Path: C:\Windows\SysWOW64\auditpol.exe - Path: C:\Windows\SysWOW64\auditpol.exe
Code_Sample: Code_Sample:
- Code: - Code: null
Detection: Detection:
- IOC: Unexpected changes in audit policies - IOC: Unexpected changes in audit policies
- IOC: auditpol.exe spawned under suspicious circumstances - IOC: auditpol.exe spawned under suspicious circumstances
@ -34,4 +34,3 @@ Resources:
- Link: https://help.fortinet.com/fsiem/Public_Resource_Access/7_1_1/rules/PH_RULE_Suspicious_Auditpol_Usage.htm - Link: https://help.fortinet.com/fsiem/Public_Resource_Access/7_1_1/rules/PH_RULE_Suspicious_Auditpol_Usage.htm
Acknowledgement: Acknowledgement:
- Person: Mahmoud Khalifa - Person: Mahmoud Khalifa