Skip to content

Hide Navigation Hide TOC

Audit Policy Tampering Via Auditpol (0a13e132-651d-11eb-ae93-0242ac130002)

Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.

Cluster A Galaxy A Cluster B Galaxy B Level
Disable or Modify Windows Event Log - T1685.001 (1411e6b8-80a6-4465-9909-54eaa9c67ce0) Attack Pattern Audit Policy Tampering Via Auditpol (0a13e132-651d-11eb-ae93-0242ac130002) Sigma-Rules 1
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern Disable or Modify Windows Event Log - T1685.001 (1411e6b8-80a6-4465-9909-54eaa9c67ce0) Attack Pattern 2