SigmaHQ/rules/windows/process_creation/win_sus_auditpol_usage.yml

title: Suspicious Auditpol Usage 
id: 0a13e132-651d-11eb-ae93-0242ac130002
description: Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. 
author: Janantha Marasinghe (https://github.com/blueteam0ps)
references:
    - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
date: 2021/02/02
modified: 2021/02/02
tags:
    - attack.defense_evasion
    - attack.t1562.002
level: high
logsource:
    category: process_creation
    product: windows
detection:
    selection_auditpol_binary:
        Image|endswith: '\auditpol.exe'
    selection_auditpol_command:
        CommandLine|contains:  
            - 'disable' # disables a specific audit policy
            - 'clear'   # delete or clears audit policy
            - 'remove'  # removes an audit policy
            - 'restore' # restores an audit policy
    condition: selection_auditpol_binary and selection_auditpol_command
falsepositives:
    - Admin activity
Created win_sus_auditpol_usage.yml This adds detection for suspicious behaviour of the auditpol binary 2021-02-02 08:12:13 +00:00			`title: Suspicious Auditpol Usage`
			`id: 0a13e132-651d-11eb-ae93-0242ac130002`
			`description: Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.`
			`author: Janantha Marasinghe (https://github.com/blueteam0ps)`
			`references:`
			`- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/`
			`date: 2021/02/02`
			`modified: 2021/02/02`
			`tags:`
			`- attack.defense_evasion`
			`- attack.t1562.002`
			`level: high`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection_auditpol_binary:`
			`Image\|endswith: '\auditpol.exe'`
			`selection_auditpol_command:`
			`CommandLine\|contains:`
			`- 'disable' # disables a specific audit policy`
			`- 'clear' # delete or clears audit policy`
			`- 'remove' # removes an audit policy`
			`- 'restore' # restores an audit policy`
Update win_sus_auditpol_usage.yml 2021-02-02 11:24:54 +00:00			`condition: selection_auditpol_binary and selection_auditpol_command`
Created win_sus_auditpol_usage.yml This adds detection for suspicious behaviour of the auditpol binary 2021-02-02 08:12:13 +00:00			`falsepositives:`
			`- Admin activity`