Skip to content

Hide Navigation Hide TOC

Audit Policy Tampering Via Auditpol (0a13e132-651d-11eb-ae93-0242ac130002)

Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.

Cluster A Galaxy A Cluster B Galaxy B Level
Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) Attack Pattern Audit Policy Tampering Via Auditpol (0a13e132-651d-11eb-ae93-0242ac130002) Sigma-Rules 1
Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 2