Skip to content

Hide Navigation Hide TOC

Audit Policy Tampering Via NT Resource Kit Auditpol (c6c56ada-612b-42d1-9a29-adad3c5c2c1e)

Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.

Cluster A Galaxy A Cluster B Galaxy B Level
Audit Policy Tampering Via NT Resource Kit Auditpol (c6c56ada-612b-42d1-9a29-adad3c5c2c1e) Sigma-Rules Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) Attack Pattern 1
Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 2