auditpol.exe

File Path: C:\windows\system32\auditpol.exe
Description: Audit Policy Program

Hashes

Type	Hash
MD5	`1B10370359F8B6CC355E34225C8BA6D4`
SHA1	`788912E66F51DE9876B8EAD3D97D32B5E2CCD3F2`
SHA256	`08009F932D5A3CA2D856AB5A40A804B3FBB0C5083D0F2C8EDCD17747A727A679`
SHA384	`8274A0384E974236BA868F0C508691A9FF8E918C98E82C7A091A3292AE26A1353848060EFE65D15481DE9A0201187106`
SHA512	`68A439DECC12DC862DF48D5D8D28859B1D4DD464ECA7B6FB9CB61B5A8BDFD56141A59ED7156A2E9DDCBB58D877176F3C555D8B85666D773848F64C8BF54F144E`
SSDEEP	`1536:aCmwg5fd1z0WouTB/8dAWZ8bZ0X5yunaJbdk56:aCev1wTo0yK888C85kc`

Signature

Status: The file C:\windows\system32\auditpol.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
Serial: ``
Thumbprint: ``
Issuer:
Subject:

File Metadata

Original Filename: AUDITPOL.EXE.MUI
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
Product Version: 6.3.9600.16384
Language: English (United States)
Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of auditpol.exe being misused. While auditpol.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml	`title: Suspicious NT Resource Kit Auditpol Usage`	DRL 1.0
sigma	proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml	`description: Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.`	DRL 1.0
sigma	proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml	`- https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol`	DRL 1.0
sigma	proc_creation_win_sus_auditpol_usage.yml	`title: Suspicious Auditpol Usage`	DRL 1.0
sigma	proc_creation_win_sus_auditpol_usage.yml	`description: Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.`	DRL 1.0
sigma	proc_creation_win_sus_auditpol_usage.yml	`Image\\|endswith: '\auditpol.exe'`	DRL 1.0
atomic-red-team	T1562.002.md	Use the cleanup commands to restore some default auditpol settings (your original settings will be lost)	MIT License. © 2018 Red Canary
atomic-red-team	T1562.002.md	auditpol /set /category:”Account Logon” /success:disable /failure:disable	MIT License. © 2018 Red Canary
atomic-red-team	T1562.002.md	auditpol /set /category:”Logon/Logoff” /success:disable /failure:disable	MIT License. © 2018 Red Canary
atomic-red-team	T1562.002.md	auditpol /set /category:”Detailed Tracking” /success:disable	MIT License. © 2018 Red Canary
atomic-red-team	T1562.002.md	auditpol /set /category:”Account Logon” /success:enable /failure:enable	MIT License. © 2018 Red Canary
atomic-red-team	T1562.002.md	auditpol /set /category:”Detailed Tracking” /success:enable	MIT License. © 2018 Red Canary
atomic-red-team	T1562.002.md	auditpol /set /category:”Logon/Logoff” /success:enable /failure:enable	MIT License. © 2018 Red Canary
atomic-red-team	T1562.002.md	Clear the Windows audit policy using auditpol utility. This action would stop certain audit events from being recorded in the security log.	MIT License. © 2018 Red Canary
atomic-red-team	T1562.002.md	auditpol /clear /y	MIT License. © 2018 Red Canary
atomic-red-team	T1562.002.md	auditpol /remove /allusers	MIT License. © 2018 Red Canary

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

auditpol

Displays information about and performs functions to manipulate audit policies, including:

Setting and querying a system audit policy.
Setting and querying a per-user audit policy.
Setting and querying auditing options.
Setting and querying the security descriptor used to delegate access to an audit policy.
Reporting or backing up an audit policy to a comma-separated value (CSV) text file.
Loading an audit policy from a CSV text file.
Configuring global resource SACLs.

Syntax

auditpol command [<sub-command><options>]

Parameters

Sub-command	Description
/get	Displays the current audit policy. For more information, see auditpol get for syntax and options.
/set	Sets the audit policy. For more information, see auditpol set for syntax and options.
/list	Displays selectable policy elements. For more information, see auditpol list for syntax and options.
/backup	Saves the audit policy to a file. For more information, see auditpol backup for syntax and options.
/restore	Restores the audit policy from a file that was previously created by using auditpol /backup. For more information, see auditpol restore for syntax and options.
/clear	Clears the audit policy. For more information, see auditpol clear for syntax and options.
/remove	Removes all per-user audit policy settings and disables all system audit policy settings. For more information, see auditpol remove for syntax and options.
/resourceSACL	Configures global resource system access control lists (SACLs). Note: Applies only to Windows 7 and Windows Server 2008 R2. For more information, see auditpol resourceSACL.
/?	Displays help at the command prompt.

Additional References

Command-Line Syntax Key