auditpol.exe
- File Path:
C:\Windows\system32\auditpol.exe - Description: Audit Policy Program
Hashes
| Type | Hash |
|---|---|
| MD5 | 29A66352A9656748B1C1DA61C7161EDE |
| SHA1 | 40B872E7A01DDE110206A7B422DB4135301D620D |
| SHA256 | 8362DDED162B118D02528AFEEB3AF60CE0ECD60015FF9A65812F69619D3742A2 |
| SHA384 | B4F913F79242CDE1E5747FFF8CAA061C8199E7570A4FD4B19132AD9E167CE9E03D589864B561C52D804D479377A7D6D1 |
| SHA512 | 3206648AE9318C64F162417480CB8D78F046EFC0C7F2DD84FF97E909A06CE6C3717908D275553DD69B22526274CB85B4549CE014C5617E4902FD66F8AEF79751 |
| SSDEEP | 768:2AwAYR3+tERm5za9/3BTpcf9eRp3zj67y1dCoAPSl0AFrP14y13NN0oTeDppoTbP:BwAYR3+tERm5zQpuW3zj65ot+mey13N/ |
| IMP | 90AC86A122E388FC7E7952289389E5B0 |
| PESHA1 | 7F546D31CDFC2E0B4BE0F63C46B182B6F404C27C |
| PE256 | 2185F8D3DC40E4E18FF9968512EA476560A3FA1D783728A49AE775510E82C3DF |
Runtime Data
Usage (stdout):
Usage: AuditPol command [<sub-command><options>]
Commands (only one command permitted per execution)
/? Help (context-sensitive)
/get Displays the current audit policy.
/set Sets the audit policy.
/list Displays selectable policy elements.
/backup Saves the audit policy to a file.
/restore Restores the audit policy from a file.
/clear Clears the audit policy.
/remove Removes the per-user audit policy for a user account.
/resourceSACL Configure global resource SACLs
Use AuditPol <command> /? for details on each command
Usage (stderr):
Error 0x00000057 occurred:
The parameter is incorrect.
Loaded Modules:
| Path |
|---|
| C:\Windows\system32\auditpol.exe |
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\SYSTEM32\ntdll.dll |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: AUDITPOL.EXE.MUI
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/73
- VirusTotal Link: https://www.virustotal.com/gui/file/8362dded162b118d02528afeeb3af60ce0ecd60015ff9a65812f69619d3742a2/detection/
File Similarity (ssdeep match)
| File | Score |
|---|---|
| C:\Windows\system32\auditpol.exe | 44 |
| C:\WINDOWS\system32\auditpol.exe | 40 |
Possible Misuse
The following table contains possible examples of auditpol.exe being misused. While auditpol.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| atomic-red-team | T1562.002.md | auditpol /set /category:”Account Logon” /success:disable /failure:disable | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.002.md | auditpol /set /category:”Logon/Logoff” /success:disable /failure:disable | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.002.md | auditpol /set /category:”Detailed Tracking” /success:disable | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.002.md | auditpol /set /category:”Account Logon” /success:enable /failure:enable | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.002.md | auditpol /set /category:”Detailed Tracking” /success:enable | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.002.md | auditpol /set /category:”Logon/Logoff” /success:enable /failure:enable | MIT License. © 2018 Red Canary |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
auditpol
Displays information about and performs functions to manipulate audit policies, including:
-
Setting and querying a system audit policy.
-
Setting and querying a per-user audit policy.
-
Setting and querying auditing options.
-
Setting and querying the security descriptor used to delegate access to an audit policy.
-
Reporting or backing up an audit policy to a comma-separated value (CSV) text file.
-
Loading an audit policy from a CSV text file.
-
Configuring global resource SACLs.
Syntax
auditpol command [<sub-command><options>]
Parameters
| Sub-command | Description |
|---|---|
| /get | Displays the current audit policy. For more information, see auditpol get for syntax and options. |
| /set | Sets the audit policy. For more information, see auditpol set for syntax and options. |
| /list | Displays selectable policy elements. For more information, see auditpol list for syntax and options. |
| /backup | Saves the audit policy to a file. For more information, see auditpol backup for syntax and options. |
| /restore | Restores the audit policy from a file that was previously created by using auditpol /backup. For more information, see auditpol restore for syntax and options. |
| /clear | Clears the audit policy. For more information, see auditpol clear for syntax and options. |
| /remove | Removes all per-user audit policy settings and disables all system audit policy settings. For more information, see auditpol remove for syntax and options. |
| /resourceSACL | Configures global resource system access control lists (SACLs). Note: Applies only to Windows 7 and Windows Server 2008 R2. For more information, see auditpol resourceSACL. |
| /? | Displays help at the command prompt. |
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.