auditpol.exe
- File Path:
C:\Windows\system32\auditpol.exe - Description: Audit Policy Program
Hashes
| Type | Hash |
|---|---|
| MD5 | 29A66352A9656748B1C1DA61C7161EDE |
| SHA1 | 40B872E7A01DDE110206A7B422DB4135301D620D |
| SHA256 | 8362DDED162B118D02528AFEEB3AF60CE0ECD60015FF9A65812F69619D3742A2 |
| SHA384 | B4F913F79242CDE1E5747FFF8CAA061C8199E7570A4FD4B19132AD9E167CE9E03D589864B561C52D804D479377A7D6D1 |
| SHA512 | 3206648AE9318C64F162417480CB8D78F046EFC0C7F2DD84FF97E909A06CE6C3717908D275553DD69B22526274CB85B4549CE014C5617E4902FD66F8AEF79751 |
| SSDEEP | 768:2AwAYR3+tERm5za9/3BTpcf9eRp3zj67y1dCoAPSl0AFrP14y13NN0oTeDppoTbP:BwAYR3+tERm5zQpuW3zj65ot+mey13N/ |
| IMP | 90AC86A122E388FC7E7952289389E5B0 |
| PESHA1 | 7F546D31CDFC2E0B4BE0F63C46B182B6F404C27C |
| PE256 | 2185F8D3DC40E4E18FF9968512EA476560A3FA1D783728A49AE775510E82C3DF |
Runtime Data
Usage (stdout):
Usage: AuditPol command [<sub-command><options>]
Commands (only one command permitted per execution)
/? Help (context-sensitive)
/get Displays the current audit policy.
/set Sets the audit policy.
/list Displays selectable policy elements.
/backup Saves the audit policy to a file.
/restore Restores the audit policy from a file.
/clear Clears the audit policy.
/remove Removes the per-user audit policy for a user account.
/resourceSACL Configure global resource SACLs
Use AuditPol <command> /? for details on each command
Usage (stderr):
Error 0x00000057 occurred:
The parameter is incorrect.
Loaded Modules:
| Path |
|---|
| C:\Windows\system32\auditpol.exe |
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\SYSTEM32\ntdll.dll |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: AUDITPOL.EXE.MUI
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/73
- VirusTotal Link: https://www.virustotal.com/gui/file/8362dded162b118d02528afeeb3af60ce0ecd60015ff9a65812f69619d3742a2/detection/
File Similarity (ssdeep match)
| File | Score |
|---|---|
| C:\Windows\system32\auditpol.exe | 44 |
| C:\WINDOWS\system32\auditpol.exe | 40 |
Possible Misuse
The following table contains possible examples of auditpol.exe being misused. While auditpol.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml | title: Suspicious NT Resource Kit Auditpol Usage |
DRL 1.0 |
| sigma | proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml | description: Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. |
DRL 1.0 |
| sigma | proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml | - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol |
DRL 1.0 |
| sigma | proc_creation_win_sus_auditpol_usage.yml | title: Suspicious Auditpol Usage |
DRL 1.0 |
| sigma | proc_creation_win_sus_auditpol_usage.yml | description: Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. |
DRL 1.0 |
| sigma | proc_creation_win_sus_auditpol_usage.yml | Image\|endswith: '\auditpol.exe' |
DRL 1.0 |
| atomic-red-team | T1562.002.md | Use the cleanup commands to restore some default auditpol settings (your original settings will be lost) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.002.md | auditpol /set /category:”Account Logon” /success:disable /failure:disable | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.002.md | auditpol /set /category:”Logon/Logoff” /success:disable /failure:disable | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.002.md | auditpol /set /category:”Detailed Tracking” /success:disable | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.002.md | auditpol /set /category:”Account Logon” /success:enable /failure:enable | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.002.md | auditpol /set /category:”Detailed Tracking” /success:enable | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.002.md | auditpol /set /category:”Logon/Logoff” /success:enable /failure:enable | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.002.md | Clear the Windows audit policy using auditpol utility. This action would stop certain audit events from being recorded in the security log. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.002.md | auditpol /clear /y | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.002.md | auditpol /remove /allusers | MIT License. © 2018 Red Canary |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
auditpol
Displays information about and performs functions to manipulate audit policies, including:
-
Setting and querying a system audit policy.
-
Setting and querying a per-user audit policy.
-
Setting and querying auditing options.
-
Setting and querying the security descriptor used to delegate access to an audit policy.
-
Reporting or backing up an audit policy to a comma-separated value (CSV) text file.
-
Loading an audit policy from a CSV text file.
-
Configuring global resource SACLs.
Syntax
auditpol command [<sub-command><options>]
Parameters
| Sub-command | Description |
|---|---|
| /get | Displays the current audit policy. For more information, see auditpol get for syntax and options. |
| /set | Sets the audit policy. For more information, see auditpol set for syntax and options. |
| /list | Displays selectable policy elements. For more information, see auditpol list for syntax and options. |
| /backup | Saves the audit policy to a file. For more information, see auditpol backup for syntax and options. |
| /restore | Restores the audit policy from a file that was previously created by using auditpol /backup. For more information, see auditpol restore for syntax and options. |
| /clear | Clears the audit policy. For more information, see auditpol clear for syntax and options. |
| /remove | Removes all per-user audit policy settings and disables all system audit policy settings. For more information, see auditpol remove for syntax and options. |
| /resourceSACL | Configures global resource system access control lists (SACLs). Note: Applies only to Windows 7 and Windows Server 2008 R2. For more information, see auditpol resourceSACL. |
| /? | Displays help at the command prompt. |
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.