auditpol.exe
- File Path:
C:\Windows\SysWOW64\auditpol.exe - Description: Audit Policy Program
Hashes
| Type | Hash |
|---|---|
| MD5 | 70DF7973F8D4AAA2EE3B28391239397B |
| SHA1 | 970FA2222ED1BBDCC9D42D41FCE25DEC09DC9A42 |
| SHA256 | 92274459D15DD69E20598F5CE54933635C2BD916CA2B0A039F96BE782FAC1CA6 |
| SHA384 | 59588232DB9B802EB18BEA042FD7D544180665F1A11E3870C5714CF4E8D7EA262737EE02D833242A0462710F6CB0A5EC |
| SHA512 | AA63C38FEE0EF17170E3F242E0E12A9AE5F23A93E375A1FBCFA4C14E886B422DB93B1F689D47ABA289B20CBF0AD62D0F5466EE366AB643E94EB7BC89B353CA28 |
| SSDEEP | 768:YF76lUgEsRF057jvykFalDtqQ4pd5w2NOEa:me+MRi7W+ADtqQ4X5w2NOEa |
| IMP | 0C4B99BEEA5B3B9367B087A10A48BD92 |
| PESHA1 | 45313280692ADEC67D894F207E3DB57A3F23E283 |
| PE256 | BDCBA7026A7729DFFCA9A7B7A08EF9798F6C4B3A36223D4A62F1EBB858948028 |
Runtime Data
Usage (stdout):
Usage: AuditPol command [<sub-command><options>]
Commands (only one command permitted per execution)
/? Help (context-sensitive)
/get Displays the current audit policy.
/set Sets the audit policy.
/list Displays selectable policy elements.
/backup Saves the audit policy to a file.
/restore Restores the audit policy from a file.
/clear Clears the audit policy.
/remove Removes the per-user audit policy for a user account.
/resourceSACL Configure global resource SACLs
Use AuditPol <command> /? for details on each command
Usage (stderr):
Error 0x00000057 occurred:
The parameter is incorrect.
Loaded Modules:
| Path |
|---|
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\wow64.dll |
| C:\Windows\System32\wow64cpu.dll |
| C:\Windows\System32\wow64win.dll |
| C:\Windows\SysWOW64\auditpol.exe |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: AUDITPOL.EXE
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.546 (WinBuild.160101.0800)
- Product Version: 10.0.19041.546
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/76
- VirusTotal Link: https://www.virustotal.com/gui/file/92274459d15dd69e20598f5ce54933635c2bd916ca2b0a039f96be782fac1ca6/detection
File Similarity (ssdeep match)
| File | Score |
|---|---|
| C:\Windows\SysWOW64\auditpol.exe | 86 |
Possible Misuse
The following table contains possible examples of auditpol.exe being misused. While auditpol.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| atomic-red-team | T1562.002.md | auditpol /set /category:”Account Logon” /success:disable /failure:disable | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.002.md | auditpol /set /category:”Logon/Logoff” /success:disable /failure:disable | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.002.md | auditpol /set /category:”Detailed Tracking” /success:disable | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.002.md | auditpol /set /category:”Account Logon” /success:enable /failure:enable | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.002.md | auditpol /set /category:”Detailed Tracking” /success:enable | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.002.md | auditpol /set /category:”Logon/Logoff” /success:enable /failure:enable | MIT License. © 2018 Red Canary |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
auditpol
Displays information about and performs functions to manipulate audit policies, including:
-
Setting and querying a system audit policy.
-
Setting and querying a per-user audit policy.
-
Setting and querying auditing options.
-
Setting and querying the security descriptor used to delegate access to an audit policy.
-
Reporting or backing up an audit policy to a comma-separated value (CSV) text file.
-
Loading an audit policy from a CSV text file.
-
Configuring global resource SACLs.
Syntax
auditpol command [<sub-command><options>]
Parameters
| Sub-command | Description |
|---|---|
| /get | Displays the current audit policy. For more information, see auditpol get for syntax and options. |
| /set | Sets the audit policy. For more information, see auditpol set for syntax and options. |
| /list | Displays selectable policy elements. For more information, see auditpol list for syntax and options. |
| /backup | Saves the audit policy to a file. For more information, see auditpol backup for syntax and options. |
| /restore | Restores the audit policy from a file that was previously created by using auditpol /backup. For more information, see auditpol restore for syntax and options. |
| /clear | Clears the audit policy. For more information, see auditpol clear for syntax and options. |
| /remove | Removes all per-user audit policy settings and disables all system audit policy settings. For more information, see auditpol remove for syntax and options. |
| /resourceSACL | Configures global resource system access control lists (SACLs). Note: Applies only to Windows 7 and Windows Server 2008 R2. For more information, see auditpol resourceSACL. |
| /? | Displays help at the command prompt. |
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.