auditpol.exe

  • File Path: C:\WINDOWS\SysWOW64\auditpol.exe
  • Description: Audit Policy Program

Hashes

Type Hash
MD5 F771FD6C558C5827FCD30F65F5CE7EDC
SHA1 3BA6045FE86DB8906DFB1D3DFC37DCCC33C00514
SHA256 A86ACB5E6FF088B72DE41FD187D4CAAC9BDFA6624D3D28B1A4AED299580AC872
SHA384 C2F2307C1770CFC3FBECB19929DDB5BC5F01DD526B9AFC9C8D2575B206312715DDDD4F054D54BFD8E8A9ABB2847D0E08
SHA512 7B3BD041617B6960F44348367E20C5F9958EF6D04379E7D5CD5FA1B36B0681D790BC71D01FDEBF3FD8BDC2F4C17551C1AF5FED0E082702BC082D68B6332A3784
SSDEEP 768:wFTlUgApLJhiVVjXHE309tXxTs+2YgjG1:Y+FJeF0309tls+2YgjG1
IMP AB0C8C1C188B19D08FAF502671C04930
PESHA1 096F65EEEAA0F6EEE05ADB14B82C5A0E5986A089
PE256 F9157B614B062C009D0E80D575FD1BE38C40F8BD2BAD1013CDD18645C9CE8AAB

Runtime Data

Usage (stdout):

Usage: AuditPol command [<sub-command><options>]


Commands (only one command permitted per execution)
  /?               Help (context-sensitive)
  /get             Displays the current audit policy.
  /set             Sets the audit policy.
  /list            Displays selectable policy elements.
  /backup          Saves the audit policy to a file.
  /restore         Restores the audit policy from a file.
  /clear           Clears the audit policy.
  /remove          Removes the per-user audit policy for a user account.
  /resourceSACL    Configure global resource SACLs


Use AuditPol <command> /? for details on each command

Usage (stderr):

Error 0x00000057 occurred:
The parameter is incorrect.


Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\auditpol.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: AUDITPOL.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/a86acb5e6ff088b72de41fd187d4caac9bdfa6624d3d28b1a4aed299580ac872/detection

Possible Misuse

The following table contains possible examples of auditpol.exe being misused. While auditpol.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml title: Suspicious NT Resource Kit Auditpol Usage DRL 1.0
sigma proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml description: Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. DRL 1.0
sigma proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol DRL 1.0
sigma proc_creation_win_sus_auditpol_usage.yml title: Suspicious Auditpol Usage DRL 1.0
sigma proc_creation_win_sus_auditpol_usage.yml description: Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. DRL 1.0
sigma proc_creation_win_sus_auditpol_usage.yml Image\|endswith: '\auditpol.exe' DRL 1.0
atomic-red-team T1562.002.md Use the cleanup commands to restore some default auditpol settings (your original settings will be lost) MIT License. © 2018 Red Canary
atomic-red-team T1562.002.md auditpol /set /category:”Account Logon” /success:disable /failure:disable MIT License. © 2018 Red Canary
atomic-red-team T1562.002.md auditpol /set /category:”Logon/Logoff” /success:disable /failure:disable MIT License. © 2018 Red Canary
atomic-red-team T1562.002.md auditpol /set /category:”Detailed Tracking” /success:disable MIT License. © 2018 Red Canary
atomic-red-team T1562.002.md auditpol /set /category:”Account Logon” /success:enable /failure:enable MIT License. © 2018 Red Canary
atomic-red-team T1562.002.md auditpol /set /category:”Detailed Tracking” /success:enable MIT License. © 2018 Red Canary
atomic-red-team T1562.002.md auditpol /set /category:”Logon/Logoff” /success:enable /failure:enable MIT License. © 2018 Red Canary
atomic-red-team T1562.002.md Clear the Windows audit policy using auditpol utility. This action would stop certain audit events from being recorded in the security log. MIT License. © 2018 Red Canary
atomic-red-team T1562.002.md auditpol /clear /y MIT License. © 2018 Red Canary
atomic-red-team T1562.002.md auditpol /remove /allusers MIT License. © 2018 Red Canary

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


auditpol

Displays information about and performs functions to manipulate audit policies, including:

  • Setting and querying a system audit policy.

  • Setting and querying a per-user audit policy.

  • Setting and querying auditing options.

  • Setting and querying the security descriptor used to delegate access to an audit policy.

  • Reporting or backing up an audit policy to a comma-separated value (CSV) text file.

  • Loading an audit policy from a CSV text file.

  • Configuring global resource SACLs.

Syntax

auditpol command [<sub-command><options>]

Parameters

Sub-command Description
/get Displays the current audit policy. For more information, see auditpol get for syntax and options.
/set Sets the audit policy. For more information, see auditpol set for syntax and options.
/list Displays selectable policy elements. For more information, see auditpol list for syntax and options.
/backup Saves the audit policy to a file. For more information, see auditpol backup for syntax and options.
/restore Restores the audit policy from a file that was previously created by using auditpol /backup. For more information, see auditpol restore for syntax and options.
/clear Clears the audit policy. For more information, see auditpol clear for syntax and options.
/remove Removes all per-user audit policy settings and disables all system audit policy settings. For more information, see auditpol remove for syntax and options.
/resourceSACL Configures global resource system access control lists (SACLs). Note: Applies only to Windows 7 and Windows Server 2008 R2. For more information, see auditpol resourceSACL.
/? Displays help at the command prompt.

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.