This rule detects attempts to manipulate audit policies using the auditpol command. The technique was observed in relation to the Solorigate attack, but matches can also indicate malicious activity used in other attacks. The process name in each data source is commented out because an adversary could rename the binary. It is advisable to keep the process name commented out, but if the results show unrelated false positives, users may want to uncomment it. Refer to the auditpol syntax: https://docs.microsoft.com/windows-serve
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Standalone Content |
| ID | 66276b14-32c5-4226-88e3-080dacc31ce1 |
| Severity | Medium |
| Kind | Scheduled |
| Tactics | Execution |
| Techniques | T1204 |
| Required Connectors | SecurityEvents, MicrosoftThreatProtection |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| DeviceProcessEvents | | ✓ | ✗ | ? |
| Event | Source == "Microsoft-Windows-Sysmon" | ✓ | ✓ | ? |
| SecurityEvent | EventID == "1" | ✓ | ✓ | ? |
The following connectors provide data for this content item:
| Connector | Solution |
|---|---|
| ESI-Opt34DomainControllersSecurityEventLogs | Microsoft Exchange Security - Exchange On-Premises |
| SecurityEvents | Windows Security Events |
| WindowsSecurityEvents | Windows Security Events |
Solutions: Microsoft Exchange Security - Exchange On-Premises, Windows Security Events