This rule detects attempts to manipulate audit policies using the auditpol command. The technique was observed in relation to the Solorigate attack, but matches can also indicate potentially malicious activity used in other attacks. The process-name filter for each data source is commented out because an adversary could rename the binary. It is advisable to keep the process name commented out, but if the results show unrelated false positives, users may want to uncomment it. Refer to the auditpol syntax: https://docs.microsoft.com/windows-serve
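The following is an added illustration of the detection logic described above, written in Python over constructed process-creation records; it is not the rule's own KQL and does not come from the Sentinel content repository. It matches on the command line rather than the image name, and exposes the optional process-name filter as a switch so the trade-off the description mentions (fewer false positives versus missing a renamed or indirectly launched binary) can be seen on sample data. The set of policy-changing auditpol verbs (`/set`, `/clear`, `/remove`, `/restore`) is my assumption, chosen to exclude the read-only `/get` and `/list` queries; the event shape and sample events are constructed for the example.

```python
"""Illustrative audit-policy tampering detection (added example, not the
Sentinel rule's KQL). Mirrors the page's approach: key on the auditpol
command line, with the process-name filter optional because the binary can
be renamed or launched through another process."""
import re
from dataclasses import dataclass

# auditpol verbs that change policy. Assumption: /get and /list only read
# policy and are deliberately left out to cut false positives.
POLICY_CHANGE_VERBS = {"/set", "/clear", "/remove", "/restore"}

# Matches "auditpol" or "auditpol.exe" as a whole token in a command line.
AUDITPOL_RE = re.compile(r"\bauditpol(?:\.exe)?\b", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (constructed shape, loosely modelled
    on the fields a SecurityEvent 4688 record carries)."""
    computer: str
    account: str
    process: str        # full image path of the created process
    command_line: str


def is_audit_policy_tamper(event: ProcessEvent,
                           require_process_name: bool = False) -> bool:
    """Return True when the command line invokes auditpol with a verb that
    changes policy. require_process_name=True corresponds to uncommenting
    the process-name filter described on the page."""
    cmd = event.command_line
    if not AUDITPOL_RE.search(cmd):
        return False
    if require_process_name and not event.process.lower().endswith("auditpol.exe"):
        return False
    tokens = cmd.lower().split()
    return any(tok in POLICY_CHANGE_VERBS for tok in tokens)


def find_audit_policy_tampering(events, require_process_name: bool = False):
    """Return the events that the detection flags."""
    return [e for e in events if is_audit_policy_tamper(e, require_process_name)]


# Constructed sample events for the example.
SAMPLE_EVENTS = [
    # Direct policy change: flagged with or without the process-name filter.
    ProcessEvent("host1", "CORP\\admin", r"C:\Windows\System32\auditpol.exe",
                 'auditpol.exe /set /subcategory:"Logon" /success:disable /failure:disable'),
    # Read-only query: not flagged, the verb is not policy-changing.
    ProcessEvent("host1", "CORP\\admin", r"C:\Windows\System32\auditpol.exe",
                 "auditpol /get /category:*"),
    # Launched via cmd.exe: the image name is cmd.exe, so the process-name
    # filter would miss it, while the command-line match still catches it.
    ProcessEvent("host2", "CORP\\svc-backup", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c auditpol /clear /y"),
    # Unrelated activity: never flagged.
    ProcessEvent("host3", "CORP\\alice", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -Command Get-Process"),
]


if __name__ == "__main__":
    for strict in (False, True):
        hits = find_audit_policy_tampering(SAMPLE_EVENTS, require_process_name=strict)
        print(f"process-name filter {'on' if strict else 'off'}: {len(hits)} hit(s)")
        for e in hits:
            print(f"  {e.computer} {e.account}: {e.command_line}")
```

Running the block shows two hits with the process-name filter off and one with it on: the `cmd.exe /c auditpol /clear /y` record is the case the description is guarding against when it advises leaving that filter commented out.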
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Standalone Content |
| ID | 66276b14-32c5-4226-88e3-080dacc31ce1 |
| Severity | Medium |
| Kind | Scheduled |
| Tactics | Execution |
| Techniques | T1204 |
| Required Connectors | SecurityEvents, MicrosoftThreatProtection |
| Source | View on GitHub |