title: Suspicious Auditpol Usage
author: Janantha Marasinghe (https://github.com/blueteam0ps)
date: 2021/02/02
description: Threat actors can use auditpol binary to change audit policy configuration
  to impair detection capability. This can be carried out by selectively disabling/removing
  certain audit policies as well as restoring a custom policy owned by the threat
  actor.
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Image: '*\auditpol.exe'
  SELECTION_3:
    CommandLine:
    - '*disable*'
    - '*clear*'
    - '*remove*'
    - '*restore*'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Admin activity
id: 0a13e132-651d-11eb-ae93-0242ac130002
level: high
logsource:
  category: process_creation
  product: windows
modified: 2021/02/02
references:
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
status: experimental
tags:
- attack.defense_evasion
- attack.t1562.002
ruletype: SIGMA