Query Details

Detecting Execution of Windows Security Audit Policy (Auditpol.exe)

Query

**Detecting Execution of Windows Security Audit Policy (Auditpol.exe)**

Monitoring the execution of auditpol.exe can be crucial for detecting the first stage of a real attack, because it often appears as a preparatory step used to obfuscate the next execution, such as a ransomware payload.

```kql
DeviceProcessEvents
| where AccountName !has "system" and FileName has "auditpol.exe"
| summarize by Timestamp, DeviceName, DeviceId, FileName, AccountDomain, InitiatingProcessAccountName, AccountName, ProcessCommandLine, ReportId
```

Explanation

This query is designed to detect when the "auditpol.exe" program is run on a Windows device. "Auditpol.exe" is a tool used to manage and view audit policies, and its execution can be an early indicator of a potential security threat, such as ransomware, because attackers might use it to modify audit settings to cover their tracks.

Here's a simple breakdown of what the query does:

  1. Data Source: It looks at events related to processes on devices (DeviceProcessEvents).

  2. Filter Criteria:

    • It excludes any events whose account name has the term "system" (`!has` is a whole-term, case-insensitive match, so "SYSTEM" is excluded), to focus on non-system user activity.
    • It specifically looks for events where the file name is "auditpol.exe".

  3. Data Output:

    • It gathers and summarizes information about each event, including the time it happened (Timestamp), the device's name and ID (DeviceName, DeviceId), the file name (FileName), the domain and account names involved (AccountDomain, AccountName), the name of the account that initiated the process (InitiatingProcessAccountName), the command line used to execute the process (ProcessCommandLine), and a report identifier (ReportId).

In essence, this query helps identify when and where "auditpol.exe" is executed by non-system users, which could be an early sign of malicious activity.
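To show how the filter behaves on concrete rows, here is an added Python model of the query's logic (not part of the original page or the query author's work) run over constructed DeviceProcessEvents-style records; the KQL `has` operator is approximated as whole-term, case-insensitive matching, and `summarize by` as distinct-row selection.

```python
import re

# Approximation of KQL term tokenization: a term is a maximal run of
# alphanumeric characters; comparison is case-insensitive.
def _terms(text: str) -> list[str]:
    return re.findall(r"[A-Za-z0-9]+", text.lower())

def kql_has(column_value: str, needle: str) -> bool:
    """Approximate KQL `has`: the needle's terms must occur as a consecutive
    run of whole terms in the column value ("systemadmin" does NOT have "system")."""
    hay, pat = _terms(column_value), _terms(needle)
    if not pat:
        return False
    return any(hay[i:i + len(pat)] == pat for i in range(len(hay) - len(pat) + 1))

SUMMARIZE_COLUMNS = ("Timestamp", "DeviceName", "DeviceId", "FileName", "AccountDomain",
                     "InitiatingProcessAccountName", "AccountName", "ProcessCommandLine", "ReportId")

def _event(report_id, account, file_name, cmd):
    # Constructed sample row carrying only the columns the query projects.
    return {"Timestamp": f"2025-10-29T10:00:0{report_id}Z", "DeviceName": "ws01",
            "DeviceId": "dev-01", "FileName": file_name, "AccountDomain": "CORP",
            "AccountName": account, "InitiatingProcessAccountName": "jdoe",
            "ProcessCommandLine": cmd, "ReportId": report_id}

# Constructed sample events (read-only /get invocations) covering the edge cases.
SAMPLE_EVENTS = [
    _event(1, "jdoe", "auditpol.exe", "auditpol.exe /get /category:*"),       # matches
    _event(2, "SYSTEM", "AuditPol.exe", "auditpol.exe /get /category:*"),     # excluded: term "system"
    _event(3, "systemadmin", "auditpol.exe", "auditpol.exe /get /category:*"),  # kept: whole-term match
    _event(4, "jdoe", "cmd.exe", "cmd.exe /c auditpol.exe /get /category:*"),   # missed: FileName only
    _event(1, "jdoe", "auditpol.exe", "auditpol.exe /get /category:*"),       # duplicate, collapsed
]

def detect_auditpol(events):
    """Apply the page's `where` clause, then `summarize by` the projected columns."""
    seen, out = set(), []
    for e in events:
        if kql_has(e["AccountName"], "system") or not kql_has(e["FileName"], "auditpol.exe"):
            continue
        key = tuple(e[c] for c in SUMMARIZE_COLUMNS)
        if key not in seen:
            seen.add(key)
            out.append(dict(zip(SUMMARIZE_COLUMNS, key)))
    return out

if __name__ == "__main__":
    for row in detect_auditpol(SAMPLE_EVENTS):
        print(row["ReportId"], row["AccountName"], row["FileName"], row["ProcessCommandLine"])
```

Row 4 shows the query's blind spot: because it filters on FileName rather than ProcessCommandLine, auditpol launched through a wrapper process is not surfaced.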

Details


Sergio Albea

Released: October 29, 2025

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, Timestamp, DeviceName, DeviceId, FileName, AccountDomain, InitiatingProcessAccountName, AccountName, ProcessCommandLine, ReportId

Operators

DeviceProcessEvents, where, !has, has, summarize by
