Query Details

Detecting Modification of Windows Security Audit Policy (Auditpol.exe)

Query

**Detecting Modification of Windows Security Audit Policy (Auditpol.exe)**

Monitoring the execution of auditpol.exe can be crucial for detecting the first stage of a real attack, because such executions typically appear as preparatory steps used to blind auditing before the next action, such as a ransomware deployment.

```
// Registry events whose value data begins with "auditpol"
// (KQL startswith is case-insensitive, so "AUDITPOL /clear" also matches)
DeviceRegistryEvents
| where RegistryValueData startswith "auditpol"
```

Explanation

This query is designed to detect changes made to the Windows Security Audit Policy with the auditpol.exe tool. It does so by looking at Windows registry events, specifically those whose registry value data starts with the word "auditpol". This can help identify potential security threats, as attackers may modify audit policies to hide their activities, for example while preparing a ransomware attack.
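To make concrete what the `startswith` filter does and does not catch, the following added example (not part of the page or its author's query) applies the same match to a few constructed DeviceRegistryEvents-style records; the record contents, the broader `auditpol_anywhere` variant and the `auditpol_subcommand` helper are assumptions for illustration.

```python
# Added example: emulate the page's KQL filter over constructed records.
# Field names follow the Defender DeviceRegistryEvents schema; the row
# contents are constructed for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"RegistryKey": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU",
     "RegistryValueName": "a",
     "RegistryValueData": 'auditpol /set /category:"Logon/Logoff" /success:disable /failure:disable'},
    {"RegistryKey": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "RegistryValueName": "Updater",
     "RegistryValueData": r"C:\Windows\System32\auditpol.exe /clear /y"},
    {"RegistryKey": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU",
     "RegistryValueName": "b",
     "RegistryValueData": "notepad"},
    {"RegistryKey": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU",
     "RegistryValueName": "c",
     "RegistryValueData": "AUDITPOL /remove /allusers"},
]


def page_query(events):
    """Equivalent of `| where RegistryValueData startswith "auditpol"`.
    KQL's startswith is case-insensitive, so compare in lower case."""
    return [e for e in events
            if e["RegistryValueData"].lower().startswith("auditpol")]


def auditpol_anywhere(events):
    """Broader variant (an assumption, not the page's query): match
    'auditpol' anywhere in the value data, so an invocation by full
    path such as C:\\Windows\\System32\\auditpol.exe is caught too."""
    return [e for e in events
            if "auditpol" in e["RegistryValueData"].lower()]


def auditpol_subcommand(value_data):
    """Return the first auditpol switch of interest found in the value
    data (/set, /clear, /remove, /restore), or None if there is none."""
    for token in value_data.split():
        if token.lower() in ("/set", "/clear", "/remove", "/restore"):
            return token.lower()
    return None


if __name__ == "__main__":
    for e in auditpol_anywhere(SAMPLE_EVENTS):
        print(auditpol_subcommand(e["RegistryValueData"]),
              e["RegistryValueName"], e["RegistryValueData"])
```

Note that the full-path record ("Updater") is missed by the page's `startswith` filter but caught by the broader variant.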

Details

Sergio Albea

Released: October 29, 2025

Tables

DeviceRegistryEvents

Keywords

DeviceRegistryEvents

Operators

startswith