Query Details

Security Event Audit Policy Manipulation Using Auditpol

Query

// Audit subcategories (name and GUID form) whose disabling is especially suspicious.
// The list is only applied if the commented-out has_any() clause below is enabled.
let suspicious_subcategories = dynamic([
    "Logoff",                       "0cce9216-69ae-11d9-bed3-505054503030",
    "Account Lockout",              "0cce9217-69ae-11d9-bed3-505054503030",
    "User Account Management",      "0cce9235-69ae-11d9-bed3-505054503030",
    "Authorization Policy Change",  "0cce9231-69ae-11d9-bed3-505054503030"
]);
SecurityEvent
// Optionally restrict to the auditpol.exe process itself (case-insensitive match).
//| where Process =~ "auditpol.exe"
// 1. Clearing the whole audit policy.
| where (CommandLine has "auditpol" and CommandLine has @"/clear")
// 2. Removing per-user audit policy for one user or for all users.
    or (CommandLine has @"/remove" and CommandLine has_any (@"/user", @"/allusers"))
// 3. Disabling success or failure auditing for a subcategory
//    (optionally limited to the subcategories listed above).
    or (CommandLine has @"/set" and CommandLine has_any ("success:disable", "failure:disable"))// and  CommandLine has_any (suspicious_subcategories))
| project TimeGenerated, Computer, Account, Activity, ParentProcessName, Process, CommandLine, SubjectLogonId

Explanation

This query detects tampering with the Windows security audit policy through auditpol, the built-in tool for viewing and changing what the system audits; turning auditing off is a common way to evade detection. It first defines a set of suspicious audit subcategories, each listed by name and by GUID: "Logoff", "Account Lockout", "User Account Management", and "Authorization Policy Change". Note that the clause that would apply this list is commented out, so as written the list has no effect on the results.

The query then examines security events and keeps those whose command line matches one of three patterns. It looks for "auditpol" together with "/clear" (clearing the audit policy), or "/remove" together with either "/user" or "/allusers" (removing per-user audit policy). It also checks for "/set" together with either "success:disable" or "failure:disable" (disabling success or failure auditing for a subcategory).

Finally, the query extracts and displays the time the event was generated, the computer where the event occurred, the account involved, the activity, the parent process name, the process, the command line, and the subject logon ID.
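As an added example that is not part of the original page, the following Python ports the query's three conditions so they can be exercised offline against constructed command lines. The `has` helper is an approximation of KQL's case-insensitive whole-term `has`, and the optional `require_subcategory` switch re-enables the subcategory filter that the page leaves commented out, using the page's own name and GUID list. The sample events are constructed for illustration.

```python
import re
from typing import Dict, List

# Subcategory names and GUIDs copied from the page's `suspicious_subcategories` list.
SUSPICIOUS_SUBCATEGORIES = [
    "Logoff", "0cce9216-69ae-11d9-bed3-505054503030",
    "Account Lockout", "0cce9217-69ae-11d9-bed3-505054503030",
    "User Account Management", "0cce9235-69ae-11d9-bed3-505054503030",
    "Authorization Policy Change", "0cce9231-69ae-11d9-bed3-505054503030",
]


def has(text: str, term: str) -> bool:
    """Approximation of KQL `has`: case-insensitive match of `term` as a whole
    term, i.e. not glued to an alphanumeric character on either side."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def has_any(text: str, terms: List[str]) -> bool:
    """Approximation of KQL `has_any`: true if any term matches."""
    return any(has(text, t) for t in terms)


def is_audit_policy_tampering(cmd: str, require_subcategory: bool = False) -> bool:
    """The query's `where` predicate, condition by condition."""
    # 1. auditpol /clear: wipe the whole audit policy.
    clear = has(cmd, "auditpol") and has(cmd, "/clear")
    # 2. /remove with /user or /allusers: drop per-user audit policy.
    remove = has(cmd, "/remove") and has_any(cmd, ["/user", "/allusers"])
    # 3. /set ... success:disable or failure:disable: switch auditing off.
    disable = has(cmd, "/set") and has_any(cmd, ["success:disable", "failure:disable"])
    if require_subcategory:
        # The clause the page keeps commented out: only flag the listed subcategories.
        disable = disable and has_any(cmd, SUSPICIOUS_SUBCATEGORIES)
    return clear or remove or disable


# Constructed sample events (hypothetical hosts and accounts), not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"TimeGenerated": "2023-02-13T10:00:01Z", "Computer": "ws01", "Account": "LAB\\alice",
     "CommandLine": "auditpol.exe /clear /y"},
    {"TimeGenerated": "2023-02-13T10:00:02Z", "Computer": "ws01", "Account": "LAB\\alice",
     "CommandLine": "auditpol /remove /allusers"},
    {"TimeGenerated": "2023-02-13T10:00:03Z", "Computer": "srv02", "Account": "LAB\\svc",
     "CommandLine": 'auditpol /set /subcategory:"Logoff" /success:disable /failure:disable'},
    {"TimeGenerated": "2023-02-13T10:00:04Z", "Computer": "srv02", "Account": "LAB\\svc",
     "CommandLine": "auditpol /set /subcategory:{0cce9235-69ae-11d9-bed3-505054503030} /failure:disable"},
    {"TimeGenerated": "2023-02-13T10:00:05Z", "Computer": "srv03", "Account": "LAB\\bob",
     "CommandLine": 'auditpol /set /subcategory:"Process Creation" /success:disable'},
    {"TimeGenerated": "2023-02-13T10:00:06Z", "Computer": "srv03", "Account": "LAB\\bob",
     "CommandLine": "auditpol /get /category:*"},
    {"TimeGenerated": "2023-02-13T10:00:07Z", "Computer": "ws04", "Account": "LAB\\carol",
     "CommandLine": "AUDITPOL /CLEAR /Y"},
]


def run_query(events: List[Dict[str, str]], require_subcategory: bool = False) -> List[Dict[str, str]]:
    """Apply the predicate and project the columns the query keeps."""
    columns = ("TimeGenerated", "Computer", "Account", "CommandLine")
    return [{c: e[c] for c in columns}
            for e in events
            if is_audit_policy_tampering(e["CommandLine"], require_subcategory)]


if __name__ == "__main__":
    for row in run_query(SAMPLE_EVENTS):
        print(row)
```

Running it flags six of the seven constructed events; the benign `auditpol /get` read-only call does not fire. With `require_subcategory=True` the "Process Creation" disable drops out because that subcategory is not in the list, which shows the trade-off of the commented-out clause: fewer alerts, but auditing for unlisted subcategories can be switched off unnoticed. Note also that only the `/clear` condition requires the token "auditpol" itself.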

Details

Jose Sebastián Canós

Released: February 13, 2023

Tables

SecurityEvent

Keywords

SuspiciousSubcategories,SecurityEvent,Process,CommandLine,TimeGenerated,Computer,Account,Activity,ParentProcessName,SubjectLogonId

Operators

let, dynamic, SecurityEvent, where, has, has_any, or, project