detection.wiki

Detection rules › Splunk

Windows Important Audit Policy Disabled

Author
Nasreddine Bencherchali, Splunk
Source
upstream

The following analytic detects the disabling of important audit policies. It leverages EventCode 4719 from Windows Security Event Logs to identify changes where success or failure auditing is removed. This activity is significant as it suggests an attacker may have gained access to the domain controller and is attempting to evade detection by tampering with audit policies. If confirmed malicious, this could lead to severe consequences, including data theft, privilege escalation, and full network compromise. Immediate investigation is required to determine the source and intent of the change.

MITRE ATT&CK coverage

TacticTechniques
Defense EvasionT1562.001 Impair Defenses: Disable or Modify Tools

Event coverage

ProviderEvent IDTitle
Security-Auditing4719System audit policy was changed.

Stages and Predicates

Stage 1: search

search (AuditPolicyChanges IN ("%%8448", "%%8448, %%8450", "%%8450") OR Changes IN ("Failure removed", "Success removed", "Success removed, Failure removed")) EventCode=4719 SubcategoryGuid IN ("{0CCE9215-69AE-11D9-BED3-505054503030}", "{0CCE922B-69AE-11D9-BED3-505054503030}", "{0CCE922F-69AE-11D9-BED3-505054503030}")

Stage 2: replace

replace

Stage 3: eval

eval ... using (Changes, Subcategory_GUID)

Stage 4: rename

rename

Stage 5: stats

stats BY AuditPolicyChanges, SubcategoryGuid, process_id

Stage 6: lookup

lookup <lookup> Category, GUID, SubCategory, SubcategoryGuid

Stage 7: search

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
AuditPolicyChangesin
  • "%%8448" corpus 2 (splunk 2)
  • "%%8448, %%8450" corpus 2 (splunk 2)
  • "%%8450" corpus 2 (splunk 2)
Changesin
  • "Failure removed" corpus 2 (splunk 2)
  • "Success removed" corpus 2 (splunk 2)
  • "Success removed, Failure removed" corpus 2 (splunk 2)
EventCodeeq
  • 4719 corpus 2 (splunk 2)
SubcategoryGuidin
  • "{0CCE9215-69AE-11D9-BED3-505054503030}"
  • "{0CCE922B-69AE-11D9-BED3-505054503030}"
  • "{0CCE922F-69AE-11D9-BED3-505054503030}"

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.