
TR-3997 - New Content - auditpol and audit policy tampering analytics #3299

Status: Open. Wants to merge 17 commits into base: develop

Conversation

@nasbench (Contributor) commented Jan 28, 2025

This PR adds new analytics related to abuse of auditpol to tamper with audit policy configurations, a corresponding analytic story as well as small updates to older analytics.

New Analytics

  • Windows Audit Policy Cleared via Auditpol
  • Windows Audit Policy Disabled via Auditpol
  • Windows Audit Policy Disabled via Legacy Auditpol
  • Windows Audit Policy Excluded Category Via Auditpol
  • Windows Audit Policy Restored via Auditpol
  • Windows Global Object Access Audit List Cleared via Auditpol
  • Windows Audit Policy Security Descriptor Tampering via Auditpol
  • Windows Important Audit Policy Disabled
  • Windows Audit Policy Auditing Option Disabled via Auditpol
  • Windows Audit Policy Auditing Option Modified - Registry

New Analytic Story

  • Windows Audit Policy Tampering

Updated Analytics

  • Windows AD Domain Controller Audit Policy Disabled

Deprecated Analytics

  • Suspicious Event Log Service Behavior - This was replaced by Windows Event Logging Service Has Shutdown. This change was needed to accurately describe the analytic title.
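As an added example, not part of this PR or of the project it targets, the Python below maps auditpol command lines taken from process-creation events onto the tampering categories that the new analytics above are named after, and generalizes across all of them in one classifier. The auditpol switches follow Microsoft's documented syntax; the sample events, the category labels, the "important" subcategory list and the legacy `/disable` form are this example's own assumptions.

```python
import re
from typing import Optional

# Constructed process-creation events (field names loosely follow Sysmon EID 1 / 4688);
# none of this is real telemetry, it only exercises the classifier below.
SAMPLE_EVENTS = [
    {"user": r"CORP\svc-backup", "cmd": "auditpol /get /category:*"},
    {"user": r"CORP\jdoe", "cmd": r"C:\Windows\System32\auditpol.exe /clear /y"},
    {"user": r"CORP\jdoe", "cmd": 'auditpol /set /subcategory:"Process Creation" /success:disable /failure:disable'},
    {"user": r"CORP\jdoe", "cmd": 'AuditPol /set /user:jdoe /category:"Logon/Logoff" /exclude /success:enable'},
    {"user": r"CORP\jdoe", "cmd": r"auditpol /restore /file:C:\Temp\old.csv"},
    {"user": r"CORP\jdoe", "cmd": "auditpol /resourceSACL /type:File /clear"},
    {"user": r"CORP\jdoe", "cmd": 'auditpol /set /sd:"<SDDL_PLACEHOLDER>"'},
    {"user": r"CORP\jdoe", "cmd": "auditpol /set /option:CrashOnAuditFail /value:disable"},
]

# Subcategories this example treats as "important"; the real analytic's list may differ.
IMPORTANT_SUBCATEGORIES = {"process creation", "logon", "audit policy change"}

def classify_auditpol(cmdline: str) -> Optional[str]:
    """Map an auditpol command line to a tampering category; None for benign or unrelated use."""
    tokens = cmdline.lower().split()  # Windows command lines are case-insensitive
    if not tokens or not re.search(r"(^|[\\/])auditpol(\.exe)?$", tokens[0]):
        return None
    cl = " ".join(tokens)
    if "/resourcesacl" in cl:  # global object access auditing list
        return "global_object_access_cleared" if "/clear" in cl or "/remove" in cl else None
    if "/clear" in cl:
        return "policy_cleared"
    if "/restore" in cl:
        return "policy_restored"
    if "/set" in cl:
        if "/sd:" in cl:  # security descriptor of the audit policy itself
            return "security_descriptor_tampering"
        if "/option:" in cl and "/value:disable" in cl:
            return "auditing_option_disabled"
        if "/exclude" in cl:  # per-user exclusion from a category
            return "category_excluded"
        if "/success:disable" in cl or "/failure:disable" in cl:
            m = re.search(r'/subcategory:(?:"([^"]*)"|(\S+))', cl)
            sub = (m.group(1) or m.group(2)) if m else ""
            return "important_policy_disabled" if sub in IMPORTANT_SUBCATEGORIES else "policy_disabled"
    if "/disable" in cl:  # assumption: old Resource Kit auditpol syntax (auditpol /disable)
        return "legacy_disabled"
    return None

def scan(events):
    """Return (user, category) for every event the classifier flags."""
    return [(e["user"], c) for e in events if (c := classify_auditpol(e["cmd"]))]
```

Only the first token is checked for the auditpol image, so invocations wrapped in another interpreter need their own rule; the registry-based analytic in the list above is not covered here because it keys on registry events rather than command lines.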

@nasbench nasbench marked this pull request as ready for review January 29, 2025 11:28
MHaggis
MHaggis previously approved these changes Jan 29, 2025
patel-bhavin
patel-bhavin previously approved these changes Feb 5, 2025
@patel-bhavin patel-bhavin dismissed stale reviews from MHaggis and themself via e62c67c February 5, 2025 22:16
3 participants