cscli scenarios install sigmahq/proc_creation_win_auditpol_nt_resource_kit_usage
```yaml
type: trigger
name: sigmahq/proc_creation_win_auditpol_nt_resource_kit_usage
description: |
  Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
filter: |
  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && (evt.Parsed.CommandLine contains '/logon:none' || evt.Parsed.CommandLine contains '/system:none' || evt.Parsed.CommandLine contains '/sam:none' || evt.Parsed.CommandLine contains '/privilege:none' || evt.Parsed.CommandLine contains '/object:none' || evt.Parsed.CommandLine contains '/process:none' || evt.Parsed.CommandLine contains '/policy:none')
blackhole: 2m
#status: test
labels:
  service: windows
  confidence: 1
  spoofable: 0
  classification:
    - attack.t1562.002

  label: "Audit Policy Tampering Via NT Resource Kit Auditpol"
  behavior: "windows:audit"
  remediation: false

scope:
  type: ParentProcessId
  expression: evt.Parsed.ParentProcessId
```
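To see what the `filter` expression above actually matches, the following added example (not CrowdSec's own evaluator and not part of the hub page) re-implements the predicate in plain Python and runs it over a few constructed Sysmon Event ID 1 records. The `Event` class, the `evt.Meta`/`evt.Parsed` dictionaries and the sample command lines are assumptions made for the example; the flag list is copied verbatim from the scenario.

```python
"""Offline check of the sigmahq/proc_creation_win_auditpol_nt_resource_kit_usage
filter: reproduces the expr predicate in Python and applies it to constructed
Sysmon process-creation events (example code, not CrowdSec's evaluator)."""

from dataclasses import dataclass

# Command-line fragments the scenario's filter looks for (copied from the rule).
AUDITPOL_NONE_FLAGS = (
    "/logon:none", "/system:none", "/sam:none", "/privilege:none",
    "/object:none", "/process:none", "/policy:none",
)


@dataclass
class Event:
    """Minimal stand-in for a CrowdSec event: the Meta and Parsed maps only."""
    meta: dict
    parsed: dict


def matches_scenario(evt: Event) -> bool:
    """Equivalent of:
    (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1')
      && (evt.Parsed.CommandLine contains <any ':none' auditpol flag>)
    Like expr's 'contains', the comparison is case-sensitive."""
    if evt.meta.get("service") != "sysmon":
        return False
    if evt.parsed.get("EventID") != "1":   # EventID is a string in Parsed
        return False
    cmdline = evt.parsed.get("CommandLine", "")
    return any(flag in cmdline for flag in AUDITPOL_NONE_FLAGS)


def evaluate(events):
    """Return the scope value (ParentProcessId) of every event that would
    trigger the scenario. 'type: trigger' means a single matching event fires."""
    return [e.parsed["ParentProcessId"] for e in events if matches_scenario(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # process creation with two audit categories disabled -> should match
    Event({"service": "sysmon"},
          {"EventID": "1", "CommandLine": "auditpol.exe /logon:none /system:none",
           "ParentProcessId": "4012"}),
    # benign query of the current policy -> no ':none' flag, no match
    Event({"service": "sysmon"},
          {"EventID": "1", "CommandLine": "auditpol.exe /get /category:*",
           "ParentProcessId": "4012"}),
    # wrong Sysmon event type (network connection), ignored by the filter
    Event({"service": "sysmon"},
          {"EventID": "3", "CommandLine": "auditpol.exe /policy:none",
           "ParentProcessId": "5120"}),
    # same command line but from a non-sysmon source, ignored by the filter
    Event({"service": "windows_security"},
          {"EventID": "1", "CommandLine": "auditpol.exe /sam:none",
           "ParentProcessId": "6000"}),
]

if __name__ == "__main__":
    for parent_pid in evaluate(SAMPLE_EVENTS):
        print("alert: audit policy tampering, scope ParentProcessId =", parent_pid)
```

Only the first sample event fires; the scope then reports its `ParentProcessId`, which is what the `scope` block of the scenario keys the alert on. Two caveats visible from the filter itself: `contains` in the expr language is case-sensitive, so the Python port is too, and the rule keys on the flag text rather than on the binary name, so any Event ID 1 whose command line carries one of these fragments will match.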