Audit Policy Category Discovery via Auditpol.EXE

Rule Info

Name
Audit Policy Category Discovery via Auditpol.EXE
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the use of auditpol.exe to query the audit policy and discover which audit categories are enabled on the system. Attackers may use this information to identify gaps in security monitoring and adjust their tactics accordingly. Because querying the audit policy requires elevated privileges, such use can be considered suspicious and warrants immediate attention unless an administrator is running it for a legitimate purpose.
Date
2026-06-04 00:00:00
Modified
None
Id
4eeec8de-32a3-4649-a460-c3d3ff1f48bc
Tags
attack.discovery attack.t1082
Type
Nextron Sigma feed only (private)
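
The rule's selection logic is not reproduced on this page, so the following is an added example of the detection described above, not the Nextron rule or Nextron's code: it flags process creations of auditpol.exe whose command line uses the /get verb, matching the binary by path or by PE OriginalFileName so a renamed copy is still caught, and deliberately ignoring /set and other policy-modifying verbs. Field names follow the Sigma process_creation log source (Image, OriginalFileName, CommandLine, ParentImage, User); the events are constructed sample data, not real telemetry.

```python
"""Illustrative detection logic for auditpol.exe audit-policy queries.

Added example: not the Nextron Sigma rule itself and not Nextron's code.
It implements what the rule description states: flag process creations of
auditpol.exe whose command line queries the audit policy with /get.
Field names follow the Sigma process_creation log source; the events in
SAMPLE_EVENTS are constructed for illustration.
"""


def is_auditpol_binary(event: dict) -> bool:
    """Match the binary by path or by PE OriginalFileName (catches renames)."""
    image = (event.get("Image") or "").lower()
    original = (event.get("OriginalFileName") or "").lower()
    return image.endswith("\\auditpol.exe") or original == "auditpol.exe"


def queries_audit_policy(command_line: str) -> bool:
    """True when /get appears as its own token on the command line.

    auditpol verbs are slash-prefixed and case-insensitive. /set, /clear,
    /remove and /resourceSACL change policy rather than read it, so they
    are intentionally not matched: this rule is about discovery only.
    """
    return any(tok.lower() == "/get" for tok in command_line.split())


def detect(event: dict) -> bool:
    """Rule decision for one process_creation event."""
    return is_auditpol_binary(event) and queries_audit_policy(
        event.get("CommandLine") or ""
    )


# Constructed sample events (assumed Sigma process_creation field names).
SAMPLE_EVENTS = [
    {  # classic discovery: dump every category's current setting
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\auditpol.exe",
        "OriginalFileName": "AUDITPOL.EXE",
        "CommandLine": "auditpol /get /category:*",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "User": "CORP\\jdoe",
    },
    {  # renamed copy: only OriginalFileName still identifies the binary
        "EventID": 2,
        "Image": "C:\\Users\\Public\\ap.exe",
        "OriginalFileName": "AUDITPOL.EXE",
        "CommandLine": 'ap.exe /GET /subcategory:"Process Creation"',
        "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "User": "CORP\\jdoe",
    },
    {  # policy change rather than a query: out of scope for this rule
        "EventID": 3,
        "Image": "C:\\Windows\\System32\\auditpol.exe",
        "OriginalFileName": "AUDITPOL.EXE",
        "CommandLine": 'auditpol /set /subcategory:"Logon" /success:enable',
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "User": "NT AUTHORITY\\SYSTEM",
    },
    {  # unrelated binary that merely mentions the string on its command line
        "EventID": 4,
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd /c echo auditpol /get",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "User": "CORP\\jdoe",
    },
]


def matching_event_ids(events: list) -> list:
    """Return the EventIDs the rule would fire on, in input order."""
    return [e["EventID"] for e in events if detect(e)]


if __name__ == "__main__":
    # Print one line per event; User and ParentImage are what an analyst
    # would triage on, since the rule cannot tell legitimate admin use apart.
    for ev in SAMPLE_EVENTS:
        flag = "ALERT" if detect(ev) else "     "
        print(f"{flag} [{ev['EventID']}] {ev['User']:<20} {ev['CommandLine']}")
```

Running the block flags events 1 and 2 and leaves 3 and 4 alone. The rule itself cannot distinguish the legitimate administrator case the description mentions, so the printed User and ParentImage columns are the triage hooks: a /get from an interactive administrator session during a change window reads differently from the same command spawned by a script host under an ordinary user account.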

Rule History