Overview
Findings for this detection may be related to expected software modifying audit policy logging, or to malicious actors trying to cover their tracks. Some software conducts this activity in a way that causes the specific logs listed in the finding to show only generic process information. To identify the underlying software, use Report Builder to search the related logs; if the activity turns out to be malicious, those same logs will support the investigation.
Investigating with the command field
If the evidence in the Details section of the finding does not indicate which software conducted the activity, you can usually find the software name by searching for other logs that contain the same value in the command field. Reviewing the process_name and parent_process_name fields of those logs will show which software caused the activity.
After creating the report, you will review the results under parent_process_name, which will lead you to the name of the software causing the alert.
To review the command field to find the software that caused the finding, do the following:
- In the finding, under Details, locate the command, which you will use to filter your report in later steps.
  Example: C:\WINDOWS\system32\auditpol.exe /set /subcategory:"Credential Validation" /success:disable /failure:disable
- Keeping your finding tab open, open another browser window and navigate to Reporting > Report Builder.
- Set Time Range to the timeframe when the activity occurred, and add a few extra minutes before the finding’s start time to include the logs showing the process name, which usually appear in the direct lead-up to the activity in the finding’s log evidence.
- In Data Sources, select Blumira Agent Endpoint Logs and Microsoft Windows, if applicable.
- Click Edit Report.
- Add the command, process_name, and parent_process_name columns to the report, as these fields will show you the process information that caused the activity. Alternatively, you can select Apply Suggested Columns.
- Click Add Filter and then add a filter that narrows the results to the logs containing the command in the finding.
  Example: command – Contains – C:\WINDOWS\system32\auditpol.exe /set /subcategory:"Credential Validation" /success:disable /failure:disable
- Click Submit.
Example: As shown in the image below, the report we created using our example's command reveals that the activity in question was caused by Blackpoint’s SnapAgent:
Investigating with process and parent process ID fields
If the evidence in the finding does not indicate which software conducted the activity, a simple way to link parent and child processes is to create a report that reviews the process_id and parent_process_id data from your logs. This can show you a chain of events with parent-child relationships and helps attribute the source of the processes leading to the logs that triggered the finding.
After creating the report, you will review the results under parent_process_name, which will lead you to the name of the software causing the alert.
To create a report to find the software’s name, do the following:
- In the finding, under Details, locate the parent_process_id and devname values, which you will use to filter your report in later steps.
  Example: The parent process ID is “10412” in the image below.
- Keeping your finding tab open, open another browser window and navigate to Reporting > Report Builder.
- Set Time Range to include the time around when the activity occurred. Be sure to include a few minutes of lead-up, as the logs showing the process name information will appear in the direct lead-up to the activity in the finding.
- In Data Sources, select Blumira Agent Endpoint Logs and Microsoft Windows, if available.
- Click Edit Report, and add these columns to the report: process_id, process_name, parent_process_id, and parent_process_name.
- Click Add Filter and then add filters to the report to narrow the results to the logs related to the device’s name and the parent process ID in the finding.
  Example: devname – Equal – DeviceName.Local AND process_id – Equal – 10412
- Click Submit.
Example: As shown in the image below, the report we created using our example's process ID reveals that the activity in question was caused by Blackpoint’s SnapAgent:
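The two lookups above (the "command Contains" filter and the devname plus process_id filter followed by reading parent_process_name) can also be scripted against exported log records. The following is an added example, not Blumira code; the records, the device name "DeviceName.Local", the PIDs and the "ExampleAgent.exe" vendor process are constructed placeholders, while the column names match the fields the article uses.

```python
# Added example: attributing an auditpol finding from exported endpoint logs.
# Records are constructed; field names match the report columns the article
# uses (devname, process_id, parent_process_id, process_name, parent_process_name, command).
AUDITPOL_CMD = ('C:\\WINDOWS\\system32\\auditpol.exe /set '
                '/subcategory:"Credential Validation" /success:disable /failure:disable')

SAMPLE_LOGS = [
    {"devname": "DeviceName.Local", "process_id": 9920, "parent_process_id": 704,
     "process_name": "services.exe", "parent_process_name": "wininit.exe",
     "command": "C:\\WINDOWS\\system32\\services.exe"},
    {"devname": "DeviceName.Local", "process_id": 10412, "parent_process_id": 9920,
     "process_name": "ExampleAgent.exe", "parent_process_name": "services.exe",
     "command": "C:\\Program Files\\ExampleVendor\\ExampleAgent.exe"},
    # The log that triggered the finding: a generic shell with auditpol in the command.
    {"devname": "DeviceName.Local", "process_id": 10550, "parent_process_id": 10412,
     "process_name": "cmd.exe", "parent_process_name": "ExampleAgent.exe",
     "command": "cmd.exe /c " + AUDITPOL_CMD},
    # Another host reusing the same PID number; the devname filter must exclude it.
    {"devname": "OtherHost.Local", "process_id": 10412, "parent_process_id": 1,
     "process_name": "explorer.exe", "parent_process_name": "userinit.exe",
     "command": "C:\\WINDOWS\\explorer.exe"},
]


def logs_containing_command(logs, fragment):
    """The 'command Contains' filter: every record whose command includes fragment."""
    return [r for r in logs if fragment in r["command"]]


def parent_chain(logs, devname, process_id, max_depth=16):
    """Follow process_id -> parent_process_id on one device and return the
    process names from the given PID up to the highest ancestor visible in
    the logs. Stops on a missing parent or a cycle (PID reuse can create one)."""
    by_pid = {(r["devname"], r["process_id"]): r for r in logs}
    chain, seen = [], set()
    while process_id not in seen and len(chain) < max_depth:
        seen.add(process_id)
        rec = by_pid.get((devname, process_id))
        if rec is None:
            break
        chain.append(rec["process_name"])
        process_id = rec["parent_process_id"]
    return chain


def attribute_finding(logs, devname, parent_process_id):
    """Software behind a finding: the process_name of the finding's parent PID
    on that device (the 'devname Equal ... AND process_id Equal ...' report),
    plus the ancestry above it for context."""
    chain = parent_chain(logs, devname, parent_process_id)
    return (chain[0] if chain else None), chain
```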
Using detection filters
In most instances, expected software conducts the activity that causes “Audit Policy Change via Auditpol” findings infrequently, making detection filters unnecessary. It can also be difficult to create a safe filter when the software conducts the activity in a way that does not record its process information in the logs. We recommend contacting the software vendor to see if this non-ideal behavior can be stopped.