Windows.System.AuditPolicy

Uses auditpol to retrieve the logging settings defined in the Windows Audit Policy.

Use this artifact to determine which Windows event logs are audited and identify audit configuration discrepancies across the environment.


name: Windows.System.AuditPolicy

description: |
   Uses auditpol to retrieve the logging settings defined in the Windows Audit
   Policy.

   Use this artifact to determine which Windows event logs are audited and
   identify audit configuration discrepancies across the environment.

type: CLIENT

author: Zach Stanford - @svch0st

implied_permissions:
  - EXECVE

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
      LET output = SELECT * FROM execve(
        argv=["auditpol.exe","/get","/category:*","/r"])

      SELECT * FROM foreach(
        row=output,
        query={
            SELECT * FROM parse_csv(filename=Stdout,accessor="data")
        }
      )