Auditpol.exe is the command-line utility tool to change Audit Security settings at the category and sub-category levels. Attackers can use AuditPol to enable or disable security auditing on local or remote systems and to adjust the audit criteria for different categories of security events.
The attacker would establish a null session to the target machine and run the command:
C:\>auditpol \\<ip address of target>
This will reveal the current audit status of the system. He or she can choose to disable the auditing by:
C :\>auditpol \\<ip address of target> /disable
This will make changes in the various logs that might register the attacker’s actions. He/she can choose to hide the registry keys changed later on.
The moment that intruders gain administrative privileges, they disable auditing with the help of auditpol.exe. Once they complete their mission, they again turn on auditing by using the same tool (audit.exe).
Attackers can use AuditPol to view defined auditing settings on the target computer, running the following command at the command prompt:
auditpol /get /category:*
Run clearlogs.exe from the command prompt, for clearing application logs
C:\clearlogs.exe -app
External references
- “Auditpol“; Microsoft