From bbb3ec045d3e588d5bb77b56f279d3aa413c215e Mon Sep 17 00:00:00 2001
From: M-khalifa1 <54780924+M-khalifa1@users.noreply.github.com>
Date: Sat, 24 Feb 2024 17:24:45 +0300
Subject: [PATCH 1/3] Create Auditpol.yml

---
 yml/OSBinaries/Auditpol.yml | 38 +++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 yml/OSBinaries/Auditpol.yml

diff --git a/yml/OSBinaries/Auditpol.yml b/yml/OSBinaries/Auditpol.yml
new file mode 100644
index 00000000..68b313ba
--- /dev/null
+++ b/yml/OSBinaries/Auditpol.yml
@@ -0,0 +1,38 @@
+---
+Name: Auditpol.exe
+Description: a command-line tool that allows users to query and set audit policies on Windows systems.
+Author: Mahmoud Khalifa
+Created: 2024-2-24 
+Commands:
+    Command: auditpol /set /subcategory:"System Integrity" /success:disable /failure:disable
+    Description: Disables auditing for system integrity, which is crucial for monitoring and ensuring the integrity of security features and the operating system.
+    Usecase: modify the audit configuration silently and disable or alter important parameters, preventing the creation or recording of Event Logs. 
+    Category: Execute
+    Privileges: Administrator
+    MitreID: T1562.002
+    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 10, Windows 11
+  - Command: auditpol /set /subcategory:"Logon" /success:enable /failure:enable
+    Description: Enables auditing for both successful and failed logon attempts.
+    Usecase: Use this command to monitor logon activities, which can help detect unauthorized access attempts.
+    Category: Execute
+    Privileges: Administrator
+    MitreID: T1562.002
+    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 10,Windows 11
+Full_Path:
+  - Path: C:\Windows\System32\auditpol.exe
+  - Path: C:\Windows\SysWOW64\auditpol.exe
+Code_Sample:
+  - Code: 
+Detection:
+  - IOC: Unexpected changes in audit policies
+  - IOC: auditpol.exe spawned under suspicious circumstances
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_auditpol_susp_execution.yml
+Resources:
+  - Link: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/audit-policy
+  - Link: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/advanced-security-audit-policy-settings
+  - Link: https://strontic.github.io/xcyclopedia/library/auditpol.exe-214E0EA1F7F7C27C82D23F183F9D23F1.html
+  - Link: https://help.fortinet.com/fsiem/Public_Resource_Access/7_1_1/rules/PH_RULE_Suspicious_Auditpol_Usage.htm
+Acknowledgement:
+  - Person: Mahmoud Khalifa
+    Handle: N/A
+ 

From 4f1e368b905f2be0af75a11f89d8bb526d1a50ac Mon Sep 17 00:00:00 2001
From: M-khalifa1 <54780924+M-khalifa1@users.noreply.github.com>
Date: Sat, 24 Feb 2024 17:40:07 +0300
Subject: [PATCH 2/3] Update Auditpol.yml

---
 yml/OSBinaries/Auditpol.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/yml/OSBinaries/Auditpol.yml b/yml/OSBinaries/Auditpol.yml
index 68b313ba..cac27ecb 100644
--- a/yml/OSBinaries/Auditpol.yml
+++ b/yml/OSBinaries/Auditpol.yml
@@ -1,10 +1,10 @@
 ---
 Name: Auditpol.exe
 Description: a command-line tool that allows users to query and set audit policies on Windows systems.
-Author: Mahmoud Khalifa
+Author: 'Mahmoud Khalifa'
 Created: 2024-2-24 
 Commands:
-    Command: auditpol /set /subcategory:"System Integrity" /success:disable /failure:disable
+  - Command: auditpol /set /subcategory:"System Integrity" /success:disable /failure:disable
     Description: Disables auditing for system integrity, which is crucial for monitoring and ensuring the integrity of security features and the operating system.
     Usecase: modify the audit configuration silently and disable or alter important parameters, preventing the creation or recording of Event Logs. 
     Category: Execute
@@ -34,5 +34,4 @@ Resources:
   - Link: https://help.fortinet.com/fsiem/Public_Resource_Access/7_1_1/rules/PH_RULE_Suspicious_Auditpol_Usage.htm
 Acknowledgement:
   - Person: Mahmoud Khalifa
-    Handle: N/A
  

From 41dc3d9c2f88311cc9a4494a3ec91545e75fcafd Mon Sep 17 00:00:00 2001
From: M-khalifa1 <54780924+M-khalifa1@users.noreply.github.com>
Date: Sat, 24 Feb 2024 17:51:04 +0300
Subject: [PATCH 3/3] Update Auditpol.yml

---
 yml/OSBinaries/Auditpol.yml | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/yml/OSBinaries/Auditpol.yml b/yml/OSBinaries/Auditpol.yml
index cac27ecb..d2ae179d 100644
--- a/yml/OSBinaries/Auditpol.yml
+++ b/yml/OSBinaries/Auditpol.yml
@@ -1,28 +1,28 @@
 ---
 Name: Auditpol.exe
-Description: a command-line tool that allows users to query and set audit policies on Windows systems.
+Description: a command-line tool that allows users to query and set audit policies on Windows systems
 Author: 'Mahmoud Khalifa'
-Created: 2024-2-24 
+Created: 2024-02-24
 Commands:
   - Command: auditpol /set /subcategory:"System Integrity" /success:disable /failure:disable
-    Description: Disables auditing for system integrity, which is crucial for monitoring and ensuring the integrity of security features and the operating system.
-    Usecase: modify the audit configuration silently and disable or alter important parameters, preventing the creation or recording of Event Logs. 
+    Description: Disables auditing for system integrity, which is crucial for monitoring and ensuring the integrity of security features and the operating system
+    Usecase: Modify the audit configuration silently and disable or alter important parameters, preventing the creation or recording of Event Logs
     Category: Execute
     Privileges: Administrator
     MitreID: T1562.002
     OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 10, Windows 11
   - Command: auditpol /set /subcategory:"Logon" /success:enable /failure:enable
-    Description: Enables auditing for both successful and failed logon attempts.
-    Usecase: Use this command to monitor logon activities, which can help detect unauthorized access attempts.
+    Description: Enables auditing for both successful and failed logon attempts
+    Usecase: Use this command to monitor logon activities, which can help detect unauthorized access attempts
     Category: Execute
     Privileges: Administrator
     MitreID: T1562.002
-    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 10,Windows 11
+    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 10, Windows 11
 Full_Path:
   - Path: C:\Windows\System32\auditpol.exe
   - Path: C:\Windows\SysWOW64\auditpol.exe
 Code_Sample:
-  - Code: 
+  - Code: null
 Detection:
   - IOC: Unexpected changes in audit policies
   - IOC: auditpol.exe spawned under suspicious circumstances
@@ -34,4 +34,3 @@ Resources:
   - Link: https://help.fortinet.com/fsiem/Public_Resource_Access/7_1_1/rules/PH_RULE_Suspicious_Auditpol_Usage.htm
 Acknowledgement:
   - Person: Mahmoud Khalifa
-