Examining Audit Policy Change Events

When a system is compromised, attackers will frequently attempt to disable auditing. The most beneficial way to do this is to modify the audit policy on the domain servers and those of the default domain policy. Then when the domain controller updates all member servers and workstations, they all get the new regulations to stop recording events.

Modifications to the audit policy are recorded as Event ID 4719 in Server 2008 and Event ID 612 in Server 2003. Server 2008 and Server 2003 record these events differently. Server 2008 records the absolute change in audit policy with each change category being recorded in its own event record. Thus, if an attacker turns off auditing for three different audit categories, ...

Get Mastering Windows Network Forensics and Investigation, 2nd Edition now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.