Mastering Windows Network Forensics and Investigation, 2nd Edition by Scott Pearson, Ryan Johnson, Steve Bunting, Steven Anson

Examining Audit Policy Change Events

When a system is compromised, attackers will frequently attempt to disable auditing. The most effective way to do this is to modify the audit policy on the domain servers and in the default domain policy; when the domain controller then pushes the updated policy to all member servers and workstations, every one of them receives the new settings and stops recording events.

Modifications to the audit policy are recorded as Event ID 4719 on Server 2008 and as Event ID 612 on Server 2003, and the two versions record these events differently. Server 2008 records the absolute change in audit policy, with each changed category recorded in its own event record. Thus, if an attacker turns off auditing for three different audit categories, ...
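Because Server 2008 writes one 4719 record per changed subcategory, an investigator usually wants to regroup those records by the logon session that made them. The following is an added example (not from the book) that parses exported 4719 event XML and lists, per logon ID, the subcategories whose success or failure auditing was removed; the sample records are constructed, and the `%%8448`–`%%8451` codes are the values Windows writes into the AuditPolicyChanges field as documented in Microsoft's auditing reference (verify against your own logs).

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Raw values found in the AuditPolicyChanges field of Event ID 4719.
CHANGE_CODES = {"%%8448": "Success removed", "%%8449": "Success added",
                "%%8450": "Failure removed", "%%8451": "Failure added"}

def parse_4719(xml_text):
    """Extract the fields of one Event ID 4719 record from its exported XML."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4719":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    changes = [CHANGE_CODES.get(c.strip(), c.strip())
               for c in data.get("AuditPolicyChanges", "").split(",") if c.strip()]
    return {"logon_id": data.get("SubjectLogonId", ""),
            "subcategory": data.get("SubcategoryGuid", ""),
            "changes": changes}

def disabled_subcategories(xml_events):
    """Group 'removed' changes by the logon session that made them: one logon
    disabling several subcategories in a row is the pattern described above."""
    by_logon = defaultdict(set)
    for xml_text in xml_events:
        rec = parse_4719(xml_text)
        if rec and any(c.endswith("removed") for c in rec["changes"]):
            by_logon[rec["logon_id"]].add(rec["subcategory"])
    return {k: sorted(v) for k, v in by_logon.items()}

def _sample(guid, changes, logon="0x3e7"):
    # Constructed sample in the shape of an exported 4719 record, not a real log.
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4719</EventID></System>'
            f'<EventData><Data Name="SubjectLogonId">{logon}</Data>'
            f'<Data Name="SubcategoryGuid">{guid}</Data>'
            f'<Data Name="AuditPolicyChanges">{changes}</Data></EventData></Event>')

SAMPLE_EVENTS = [  # three subcategories disabled by one logon, one re-enabled by another
    _sample("{0CCE9215-69AE-11D9-BED3-505054503030}", "%%8448, %%8450"),  # Logon
    _sample("{0CCE9217-69AE-11D9-BED3-505054503030}", "%%8448"),          # Account Lockout
    _sample("{0CCE922B-69AE-11D9-BED3-505054503030}", "%%8448, %%8450"),  # Process Creation
    _sample("{0CCE9215-69AE-11D9-BED3-505054503030}", "%%8449", logon="0x1a2b3"),
]

if __name__ == "__main__":
    for logon, subs in disabled_subcategories(SAMPLE_EVENTS).items():
        print(f"logon {logon} removed auditing for {len(subs)} subcategories: {subs}")
```

Records exported from a live system with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4719}` and `.ToXml()` have the same shape and can be fed to `disabled_subcategories` directly.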
