{
	"id": "10ec558e-f5ea-4039-b8eb-73fc7c800d4a",
	"created_at": "2026-04-06T00:06:36.80079Z",
	"updated_at": "2026-04-10T13:12:14.299616Z",
	"deleted_at": null,
	"sha1_hash": "041c2718e6084f10bb9631236726daefa5d0d7dd",
	"title": "auditpol.exe | Audit Policy Program",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 105200,
	"plain_text": "auditpol.exe | Audit Policy Program\r\nArchived: 2026-04-05 23:09:51 UTC\r\nauditpol.exe\r\nFile Path: C:\\Windows\\SysWOW64\\auditpol.exe\r\nDescription: Audit Policy Program\r\nHashes\r\nType Hash\r\nMD5 214E0EA1F7F7C27C82D23F183F9D23F1\r\nSHA1 D19837AFE4A9F8631E6F68D1A354E072AEA89388\r\nSHA256 7F5B9DCC8F4825D19D9C7B6A82A149DB624E39E0E2B8819317332FA7713C58C5\r\nSHA384 C763941493B9D86F2A3647B580FFF282ED7F700B5110488CB80EB0BE07DBE0E422F0F22403CADDFEE0847BC547A2E9CA\r\nSHA512 7B067F00510F830872655244D454B26987D118017E7A447ECA77CCD1221814C08753E96066D05818416AE44E65E9B7CBF22DD03BD574FB64388835B328C\r\nSSDEEP 768:Aay2Mii5gL4cu7yp+RKSCIbEIbMhfdy3vf7aG:HdfTLg++RxCubady3vf7\r\nRuntime Data\r\nUsage (stdout):\r\nUsage: AuditPol command [\u003csub-command\u003e\u003coptions\u003e]\r\nCommands (only one command permitted per execution)\r\n /? Help (context-sensitive)\r\n /get Displays the current audit policy.\r\n /set Sets the audit policy.\r\n /list Displays selectable policy elements.\r\n /backup Saves the audit policy to a file.\r\n /restore Restores the audit policy from a file.\r\n /clear Clears the audit policy.\r\n /remove Removes the per-user audit policy for a user account.\r\n /resourceSACL Configure global resource SACLs\r\nUse AuditPol \u003ccommand\u003e /? for details on each command\r\nUsage (stderr):\r\nError 0x00000057 occurred:\r\nThe parameter is incorrect.\r\nSignature\r\nStatus: Signature verified.\r\nSerial: 33000000BCE120FDD27CC8EE930000000000BC\r\nThumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E\r\nIssuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US\r\nSubject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US\r\nOriginal Filename: AUDITPOL.EXE.MUI\r\nProduct Name: Microsoft Windows Operating System\r\nCompany Name: Microsoft Corporation\r\nhttps://strontic.github.io/xcyclopedia/library/auditpol.exe-214E0EA1F7F7C27C82D23F183F9D23F1.html\r\nPage 1 of 4\n\nFile Version: 10.0.14393.0 (rs1_release.160715-1616)\r\nProduct Version: 10.0.14393.0\r\nLanguage: English (United States)\r\nLegal Copyright: Microsoft Corporation. All rights reserved.\r\nPossible Misuse\r\nThe following table contains possible examples of auditpol.exe being misused. While auditpol.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.\r\nSource | Source File | Example\r\nsigma | proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml | title: Suspicious NT Resource Kit Auditpol Usage\r\nsigma | proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml | description: Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\r\nsigma | proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml | - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/\r\nsigma | proc_creation_win_sus_auditpol_usage.yml | title: Suspicious Auditpol Usage\r\nsigma | proc_creation_win_sus_auditpol_usage.yml | description: Threat actors can use auditpol binary to change audit configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\r\nsigma | proc_creation_win_sus_auditpol_usage.yml | Image\\|endswith: '\\auditpol.exe'\r\natomic-red-team | T1562.002.md | Use the cleanup commands to restore some default auditpol settings (your settings will be lost)\r\natomic-red-team | T1562.002.md | auditpol /set /category:\"Account Logon\" /success:disable /failure:disable\r\natomic-red-team | T1562.002.md | auditpol /set /category:\"Logon/Logoff\" /success:disable /failure:disable\r\natomic-red-team | T1562.002.md | auditpol /set /category:\"Detailed Tracking\" /success:disable\r\natomic-red-team | T1562.002.md | auditpol /set /category:\"Account Logon\" /success:enable /failure:enable\r\natomic-red-team | T1562.002.md | auditpol /set /category:\"Detailed Tracking\" /success:enable\r\natomic-red-team | T1562.002.md | auditpol /set /category:\"Logon/Logoff\" /success:enable /failure:enable\r\natomic-red-team | T1562.002.md | Clear the Windows audit policy using auditpol utility. This action would stop audit events from being recorded in the security log.\r\natomic-red-team | T1562.002.md | auditpol /clear /y\r\natomic-red-team | T1562.002.md | auditpol /remove /allusers\r\nAdditional Info*\r\n*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.\r\nauditpol\r\nDisplays information about and performs functions to manipulate audit policies, including:\r\nSetting and querying a system audit policy.\r\nSetting and querying a per-user audit policy.\r\nSetting and querying auditing options.\r\nSetting and querying the security descriptor used to delegate access to an audit policy.\r\nReporting or backing up an audit policy to a comma-separated value (CSV) text file.\r\nLoading an audit policy from a CSV text file.\r\nConfiguring global resource SACLs.\r\nSyntax\r\nauditpol command [\u003csub-command\u003e\u003coptions\u003e]\r\nParameters\r\nSub-command | Description\r\n/get | Displays the current audit policy. For more information, see auditpol get for syntax and options.\r\n/set | Sets the audit policy. For more information, see auditpol set for syntax and options.\r\n/list | Displays selectable policy elements. For more information, see auditpol list for syntax and options.\r\n/backup | Saves the audit policy to a file. For more information, see auditpol backup for syntax and options.\r\n/restore | Restores the audit policy from a file that was previously created by using auditpol /backup. For more information, see auditpol restore for syntax and options.\r\n/clear | Clears the audit policy. For more information, see auditpol clear for syntax and options.\r\n/remove | Removes all per-user audit policy settings and disables all system audit policy settings. For more information, see auditpol remove for syntax and options.\r\n/resourceSACL | Configures global resource system access control lists (SACLs). Note: Applies only to Windows 7 and Windows Server 2008 R2. For more information, see auditpol resourceSACL.\r\n/? | Displays help at the command prompt.\r\nAdditional References\r\nCommand-Line Syntax Key\r\nMIT License. Copyright (c) 2020-2021 Strontic.\r\nSource: https://strontic.github.io/xcyclopedia/library/auditpol.exe-214E0EA1F7F7C27C82D23F183F9D23F1.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://strontic.github.io/xcyclopedia/library/auditpol.exe-214E0EA1F7F7C27C82D23F183F9D23F1.html"
	],
	"report_names": [
		"auditpol.exe-214E0EA1F7F7C27C82D23F183F9D23F1.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775433996,
	"ts_updated_at": 1775826734,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/041c2718e6084f10bb9631236726daefa5d0d7dd.pdf",
		"text": "https://archive.orkl.eu/041c2718e6084f10bb9631236726daefa5d0d7dd.txt",
		"img": "https://archive.orkl.eu/041c2718e6084f10bb9631236726daefa5d0d7dd.jpg"
	}
}