Audit Logging Disabled

ID: audit-logging-disabled

Severity: high

Author: princechaddha

Tags: windows,audit-logging,security,code,windows-audit

Description

Check if audit logging for critical events is disabled.

YAML Source

id: audit-logging-disabled

info:
  name: Audit Logging Disabled
  author: princechaddha
  severity: high
  description: Check if audit logging for critical events is disabled.
  impact: |
    Disabling audit logging can lead to a lack of traceability for security incidents and breaches.
  remediation: |
    Enable audit logging for all critical security events to maintain a proper audit trail.
  tags: windows,audit-logging,security,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      AuditPol /get /category:"Account Logon"
      AuditPol /get /category:"Account Management"

    matchers:
      - type: word
        words:
          - "User Account Management                 No Auditing"
          - "Computer Account Management             No Auditing"
          - "Security Group Management               No Auditing"
          - "Credential Validation                   No Auditing"
          - "Kerberos Authentication Service         No Auditing"
# digest: 4b0a00483046022100fe71dabfda7137e13789668bc1e7d21da174b4afffc49f8f543d3935bf723ce40221008dfd322fd276de6bde6bf54d432b1932995c35715d0b50f6d3ebf27b9fb8ba5f:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "code/windows/audit/audit-logging-disabled.yaml"

View on Github