Overview

The AuditPolicies command enumerates both classic and advanced audit policy settings configured on the system. These policies determine what security events are logged by Windows, providing crucial insight into what activities will be visible to defenders through event logs. Understanding audit policies helps assess the visibility and logging posture of a target system, indicating what actions might be detected or remain unlogged.

Syntax

Seatbelt.exe AuditPolicies
This command does not support remote execution. Use AuditPolicyRegistry for remote enumeration.

Output

The command returns audit policy configuration including:
  • Classic audit policies (9 categories)
  • Advanced audit policies (subcategories)
  • Success/Failure audit settings
  • Policy enforcement status
  • Category-specific settings

Audit Categories

  • System
  • Logon/Logoff
  • Object Access
  • Privilege Use
  • Detailed Tracking
  • Policy Change
  • Account Management
  • Directory Service Access
  • Account Logon

Use Cases

Red Team:
  • Identify which activities will generate event logs
  • Discover logging blind spots for stealthy operations
  • Plan actions to minimize forensic footprint
  • Assess detection surface before executing techniques
  • Understand which credential theft methods might be logged
  • Determine if process creation is audited

Example Output

====== AuditPolicies ======

Classic Audit Policies:
  Audit System Events              : Success and Failure
  Audit Logon Events               : Success and Failure
  Audit Object Access              : No Auditing
  Audit Privilege Use              : No Auditing
  Audit Process Tracking           : Success
  Audit Policy Change              : Success
  Audit Account Management         : Success and Failure
  Audit Directory Service Access   : No Auditing
  Audit Account Logon Events       : Success and Failure

Advanced Audit Policies:
  Credential Validation            : Success and Failure
  Kerberos Authentication Service  : Success and Failure
  Process Creation                 : Success
  Logon                            : Success and Failure
  Special Logon                    : Success
  Security Group Management        : Success

Remote Execution

This command does NOT support remote execution.
For remote audit policy enumeration, use the AuditPolicyRegistry command instead, which reads audit settings from the registry and supports the -computername parameter.

Detection Considerations

This command has limited detection surface:
  • API Calls: Uses AuditQuerySystemPolicy and AuditEnumerateCategories APIs
  • Privilege Level: Typically requires local administrator privileges
  • Event Logs: Querying the policy does not itself write a Security event; Security event 4719 (System audit policy changed) is only generated if the policy is modified
  • EDR Telemetry: Security products may log API calls to audit policy functions

Defensive Recommendations

While enumeration itself is low-risk, it often precedes malicious activity:
  • Monitor for execution of reconnaissance tools
  • Alert on multiple enumeration commands from a single process
  • Track access to security policy APIs
  • Correlate with other suspicious activities
  • Enable process creation logging (Event ID 4688)
  • Consider application whitelisting to prevent unauthorized tools

Attackers often check audit policies early in the reconnaissance phase to understand their detection risk. This activity, combined with other enumeration, is a strong indicator of reconnaissance.
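The same output a red team reads for blind spots can be parsed by a defender to verify logging posture. The following is an added example, not part of Seatbelt or this page: it parses text in the AuditPolicies layout shown under Example Output (the sample below is constructed) and compares the advanced subcategories against an assumed baseline, flagging gaps such as missing Process Creation auditing (the source of Event ID 4688).

```python
import re

# Constructed sample in the same layout Seatbelt prints for AuditPolicies
SAMPLE_OUTPUT = """\
====== AuditPolicies ======

Classic Audit Policies:
  Audit System Events              : Success and Failure
  Audit Logon Events               : Success and Failure
  Audit Object Access              : No Auditing
  Audit Process Tracking           : Success

Advanced Audit Policies:
  Credential Validation            : Success and Failure
  Process Creation                 : Success
  Logon                            : Success and Failure
  Special Logon                    : Success
"""

# Assumed defender baseline (not from Seatbelt): subcategory -> flags that must be on
BASELINE = {
    "Process Creation": {"Success"},            # feeds Event ID 4688
    "Logon": {"Success", "Failure"},
    "Credential Validation": {"Success", "Failure"},
    "Security Group Management": {"Success"},
}

# Matches an indented "  <name> : <setting>" line; headers and blank lines do not match
LINE_RE = re.compile(r"^\s{2}(.+?)\s*:\s*(.+?)\s*$")

def parse_audit_output(text):
    """Return {section: {name: set(flags)}}; 'No Auditing' becomes an empty set."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.endswith("Policies:"):           # "Classic Audit Policies:" etc.
            current = line[:-1]
            sections[current] = {}
            continue
        m = LINE_RE.match(line)
        if m and current:
            name, setting = m.groups()
            flags = set() if setting == "No Auditing" else set(setting.split(" and "))
            sections[current][name] = flags
    return sections

def unaudited_classic(sections):
    """Classic categories set to 'No Auditing' (sorted names)."""
    classic = sections.get("Classic Audit Policies", {})
    return sorted(name for name, flags in classic.items() if not flags)

def find_gaps(sections, baseline=BASELINE):
    """Baseline subcategories that are absent from the advanced policy or lack a flag."""
    advanced = sections.get("Advanced Audit Policies", {})
    gaps = {}
    for name, required in baseline.items():
        missing = required - advanced.get(name, set())
        if missing:
            gaps[name] = sorted(missing)
    return gaps
```

Run against real output, a non-empty result from find_gaps is the list of subcategories to enable before the system's logging matches the baseline.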