https://www.verboon.info/tags/advancedhunting/Recent content in Advancedhunting on Anything About ITHugoen-usSun, 26 Sep 2021 20:15:06 +0000https://www.verboon.info/2021/09/detect-audit-policy-modifications-with-microsoft-365-defender/Sun, 26 Sep 2021 20:15:06 +0000https://www.verboon.info/2021/09/detect-audit-policy-modifications-with-microsoft-365-defender/<p>Hello there,</p> <p>In today&rsquo;s blog post I want to share with you an advanced hunting query to detect audit policy modifications using Microsoft Defender 365 advanced hunting. Following the MITRE ATT&amp;CK framework this would be <a href="https://attack.mitre.org/techniques/T1484/001/">T1484.001 Domain Policy Modification: Group Policy Modification</a>.</p> <p>Microsoft Defender for Endpoint can help us detect audit policy modifications by running the following query:</p> <p> <img src="092621_1955_DetectAudit1.png" alt=""> </p> <p>Detailed information about the audit policy changes is displayed in the AdditionalFields data. Now all we need to do is to translate these values into human readable data.</p>