audit-logs-not-archived: Audit Logs Not Archived When Full

日期: 2025-08-01 | 影响软件: Audit Logs Not Archived | POC: 已公开

漏洞描述

Checks if audit logs are not archived when full, leading to potential data loss.

PoC代码[已公开]

id: audit-logs-not-archived

info:
  name: Audit Logs Not Archived When Full
  author: princechaddha
  severity: high
  description: Checks if audit logs are not archived when full, leading to potential data loss.
  impact: |
    Failure to archive full logs could result in the loss of crucial audit data, hindering forensic analysis and incident response.
  remediation: |
    Enable log archiving to preserve important security event data.
  tags: windows,audit,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    pattern: "*.ps1"
    source: |
      wevtutil get-log security

    matchers:
      - type: word
        words:
          - "retention: false"
# digest: 4a0a00473045022031a2f69be664ee91ab5f1221d2e6cb923a5ebaf2ff7a1c027b42e4bdfa8e4b80022100d96550326b8dc4b1b8c29b91e49d3b0193d9e38243aa3aa477fa16ab31f5bd85:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./code/windows/audit/audit-logs-not-archived.yaml