Audit policy change This policy setting determines whether to audit every incident of a change to user rights assignment policies, Windows Firewall policies, Trust policies, or changes to the Audit policy itself. The recommended settings would let you see any account privileges that an attacker attempts to elevate?for example, by adding the Debug programs privilege or the Back up files and directories privilege.

(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy!Audit policy change (2) WMI: root\rsop\computer#RSOP_AuditPolicy#Success, Failure#Category='AuditPolicyChange' and precedence=1