Product: Auditbeat
Use-Case: Audit Tampering
Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers
---|---|---|---|---
8 | 2 | 7 | 2 | 0
Event Type | Rules | Models
---|---|---
audit-log-clear | T1070.001 - Indicator Removal on Host: Clear Windows Event Logs<br>↳ WA-HA-F-1: First audit log clearance on host<br>↳ AE-UA-FA: First audit activity type for user<br>↳ WA-CS: Audit activity on a critical system for user<br>↳ A-WA-F: Audit log has been cleared on this asset<br>T1562.002 - Impair Defenses: Disable Windows Event Logging<br>↳ AE-UA-FA: First audit activity type for user<br>↳ WA-CS: Audit activity on a critical system for user | • AE-UA: All activity for users<br>• WA-HA: Hosts with audit policy/audit log changes
process-created | T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription<br>↳ A-WMI-Script-Event-Consumers: Suspicious usage of WMI script event consumers on this asset<br>T1562 - Impair Defenses<br>↳ A-Sysmon-Driver-Unload: Possible Sysmon driver unloaded on this asset<br>T1059 - Command and Scripting Interpreter<br>↳ A-ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion on this asset<br>T1070 - Indicator Removal on Host<br>↳ A-ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion on this asset<br>T1562.006 - Impair Defenses: Indicator Blocking<br>↳ A-ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion on this asset<br>T1070.001 - Indicator Removal on Host: Clear Windows Event Logs<br>↳ A-EventLog-Tamper: EventLog has been tampered with on this asset | 