r_m_github_github_Audit_Tampering.md

File metadata and controls

14 lines (12 loc) · 1.69 KB

Rules by Product and UseCase

Vendor: GitHub

Product: GitHub

Use-Case: Audit Tampering

| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|-------|--------|--------------------|----------------|---------|
| 4     | 0      | 7                  | 1              | 0       |
Event Type: process-created (rules are listed under each MITRE ATT&CK TTP they map to; this use case has no models)

- T1546 - Event Triggered Execution
  - A-WMI-Script-Event-Consumers: Suspicious usage of WMI script event consumers on this asset.
- T1546.003 - T1546.003
  - A-WMI-Script-Event-Consumers: Suspicious usage of WMI script event consumers on this asset.
- T1562 - Impair Defenses
  - A-ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion on this asset.
  - A-Sysmon-Driver-Unload: Possible Sysmon driver unloaded on this asset.
- T1059 - Command and Scripting Interpreter
  - A-ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion on this asset.
- T1070 - Indicator Removal on Host
  - A-EventLog-Tamper: EventLog has been tampered with on this asset.
  - A-ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion on this asset.
- T1562.006 - T1562.006
  - A-ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion on this asset.
- T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  - A-EventLog-Tamper: EventLog has been tampered with on this asset.