Vendor: Microsoft
June 14, 2023
Product: Windows
Use-Case: Audit Tampering
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 12 | 2 | 7 | 3 | 3 |
| Event Type | Rules | Models |
|---|---|---|
| audit-log-clear | T1070.001 - Indicator Removal on Host: Clear Windows Event Logs ↳ A-WA-F: Audit log has been cleared on this asset ↳ WA-HA-F-1: First audit log clearance on host ↳ AE-UA-FA: First audit activity type for user ↳ WA-CS: Audit activity on a critical system for user T1562.002 - Impair Defenses: Disable Windows Event Logging ↳ AE-UA-FA: First audit activity type for user ↳ WA-CS: Audit activity on a critical system for user | • AE-UA: All activity for users • WA-HA: Hosts with audit policy/audit log changes |
| audit-policy-change | T1070.001 - Indicator Removal on Host: Clear Windows Event Logs ↳ AE-UA-FA: First audit activity type for user ↳ WA-CS: Audit activity on a critical system for user T1562.002 - Impair Defenses: Disable Windows Event Logging ↳ WA-HA-F-2: First audit policy change on host ↳ AE-UA-FA: First audit activity type for user ↳ WA-CS: Audit activity on a critical system for user | • AE-UA: All activity for users • WA-HA: Hosts with audit policy/audit log changes |
| process-created | T1562.006 - Impair Defenses: Indicator Blocking ↳ A-ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion on this asset ↳ ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion ↳ Sysmon-Driver-Unload: Possible Sysmon driver unloaded. T1059 - Command and Scripting Interpreter ↳ A-ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion on this asset ↳ ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion T1070 - Indicator Removal on Host ↳ A-ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion on this asset ↳ ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion T1070.001 - Indicator Removal on Host: Clear Windows Event Logs ↳ A-EventLog-Tamper: EventLog has been tampered with on this asset ↳ EventLog-Tamper: EventLog has been tampered with T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription ↳ A-WMI-Script-Event-Consumers: Suspicious usage of WMI script event consumers on this asset. T1562 - Impair Defenses ↳ A-Sysmon-Driver-Unload: Possible Sysmon driver unloaded on this asset. |