Use Case: Audit Tampering

April 15, 2026 · View on GitHub


Vendor: BeyondTrust

Product: BeyondTrust
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Vendor: Cisco

Product: Cisco IOS
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Product: Cisco Network Security
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Vendor: Citrix

Product: Citrix Gateway
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Vendor: CrowdStrike

Product: Falcon
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.002 - Impair Defenses: Disable Windows Event Logging
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 8 Rules
  • 2 Models

Vendor: Delinea

Product: Centrify Infrastructure Services
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Vendor: Digital Guardian

Product: Digital Guardian Endpoint Protection
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Product: Digital Guardian Network DLP
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Vendor: Dtex Systems

Product: DTEX InTERCEPT
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Vendor: FreeBSD

Product: FreeBSD
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Vendor: GitHub

Product: GitHub
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Vendor: HelpSystems

Product: Powertech Identity and Access Manager
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Vendor: Huawei

Product: Huawei Unified Security Gateway
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Vendor: Jamf

Product: Jamf Protect
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Vendor: Juniper Networks

Product: Junos OS
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Vendor: LogRhythm

Product: LogRhythm
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Vendor: Microsoft

Product: Azure Monitor - VM Insights
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Product: Event Viewer - Application
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Product: Event Viewer - PowerShell
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Product: Event Viewer - Security
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.002 - Impair Defenses: Disable Windows Event Logging
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 9 Rules
  • 2 Models

Product: Event Viewer - System
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.002 - Impair Defenses: Disable Windows Event Logging
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 8 Rules
  • 2 Models

Product: Microsoft Defender
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Product: Microsoft Sentinel
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Product: Microsoft WMI Log
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Product: Sysmon
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules
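The Microsoft sources above (Security, System, PowerShell and WMI-Activity channels) are where the audit-tampering techniques listed on this page leave their most direct traces. The following detector is an added example written for this page; it is not Exabeam's, Microsoft's or any listed vendor's rule content, and its rule names, thresholds and helper functions are the example's own. It maps constructed Windows event records (the event IDs 1102, 104, 4104, 4688, 4719 and 5861 are real Windows event IDs; the accounts, command lines, trace-session name and WMI consumer name are made up for illustration) to the ATT&CK techniques in the table, then flags accounts that touched more than one technique, since a single cleared log can be maintenance while clearing logs and disabling auditing from the same account rarely is.

```python
# Added example for this page (editor's own code, not any vendor's rules):
# map Windows event records to the audit-tampering techniques listed above.
import re

# Constructed sample records in a simplified Event Viewer layout.
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 1102, "user": "CORP\\jdoe",
     "message": "The audit log was cleared."},
    {"channel": "System", "event_id": 104, "user": "CORP\\jdoe",
     "message": "The System log file was cleared."},
    {"channel": "Microsoft-Windows-PowerShell/Operational", "event_id": 4104,
     "user": "CORP\\svc-backup", "message": "Clear-EventLog -LogName Security"},
    {"channel": "Security", "event_id": 4688, "user": "CORP\\jdoe",
     "message": "New Process Name: C:\\Windows\\System32\\auditpol.exe "
                "Process Command Line: auditpol /set /category:\"Logon/Logoff\" /success:disable"},
    {"channel": "Security", "event_id": 4688, "user": "CORP\\jdoe",
     "message": "New Process Name: C:\\Windows\\System32\\wevtutil.exe "
                "Process Command Line: wevtutil cl Security"},
    {"channel": "Security", "event_id": 4719, "user": "CORP\\jdoe",
     "message": "System audit policy was changed."},
    {"channel": "Security", "event_id": 4688, "user": "CORP\\jdoe",
     "message": "New Process Name: C:\\Windows\\System32\\sc.exe "
                "Process Command Line: sc stop eventlog"},
    {"channel": "Security", "event_id": 4688, "user": "CORP\\jdoe",
     "message": "New Process Name: C:\\Windows\\System32\\logman.exe "
                "Process Command Line: logman stop SecurityTrace -ets"},  # session name is made up
    {"channel": "Microsoft-Windows-WMI-Activity/Operational", "event_id": 5861,
     "user": "SYSTEM", "message": "Namespace = //./root/subscription; "
                "Consumer = CommandLineEventConsumer.Name=\"Updater\""},  # consumer name is made up
    {"channel": "Security", "event_id": 4624, "user": "CORP\\jdoe",
     "message": "An account was successfully logged on."},  # benign control record
]

# Command-line patterns, matched against process-creation (4688) and
# PowerShell script-block (4104) messages.
CLEAR_LOG = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b|\b(?:Clear|Remove)-EventLog\b", re.I)
AUDIT_OFF = re.compile(r"\bauditpol(?:\.exe)?\s+(?:/clear|/remove|/set\b.*?/(?:success|failure):disable)", re.I)
EVTLOG_SVC_OFF = re.compile(r"\bsc(?:\.exe)?\s+(?:stop|config)\s+eventlog\b|\bStop-Service\b.*\bEventLog\b", re.I)
ETW_OFF = re.compile(r"\blogman(?:\.exe)?\s+(?:stop|delete)\b|\b(?:Set|Remove)-EtwTraceProvider\b", re.I)


def _cmd(e):
    """True for records that carry a command line (process creation or script block)."""
    return e["event_id"] in (4688, 4104)


# (rule name, ATT&CK technique, predicate over one record)
RULES = [
    ("Security log cleared (1102)", "T1070.001",
     lambda e: e["channel"] == "Security" and e["event_id"] == 1102),
    ("System log cleared (104)", "T1070.001",
     lambda e: e["channel"] == "System" and e["event_id"] == 104),
    ("Log-clearing command", "T1070.001",
     lambda e: _cmd(e) and bool(CLEAR_LOG.search(e["message"]))),
    ("Log-clearing via PowerShell script block", "T1059.001",
     lambda e: e["event_id"] == 4104 and bool(CLEAR_LOG.search(e["message"]))),
    ("Audit policy changed (4719)", "T1562.002",
     lambda e: e["channel"] == "Security" and e["event_id"] == 4719),
    ("auditpol disables auditing", "T1562.002",
     lambda e: _cmd(e) and bool(AUDIT_OFF.search(e["message"]))),
    ("Event Log service stopped", "T1562.002",
     lambda e: _cmd(e) and bool(EVTLOG_SVC_OFF.search(e["message"]))),
    ("ETW session or provider removed", "T1562.006",
     lambda e: _cmd(e) and bool(ETW_OFF.search(e["message"]))),
    ("Permanent WMI event subscription (5861)", "T1546.003",
     lambda e: e["channel"].startswith("Microsoft-Windows-WMI-Activity") and e["event_id"] == 5861),
]


def detect(events):
    """Return one alert per (record, matching rule) pair."""
    alerts = []
    for e in events:
        for name, technique, matches in RULES:
            if matches(e):
                alerts.append({"rule": name, "technique": technique,
                               "event_id": e["event_id"], "user": e["user"]})
    return alerts


def techniques_by_user(alerts):
    """Group the distinct techniques observed per account."""
    out = {}
    for a in alerts:
        out.setdefault(a["user"], set()).add(a["technique"])
    return out


def suspicious_users(alerts, min_techniques=2):
    """Accounts whose activity spans at least min_techniques distinct techniques."""
    return sorted(u for u, t in techniques_by_user(alerts).items() if len(t) >= min_techniques)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["technique"]:<10} {a["event_id"]:>5} {a["user"]:<16} {a["rule"]}')
    print("escalate:", suspicious_users(found))
```

The per-record rules are deliberately narrow; the escalation step is what turns them into something an analyst can act on, and the threshold is the knob to tune against a given environment's maintenance noise. On the sample records the benign 4624 logon produces nothing, the SYSTEM account is held at one technique (the WMI subscription alone), and the two interactive accounts are escalated.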

Vendor: Oracle

Product: Solaris
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Vendor: SentinelOne

Product: Singularity Platform
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Vendor: SkySea

Product: SkySea ClientView
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Vendor: Trend Micro

Product: Deep Security
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Vendor: Unix

Product: Auditbeat
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Product: Unix
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Product: Unix Auditd
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Vendor: VMware

Product: Carbon Black App Control
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Product: Carbon Black CES
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Product: Carbon Black EDR
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 4 Rules

Vendor:

Product:
MITRE ATT&CK® TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1070 - Indicator Removal on Host
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1546 - Event Triggered Execution
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1562 - Impair Defenses
  • T1562.002 - Impair Defenses: Disable Windows Event Logging
  • T1562.006 - Impair Defenses: Indicator Blocking
Content:
  • 8 Rules
  • 2 Models