Product: GravityZone
Use-Case: Audit Tampering
| Rules | Models | MITRE TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 7 | 0 | 3 | 4 | 4 |
| Event Type | Rules | Models |
|---|---|---|
| process-created | T1070 - Indicator Removal on Host ↳ A-ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion on this asset ↳ A-CSharp-Interactive-Console: Execution of CSharp interactive console by PowerShell on this asset. ↳ ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion ↳ OpenWith-Exec-Cmd: OpenWith.exe executed via command line T1070.001 - Indicator Removal on Host: Clear Windows Event Logs ↳ A-EventLog-Tamper: EventLog has been tampered with on this asset ↳ EventLog-Tamper: EventLog has been tampered with T1047 - Windows Management Instrumentation ↳ A-WMI-Spawn-PowerShell: PowerShell was spawned via WMI on this asset. |