Product: Falcon
Use-Case: Audit Tampering
Rules | Models | MITRE TTPs | Event Types | Parsers |
---|---|---|---|---|
7 | 0 | 6 | 27 | 27 |
Event Type | Rules | Models |
---|---|---|
process-created | 7 | 0 |

Rules on the process-created event type, grouped by the MITRE ATT&CK technique they map to (a rule appears under every technique it is tagged with; the "A-" variants are the per-asset form of the same detection):

- T1562.006 - Impair Defenses: Indicator Blocking
  ↳ A-ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion on this asset
  ↳ ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion
  ↳ Sysmon-Driver-Unload: Possible Sysmon driver unloaded
- T1059 - Command and Scripting Interpreter
  ↳ A-ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion on this asset
  ↳ ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion
- T1070 - Indicator Removal on Host
  ↳ A-ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion on this asset
  ↳ ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion
- T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  ↳ A-EventLog-Tamper: EventLog has been tampered with on this asset
  ↳ EventLog-Tamper: EventLog has been tampered with
- T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  ↳ A-WMI-Script-Event-Consumers: Suspicious usage of WMI script event consumers on this asset
- T1562 - Impair Defenses
  ↳ A-Sysmon-Driver-Unload: Possible Sysmon driver unloaded on this asset
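The page lists the rule names and the techniques they cover but not the logic behind them. The following is an added example, not the vendor's rule implementation, of how detections of this shape run over process-created events: each rule is a pattern over the command line, and hits are then rolled up per host to give the per-asset view that the "A-" rule variants appear to represent. The command-line indicators (logman/Set-EtwTraceProvider for ETW, wevtutil cl/Clear-EventLog for log clearing, fltmc unload/sysmon -u for the driver, ActiveScriptEventConsumer for WMI) and the sample events are this example's own assumptions, chosen as well-known tampering commands, and are not taken from the page.

```python
"""Toy audit-tampering detector over process-created events.

Added illustration of the rule categories on this page; the regexes below are
this example's assumptions about what such rules look for, not the vendor's logic.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    technique: str
    command_line: str


# (rule name, MITRE technique, pattern applied to the lower-cased command line)
RULES = [
    # Stopping/deleting an ETW trace session or disabling a channel -> T1562.006
    ("ETW-Trace-Disable", "T1562.006", re.compile(
        r"(?:\blogman(?:\.exe)?\s+(?:stop|delete)\b"
        r"|\bset-etwtraceprovider\b|\bremove-etwtraceprovider\b"
        r"|\bwevtutil(?:\.exe)?\s+(?:sl|set-log)\b.*/e:false)")),
    # Clearing Windows event logs -> T1070.001
    ("EventLog-Tamper", "T1070.001", re.compile(
        r"(?:\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b"
        r"|\bclear-eventlog\b"
        r"|eventlogsession\]::globalsession\.clearlog)")),
    # Unloading the Sysmon minifilter driver or uninstalling Sysmon -> T1562
    ("Sysmon-Driver-Unload", "T1562", re.compile(
        r"(?:\bfltmc(?:\.exe)?\s+unload\s+sysmon\w*"
        r"|\bsysmon(?:64)?(?:\.exe)?\s+-u\b)")),
    # Creating a WMI script event consumer (persistence via subscription) -> T1546.003
    ("WMI-Script-Event-Consumers", "T1546.003", re.compile(
        r"activescripteventconsumer")),
]


def detect(events):
    """Apply every rule to every event; return one Alert per (event, rule) hit."""
    alerts = []
    for ev in events:
        cmd = ev.command_line.lower()
        for rule, technique, pattern in RULES:
            if pattern.search(cmd):
                alerts.append(Alert(ev.host, rule, technique, ev.command_line))
    return alerts


def alerts_by_asset(alerts):
    """Per-host roll-up: which rules fired on each asset (the 'A-' view)."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.rule)
    return by_host


# Constructed sample events (hypothetical hosts and command lines, not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "powershell.exe", 'powershell.exe -c "wevtutil cl Security"'),
    ProcessEvent("ws01", "logman.exe", "logman stop EventLog-Security -ets"),
    ProcessEvent("srv02", "fltMC.exe", "fltMC.exe unload SysmonDrv"),
    ProcessEvent("srv02", "wevtutil.exe", "wevtutil qe Security /c:5"),  # benign query
    ProcessEvent("ws03", "powershell.exe",
                 r'powershell.exe Set-WmiInstance -Namespace root\subscription '
                 r"-Class ActiveScriptEventConsumer -Arguments @{Name='x';"
                 r"ScriptingEngine='VBScript';ScriptText='...'}"),
]


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for a in hits:
        print(f"{a.host}: {a.rule} ({a.technique}) <- {a.command_line}")
    print("per asset:", alerts_by_asset(hits))
```

The benign `wevtutil qe` query is included to show that the log-clearing pattern keys on the `cl`/`clear-log` verb rather than on the tool name; in a production rule the same distinction is what keeps administrative log reads out of the alert stream.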