Adding new test for T1654 for Enumerate Windows Security Log (#2704)

* Adding new test for T1654 for Enumerate Windows Security Log via WevtUtil

* Update T1654.yaml

---------

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
chefengineer
2024-02-27 02:16:32 +11:00
committed by GitHub
parent d7cdd5d68a
commit a09cebd1a3
@@ -17,3 +17,16 @@ atomic_tests:
cleanup_command: powershell -c "remove-item $env:temp\T1654_events.txt -ErrorAction Ignore"
name: powershell
elevation_required: true
- name: Enumerate Windows Security Log via WevtUtil
description: |-
WevtUtil is a command line tool that can be utilised by adversaries to gather intelligence on a targeted Windows system's logging infrastructure.
By executing this command, malicious actors can enumerate all available event logs, including both default logs such as Application, Security, and System
as well as any custom logs created by administrators.
This information provides valuable insight into the system's logging mechanisms, potentially allowing attackers to identify gaps or weaknesses in the logging configuration
supported_platforms:
- windows
executor:
command: wevtutil enum-logs
name: command_prompt
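Review bot: the test name "Enumerate Windows Security Log via WevtUtil" does not match what the executor runs; `wevtutil enum-logs` lists the names of every registered event log and neither reads the Security log nor is limited to it, and the description itself says the command enumerates "all available event logs". Either rename the test to something like "Enumerate Windows Event Logs via WevtUtil" or, if the Security log is the intended target, use a command that actually touches it, such as `wevtutil gl Security` for its configuration or `wevtutil qe Security /c:5 /f:text` to read a few records (the latter needs elevation, so `elevation_required: true` would then be needed, which this test omits while the preceding test in the file sets it explicitly). Separately, the last sentence of the description is missing its terminating period, and "potentially allowing attackers to identify gaps or weaknesses" is the only phrase that ties the test to the technique; stating plainly that the output reveals which logs exist (and therefore which ones an attacker may later clear or disable) would make the mapping to T1654 clearer for readers of the YAML.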