Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -1193,6 +1193,7 @@ discovery,T1087.002,Account Discovery: Domain Account,13,Enumerate Linked Polici
 discovery,T1087.002,Account Discovery: Domain Account,14,Enumerate Root Domain linked policies Discovery,00c652e2-0750-4ca6-82ff-0204684a6fe4,powershell
 discovery,T1087.002,Account Discovery: Domain Account,15,WinPwn - generaldomaininfo,ce483c35-c74b-45a7-a670-631d1e69db3d,powershell
 discovery,T1087.002,Account Discovery: Domain Account,16,Kerbrute - userenum,f450461c-18d1-4452-9f0d-2c42c3f08624,powershell
+discovery,T1087.002,Account Discovery: Domain Account,17,Wevtutil - Discover NTLM Users Remote,b8a563d4-a836-4993-a74e-0a19b8481bfe,powershell
 discovery,T1087.001,Account Discovery: Local Account,1,Enumerate all accounts (Local),f8aab3dd-5990-4bf8-b8ab-2226c951696f,sh
 discovery,T1087.001,Account Discovery: Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
 discovery,T1087.001,Account Discovery: Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -852,6 +852,7 @@ discovery,T1087.002,Account Discovery: Domain Account,13,Enumerate Linked Polici
 discovery,T1087.002,Account Discovery: Domain Account,14,Enumerate Root Domain linked policies Discovery,00c652e2-0750-4ca6-82ff-0204684a6fe4,powershell
 discovery,T1087.002,Account Discovery: Domain Account,15,WinPwn - generaldomaininfo,ce483c35-c74b-45a7-a670-631d1e69db3d,powershell
 discovery,T1087.002,Account Discovery: Domain Account,16,Kerbrute - userenum,f450461c-18d1-4452-9f0d-2c42c3f08624,powershell
+discovery,T1087.002,Account Discovery: Domain Account,17,Wevtutil - Discover NTLM Users Remote,b8a563d4-a836-4993-a74e-0a19b8481bfe,powershell
 discovery,T1087.001,Account Discovery: Local Account,8,Enumerate all accounts on Windows (Local),80887bec-5a9b-4efc-a81d-f83eb2eb32ab,command_prompt
 discovery,T1087.001,Account Discovery: Local Account,9,Enumerate all accounts via PowerShell (Local),ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b,powershell
 discovery,T1087.001,Account Discovery: Local Account,10,Enumerate logged on users via CMD (Local),a138085e-bfe5-46ba-a242-74a6fb884af3,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -1915,6 +1915,7 @@
   - Atomic Test #14: Enumerate Root Domain linked policies Discovery [windows]
   - Atomic Test #15: WinPwn - generaldomaininfo [windows]
   - Atomic Test #16: Kerbrute - userenum [windows]
+  - Atomic Test #17: Wevtutil - Discover NTLM Users Remote [windows]
 - T1063 Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
   - Atomic Test #1: Enumerate all accounts (Local) [linux]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -1389,6 +1389,7 @@
   - Atomic Test #14: Enumerate Root Domain linked policies Discovery [windows]
   - Atomic Test #15: WinPwn - generaldomaininfo [windows]
   - Atomic Test #16: Kerbrute - userenum [windows]
+  - Atomic Test #17: Wevtutil - Discover NTLM Users Remote [windows]
 - T1063 Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
   - Atomic Test #8: Enumerate all accounts on Windows (Local) [windows]

atomics/Indexes/index.yaml

@@ -84975,6 +84975,29 @@ discovery:
           cd $env:temp
           .\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} $env:TEMP\username.txt
         name: powershell
+    - name: Wevtutil - Discover NTLM Users Remote
+      auto_generated_guid: b8a563d4-a836-4993-a74e-0a19b8481bfe
+      description: "This test discovers users who have authenticated against a Domain
+        Controller via NTLM. \nThis is done remotely via wmic and captures the event
+        code 4776 from the domain controller and stores the ouput in C:\\temp. [Reference](https://www.reliaquest.com/blog/socgholish-fakeupdates/)\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        Domain:
+          description: Domain that is being tested against
+          type: string
+          default: "$env:USERDOMAIN"
+        DomainController:
+          description: Domain Controller that is being tested against
+          type: string
+          default: "$env:UserDnsDomain"
+      executor:
+        command: wmic /node:$env:UserDnsDomain process call create 'wevtutil epl Security
+          C:\Temp\ntlmusers.evtx /q:Event[System[(EventID=4776)]]'
+        cleanup_command: 'Remove-Item C:\Temp\ntlmusers.evtx
+
+          '
+        name: powershell
   T1063:
     technique:
       x_mitre_platforms:

atomics/Indexes/windows-index.yaml

@@ -74355,6 +74355,29 @@ discovery:
           cd $env:temp
           .\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} $env:TEMP\username.txt
         name: powershell
+    - name: Wevtutil - Discover NTLM Users Remote
+      auto_generated_guid: b8a563d4-a836-4993-a74e-0a19b8481bfe
+      description: "This test discovers users who have authenticated against a Domain
+        Controller via NTLM. \nThis is done remotely via wmic and captures the event
+        code 4776 from the domain controller and stores the ouput in C:\\temp. [Reference](https://www.reliaquest.com/blog/socgholish-fakeupdates/)\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        Domain:
+          description: Domain that is being tested against
+          type: string
+          default: "$env:USERDOMAIN"
+        DomainController:
+          description: Domain Controller that is being tested against
+          type: string
+          default: "$env:UserDnsDomain"
+      executor:
+        command: wmic /node:$env:UserDnsDomain process call create 'wevtutil epl Security
+          C:\Temp\ntlmusers.evtx /q:Event[System[(EventID=4776)]]'
+        cleanup_command: 'Remove-Item C:\Temp\ntlmusers.evtx
+
+          '
+        name: powershell
   T1063:
     technique:
       x_mitre_platforms:

atomics/T1087.002/T1087.002.md

@@ -38,6 +38,8 @@ Commands such as <code>net user /domain</code> and <code>net group /domain</code
 
 - [Atomic Test #16 - Kerbrute - userenum](#atomic-test-16---kerbrute---userenum)
 
+- [Atomic Test #17 - Wevtutil - Discover NTLM Users Remote](#atomic-test-17---wevtutil---discover-ntlm-users-remote)
+
 
 <br/>
 
@@ -658,4 +660,43 @@ invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/at
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #17 - Wevtutil - Discover NTLM Users Remote
+This test discovers users who have authenticated against a Domain Controller via NTLM. 
+This is done remotely via wmic and captures the event code 4776 from the domain controller and stores the ouput in C:\temp. [Reference](https://www.reliaquest.com/blog/socgholish-fakeupdates/)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** b8a563d4-a836-4993-a74e-0a19b8481bfe
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| Domain | Domain that is being tested against | string | $env:USERDOMAIN|
+| DomainController | Domain Controller that is being tested against | string | $env:UserDnsDomain|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+wmic /node:$env:UserDnsDomain process call create 'wevtutil epl Security C:\Temp\ntlmusers.evtx /q:Event[System[(EventID=4776)]]'
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item C:\Temp\ntlmusers.evtx
+```
+
+
+
+
+
 <br/>