Atomic Red Team GUID generator
34 lines
1.8 KiB
YAML
34 lines
1.8 KiB
YAML
attack_technique: T1654
|
|
display_name: "Log Enumeration"
|
|
atomic_tests:
|
|
- name: Get-EventLog To Enumerate Windows Security Log
|
|
auto_generated_guid: a9030b20-dd4b-4405-875e-3462c6078fdc
|
|
description: |-
|
|
Uses the built-in PowerShell commandlet Get-EventLog to search for 'SYSTEM' keyword and saves results to a text file.
|
|
|
|
This technique was observed in a [TheDFIRReport case](https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/)
|
|
where the threat actor enumerated the Windows Security audit log to determine user accounts and associated IPv4 addresses.
|
|
|
|
Successful execution will save matching log events to the users temp folder.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: powershell -c {get-eventlog 'Security' | where {$_.Message -like '*SYSTEM*'} | export-csv $env:temp\T1654_events.txt}
|
|
cleanup_command: powershell -c "remove-item $env:temp\T1654_events.txt -ErrorAction Ignore"
|
|
name: powershell
|
|
elevation_required: true
|
|
- name: Enumerate Windows Security Log via WevtUtil
|
|
auto_generated_guid: fef0ace1-3550-4bf1-a075-9fea55a778dd
|
|
description: |-
|
|
WevtUtil is a command line tool that can be utilised by adversaries to gather intelligence on a targeted Windows system's logging infrastructure.
|
|
|
|
By executing this command, malicious actors can enumerate all available event logs, including both default logs such as Application, Security, and System
|
|
as well as any custom logs created by administrators.
|
|
|
|
This information provides valuable insight into the system's logging mechanisms, potentially allowing attackers to identify gaps or weaknesses in the logging configuration
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: wevtutil enum-logs
|
|
name: command_prompt
|