Generated docs from job=generate-docs branch=master [ci skip]

redcanaryco · Feb 26, 2024 · 5aef5da · 5aef5da
1 parent 05fc04f
commit 5aef5da
Show file tree

Hide file tree

Showing 9 changed files with 69 additions and 2 deletions.
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
@@ -1724,6 +1724,7 @@ discovery,T1049,System Network Connections Discovery,3,"System Network Connectio
 discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
 discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh
 discovery,T1654,Log Enumeration,1,Get-EventLog To Enumerate Windows Security Log,a9030b20-dd4b-4405-875e-3462c6078fdc,powershell
+discovery,T1654,Log Enumeration,2,Enumerate Windows Security Log via WevtUtil,fef0ace1-3550-4bf1-a075-9fea55a778dd,command_prompt
 discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
 discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
 discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell

diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -1140,6 +1140,7 @@ discovery,T1049,System Network Connections Discovery,1,System Network Connection
 discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
 discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
 discovery,T1654,Log Enumeration,1,Get-EventLog To Enumerate Windows Security Log,a9030b20-dd4b-4405-875e-3462c6078fdc,powershell
+discovery,T1654,Log Enumeration,2,Enumerate Windows Security Log via WevtUtil,fef0ace1-3550-4bf1-a075-9fea55a778dd,command_prompt
 discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
 discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell
 discovery,T1057,Process Discovery,4,Process Discovery - get-wmiObject,b51239b4-0129-474f-a2b4-70f855b9f2c2,powershell

diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
@@ -2381,6 +2381,7 @@
   - Atomic Test #1: AWS S3 Enumeration [iaas:aws]
 - [T1654 Log Enumeration](../../T1654/T1654.md)
   - Atomic Test #1: Get-EventLog To Enumerate Windows Security Log [windows]
+  - Atomic Test #2: Enumerate Windows Security Log via WevtUtil [windows]
 - T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1057 Process Discovery](../../T1057/T1057.md)
   - Atomic Test #1: Process Discovery - ps [linux, macos]

diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -1651,6 +1651,7 @@
 - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1654 Log Enumeration](../../T1654/T1654.md)
   - Atomic Test #1: Get-EventLog To Enumerate Windows Security Log [windows]
+  - Atomic Test #2: Enumerate Windows Security Log via WevtUtil [windows]
 - [T1057 Process Discovery](../../T1057/T1057.md)
   - Atomic Test #2: Process Discovery - tasklist [windows]
   - Atomic Test #3: Process Discovery - Get-Process [windows]

diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
@@ -97822,6 +97822,20 @@ discovery:
           Ignore"
         name: powershell
         elevation_required: true
+    - name: Enumerate Windows Security Log via WevtUtil
+      auto_generated_guid: fef0ace1-3550-4bf1-a075-9fea55a778dd
+      description: "WevtUtil is a command line tool that can be utilised by adversaries
+        to gather intelligence on a targeted Windows system's logging infrastructure.
+        \n\nBy executing this command, malicious actors can enumerate all available
+        event logs, including both default logs such as Application, Security, and
+        System\nas well as any custom logs created by administrators. \n\nThis information
+        provides valuable insight into the system's logging mechanisms, potentially
+        allowing attackers to identify gaps or weaknesses in the logging configuration"
+      supported_platforms:
+      - windows
+      executor:
+        command: wevtutil enum-logs
+        name: command_prompt
   T1087.004:
     technique:
       x_mitre_platforms:

diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml
@@ -79723,6 +79723,20 @@ discovery:
           Ignore"
         name: powershell
         elevation_required: true
+    - name: Enumerate Windows Security Log via WevtUtil
+      auto_generated_guid: fef0ace1-3550-4bf1-a075-9fea55a778dd
+      description: "WevtUtil is a command line tool that can be utilised by adversaries
+        to gather intelligence on a targeted Windows system's logging infrastructure.
+        \n\nBy executing this command, malicious actors can enumerate all available
+        event logs, including both default logs such as Application, Security, and
+        System\nas well as any custom logs created by administrators. \n\nThis information
+        provides valuable insight into the system's logging mechanisms, potentially
+        allowing attackers to identify gaps or weaknesses in the logging configuration"
+      supported_platforms:
+      - windows
+      executor:
+        command: wevtutil enum-logs
+        name: command_prompt
   T1087.004:
     technique:
       x_mitre_platforms:

diff --git a/atomics/T1654/T1654.md b/atomics/T1654/T1654.md
@@ -10,6 +10,8 @@ Adversaries may also target centralized logging infrastructure such as SIEMs. Lo
 
 - [Atomic Test #1 - Get-EventLog To Enumerate Windows Security Log](#atomic-test-1---get-eventlog-to-enumerate-windows-security-log)
 
+- [Atomic Test #2 - Enumerate Windows Security Log via WevtUtil](#atomic-test-2---enumerate-windows-security-log-via-wevtutil)
+
 
 <br/>
 
@@ -47,4 +49,37 @@ powershell -c "remove-item $env:temp\T1654_events.txt -ErrorAction Ignore"
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Enumerate Windows Security Log via WevtUtil
+WevtUtil is a command line tool that can be utilised by adversaries to gather intelligence on a targeted Windows system's logging infrastructure. 
+
+By executing this command, malicious actors can enumerate all available event logs, including both default logs such as Application, Security, and System
+as well as any custom logs created by administrators. 
+
+This information provides valuable insight into the system's logging mechanisms, potentially allowing attackers to identify gaps or weaknesses in the logging configuration
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** fef0ace1-3550-4bf1-a075-9fea55a778dd
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+wevtutil enum-logs
+```
+
+
+
+
+
+
 <br/>