From 093ce0f0cc80d3e143d6f2fac6441d7e253ddac2 Mon Sep 17 00:00:00 2001
From: 0-etep <149734919+0-etep@users.noreply.github.com>
Date: Thu, 2 Nov 2023 23:18:51 +0000
Subject: [PATCH 1/4] Create T1654.yml

---
 atomics/T1654/T1654.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 atomics/T1654/T1654.yml

diff --git a/atomics/T1654/T1654.yml b/atomics/T1654/T1654.yml
new file mode 100644
index 0000000000..06b6174193
--- /dev/null
+++ b/atomics/T1654/T1654.yml
@@ -0,0 +1,19 @@
+attack_technique: T1654
+display_name: "Log Enumeration"
+atomic_tests:
+- name: Get-EventLog To Enumerate Windows Security Log
+ auto_generated_guid:
+ description: |-
+ Uses the built-in PowerShell commandlet Get-EventLog to search for 'SYSTEM' keyword and saves results to a text file.
+
+ Successful execution will save matching log events to the users temp folder.
+ supported_platforms:
+ - windows
+ input_arguments:
+ dependency_executor_name:
+ dependencies:
+ executor:
+ command: powershell -c "get-eventlog 'Security' | where {$_.Message -like '*SYSTEM*'} | export-csv $env:temp\T1654_events.txt"
+ cleanup_command: powershell -c "remove-item $env:temp\T1654_events.txt -ErrorAction Ignore"
+ name: powershell
+ elevation_required: true

From 7c0079032d997061d1a540bd3fafc02d8f584cb3 Mon Sep 17 00:00:00 2001
From: 0-etep <149734919+0-etep@users.noreply.github.com>
Date: Fri, 3 Nov 2023 07:29:45 +0000
Subject: [PATCH 2/4] Rename T1654.yml to T1654.yaml

---
 atomics/T1654/{T1654.yml => T1654.yaml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename atomics/T1654/{T1654.yml => T1654.yaml} (100%)

diff --git a/atomics/T1654/T1654.yml b/atomics/T1654/T1654.yaml
similarity index 100%
rename from atomics/T1654/T1654.yml
rename to atomics/T1654/T1654.yaml

From be71bac26e9049338eef584c04e9dca1147763e2 Mon Sep 17 00:00:00 2001
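Review bot: The `powershell -c "…"` wrapper on the `command:` and `cleanup_command:` lines is a double-quoted string, so when the `name: powershell` executor runs this as PowerShell code the outer shell expands `$_` (null outside a pipeline) before the inner process starts, and the inner filter becomes `where {.Message -like '*SYSTEM*'}`, which cannot evaluate the event message and should error rather than match. Since the executor is already PowerShell the nested process adds nothing; run the pipeline directly: `command: get-eventlog 'Security' | where {$_.Message -like '*SYSTEM*'} | export-csv $env:temp\T1654_events.txt` and `cleanup_command: remove-item $env:temp\T1654_events.txt -ErrorAction Ignore`. Separately, `export-csv` writes CSV while the path and description say text file; either name the output `T1654_events.csv` or say "CSV file" in the description so a reader checking the artifact is not misled. The empty `auto_generated_guid:`, `input_arguments:`, `dependency_executor_name:` and `dependencies:` keys are addressed by later patches in this series, so they need no further change here.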
From: Carrie Roberts
Date: Mon, 6 Nov 2023 16:52:39 -0500
Subject: [PATCH 3/4] add link to dfir report

---
 atomics/T1654/T1654.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/atomics/T1654/T1654.yaml b/atomics/T1654/T1654.yaml
index 06b6174193..a0b032d63f 100644
--- a/atomics/T1654/T1654.yaml
+++ b/atomics/T1654/T1654.yaml
@@ -2,10 +2,12 @@ attack_technique: T1654 display_name: "Log Enumeration" atomic_tests: - name: Get-EventLog To Enumerate Windows Security Log - auto_generated_guid: description: |- Uses the built-in PowerShell commandlet Get-EventLog to search for 'SYSTEM' keyword and saves results to a text file. + This technique was observed in a (TheDFIRReport case)[https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/] + where the threat actor enumerated the Windows Security audit log to determine user accounts and associated IPv4 addresses. + Successful execution will save matching log events to the users temp folder. supported_platforms: - windows

From a7361a0daceb854e7a0f49e9df296aea6f474471 Mon Sep 17 00:00:00 2001
From: Carrie Roberts
Date: Mon, 6 Nov 2023 19:22:32 -0500
Subject: [PATCH 4/4] Update T1654.yaml

---
 atomics/T1654/T1654.yaml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/atomics/T1654/T1654.yaml b/atomics/T1654/T1654.yaml
index a0b032d63f..631ed26394 100644
--- a/atomics/T1654/T1654.yaml
+++ b/atomics/T1654/T1654.yaml
@@ -11,9 +11,6 @@ atomic_tests: Successful execution will save matching log events to the users temp folder. supported_platforms: - windows - input_arguments: - dependency_executor_name: - dependencies: executor: command: powershell -c "get-eventlog 'Security' | where {$_.Message -like '*SYSTEM*'} | export-csv $env:temp\T1654_events.txt" cleanup_command: powershell -c "remove-item $env:temp\T1654_events.txt -ErrorAction Ignore"
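Review bot: The added description line in the patch 3/4 hunk writes the link as `(TheDFIRReport case)[https://…]`, which is reversed Markdown and will render as literal parentheses followed by a bracketed URL in the generated T1654.md. Swap the brackets: `This technique was observed in a [TheDFIRReport case](https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/)`. The attribution itself is useful since it names what the actor was after (user accounts and associated IPv4 addresses), which is the detection-relevant reason to keep this test.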