New Atomic - T1654 Log Enumeration

atomics/T1654/T1654.yaml

@@ -0,0 +1,18 @@
+attack_technique: T1654
+display_name: "Log Enumeration"
+atomic_tests:
+- name: Get-EventLog To Enumerate Windows Security Log
+  description: |-
+    Uses the built-in PowerShell commandlet Get-EventLog to search for 'SYSTEM' keyword and saves results to a text file.
+
+    This technique was observed in a (TheDFIRReport case)[https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/] 
+    where the threat actor enumerated the Windows Security audit log to determine user accounts and associated IPv4 addresses.
+
+    Successful execution will save matching log events to the users temp folder.
+  supported_platforms:
+  - windows
+  executor:
+    command: powershell -c "get-eventlog 'Security' | where {$_.Message -like '*SYSTEM*'} | export-csv $env:temp\T1654_events.txt"
+    cleanup_command: powershell -c "remove-item $env:temp\T1654_events.txt -ErrorAction Ignore"
+    name: powershell
+    elevation_required: true