Log Enumeration

Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records (Account Discovery), security or vulnerable software (Software Discovery), or hosts within a compromised network (Remote System Discovery).

Host binaries may be leveraged to collect system logs. Examples include using wevtutil.exe or PowerShell on Windows to access and/or export security event information.[1][2] In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s CollectGuestLogs.exe to collect security logs from cloud-hosted infrastructure.[3]

Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.

In addition to gaining a better understanding of the environment, adversaries may also monitor logs in real time to track incident response procedures. This may allow them to adjust their techniques in order to maintain persistence or evade defenses.[4]

ID: T1654
Sub-techniques: No sub-techniques
Tactic: Discovery
Platforms: IaaS, Linux, Windows, macOS
Contributors: Bilal Bahadır Yenici; Menachem Goldstein
Version: 1.1
Created: 10 July 2023
Last Modified: 15 October 2024

Procedure Examples

ID Name Description
G1023 APT5

APT5 has used the BLOODMINE utility to parse and extract information from Pulse Secure Connect logs.[5]

G0143 Aquatic Panda

Aquatic Panda enumerated authentication-related logs in Linux environments before selectively deleting entries for defense evasion purposes.[6]

S1159 DUSTTRAP

DUSTTRAP can identify log information on infected systems.[7]

G1003 Ember Bear

Ember Bear has enumerated SECURITY and SYSTEM log files during intrusions.[8]

S1091 Pacu

Pacu can collect CloudTrail event histories and CloudWatch logs.[9]

G1017 Volt Typhoon

Volt Typhoon has used wevtutil.exe and the PowerShell command Get-EventLog security to enumerate Windows logs to search for successful logons.[10][11]

Mitigations

ID Mitigation Description
M1018 User Account Management

Limit the ability to access and export sensitive logs to privileged accounts where possible.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor for the use of commands and arguments of utilities and other tools used to access and export logs.

DS0022 File File Access

Monitor for access to system and service log files, especially from unexpected and abnormal users.

DS0009 Process Process Creation

Monitor for unexpected process activity associated with utilities that can access and export logs, such as wevtutil.exe on Windows and CollectGuestLogs.exe on Azure-hosted VMs.
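The Command Execution, File Access and Process Creation detections above can be combined into a single rule set run over process-creation events. The following is an added example written for this page, not part of the ATT&CK content or any vendor product: it matches command lines for wevtutil query/export subcommands, the PowerShell event-log cmdlets (Get-EventLog from the page, plus the related Get-WinEvent), and CollectGuestLogs.exe, and suppresses hits from an allowlist of approved log-collection accounts so that the "unexpected and abnormal users" aspect of DS0022 is enforced. All event records and account names are constructed sample data.

```python
import re

# Detection rules for log access/export activity. Each rule is a name plus a
# case-insensitive regex applied to the process command line.
RULES = [
    # wevtutil query-events (qe) or export-log (epl) against any log
    ("wevtutil_query_or_export",
     re.compile(r"\bwevtutil(\.exe)?\s+(qe|query-events|epl|export-log)\b", re.I)),
    # PowerShell event-log cmdlets (Get-WinEvent added as a related cmdlet)
    ("powershell_eventlog_cmdlet", re.compile(r"\bGet-(EventLog|WinEvent)\b", re.I)),
    # Azure VM Agent log collector binary named on the page
    ("azure_collectguestlogs", re.compile(r"\bCollectGuestLogs\.exe\b", re.I)),
]

# Constructed sample process-creation events (fields loosely modelled on
# Sysmon Event ID 1 / Windows 4688 records). Not real telemetry.
SAMPLE_EVENTS = [
    {"user": "CORP\\svc-backup",
     "cmdline": "wevtutil.exe epl Security C:\\Temp\\sec.evtx"},
    {"user": "CORP\\jdoe",
     "cmdline": "powershell.exe -NoP -c \"Get-EventLog security | "
                "Where-Object {$_.EventID -eq 4624}\""},
    {"user": "CORP\\svc-siem",                      # approved collector account
     "cmdline": "wevtutil.exe qe Security /c:50 /f:text"},
    {"user": "CORP\\jdoe", "cmdline": "CollectGuestLogs.exe"},
    {"user": "CORP\\jdoe", "cmdline": "notepad.exe notes.txt"},  # benign
]


def detect(events, allowed_accounts=frozenset()):
    """Return one alert per event whose command line matches a rule and whose
    account is not an approved log-collection identity (case-insensitive)."""
    allowed = {a.lower() for a in allowed_accounts}
    alerts = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                if ev["user"].lower() not in allowed:
                    alerts.append({"rule": name, "user": ev["user"],
                                   "cmdline": ev["cmdline"]})
                break  # first matching rule decides; one alert at most per event
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, {"CORP\\svc-siem"}):
        print(f"[{alert['rule']}] {alert['user']}: {alert['cmdline']}")
```

Without the allowlist the approved collector's own wevtutil query would also alert, which is the noise that M1018-style restriction of log access to known privileged accounts helps to remove.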

References