Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records (Account Discovery), security or vulnerable software (Software Discovery), or hosts within a compromised network (Remote System Discovery).
Host binaries may be leveraged to collect system logs. Examples include using wevtutil.exe or PowerShell on Windows to access and/or export security event information.[1][2] In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s CollectGuestLogs.exe to collect security logs from cloud hosted infrastructure.[3]
Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.
In addition to gaining a better understanding of the environment, adversaries may also monitor logs in real time to track incident response procedures. This may allow them to adjust their techniques in order to maintain persistence or evade defenses.[4]
| ID | Name | Description |
|---|---|---|
| S1194 | Akira _v2 | Akira _v2 can enumerate the trace, debug, error, info, and warning logs on targeted systems.[5][6] |
| G1023 | APT5 | APT5 has used the BLOODMINE utility to parse and extract information from Pulse Secure Connect logs.[7] |
| G0143 | Aquatic Panda | Aquatic Panda enumerated logs related to authentication in Linux environments prior to deleting selective entries for defense evasion purposes.[8] |
| S1246 | BeaverTail | BeaverTail has identified .ldb and .log files stored in browser extension directories for collection and exfiltration.[9] |
| S1159 | DUSTTRAP | |
| G1003 | Ember Bear | Ember Bear has enumerated SECURITY and SYSTEM log files during intrusions.[11] |
| S1191 | Megazord | Megazord has the ability to print the trace, debug, error, info, and warning logs.[6] |
| G0129 | Mustang Panda | Mustang Panda has used Wevtutil to gather Windows Security Event Logs.[12] |
| S1091 | Pacu | Pacu can collect CloudTrail event histories and CloudWatch logs.[13] |
| G1017 | Volt Typhoon | Volt Typhoon has used |

| ID | Mitigation | Description |
|---|---|---|
| M1018 | User Account Management | Limit the ability to access and export sensitive logs to privileged accounts where possible. |

| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0255 | Detection Strategy for Log Enumeration | AN0705 | Monitor for use of native utilities such as wevtutil.exe or PowerShell cmdlets (Get-WinEvent, Get-EventLog) to enumerate or export logs. Unusual access to security or system event channels, especially by non-administrative users or processes, should be correlated with subsequent file export or network transfer activity. |
| | | AN0706 | Monitor for suspicious use of commands such as cat, less, grep, or journalctl accessing /var/log/ files. Abnormal enumeration of authentication logs (auth.log, secure) or bulk access to multiple logs in short time windows should be flagged. |
| | | AN0707 | Detect abnormal access to unified logs via log show or fs_usage targeting system log files. Monitor for execution of shell utilities (cat, grep) against /var/log/system.log and for plist modifications enabling verbose logging. |
| | | AN0708 | Monitor for cloud API calls that export or collect guest or system logs. Abnormal use of Azure VM Agent’s CollectGuestLogs.exe or AWS CloudWatch GetLogEvents across multiple instances should be correlated with lateral movement or data staging. |
| | | AN0709 | Monitor ESXi shell or API access to host logs under /var/log/. Abnormal enumeration of vmkernel.log, hostd.log, or vpxa.log by unauthorized accounts should be flagged. |
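The following is an added example, not part of the ATT&CK page and not an official MITRE analytic implementation, showing how the Windows (AN0705) and Linux (AN0706) analytics above can be expressed as detection logic over process-creation telemetry. It assumes events have already been normalized to (timestamp, host, user, is_admin, command line) tuples; the event records, hostnames and usernames below are constructed sample data. Two rules are implemented: wevtutil/Get-WinEvent/Get-EventLog run by a non-administrative account, and a burst of reads against three or more distinct log sources by one user on one host within a short window.

```python
"""Detection logic for log-enumeration activity (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events in a simplified, normalized form:
# (timestamp, host, user, is_admin, command line). Sample data, not real telemetry.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:01", "ws01", "alice", False, "notepad.exe report.txt"),
    ("2024-05-01T10:00:05", "ws01", "alice", False, "wevtutil.exe qe Security /c:5000 /f:text"),
    ("2024-05-01T10:00:09", "ws01", "alice", False, 'powershell.exe -c "Get-WinEvent -LogName Security"'),
    ("2024-05-01T10:05:00", "ws02", "svc-backup", True, "wevtutil.exe epl System C:\\backup\\sys.evtx"),
    ("2024-05-01T11:00:00", "lx01", "bob", False, "cat /var/log/auth.log"),
    ("2024-05-01T11:00:02", "lx01", "bob", False, "grep sshd /var/log/secure"),
    ("2024-05-01T11:00:04", "lx01", "bob", False, "less /var/log/syslog"),
    ("2024-05-01T11:00:05", "lx01", "bob", False, "journalctl -u sshd --no-pager"),
    ("2024-05-01T12:30:00", "lx02", "carol", False, "tail -n 20 /var/log/nginx/access.log"),
]

# Windows: wevtutil query/export/get-log/clear-log verbs and the two PowerShell cmdlets.
WIN_LOG_TOOL = re.compile(
    r"\b(wevtutil(?:\.exe)?\s+(?:qe|epl|gl|el)|Get-WinEvent|Get-EventLog)\b", re.I)
# Event channel named after a wevtutil verb or after -LogName.
WIN_CHANNEL = re.compile(r"(?:-LogName\s+|\b(?:qe|epl|gl)\s+)([A-Za-z-]+)", re.I)
# Linux: common read utilities followed by a path under /var/log/.
NIX_LOG_READ = re.compile(r"\b(?:cat|less|more|grep|tail|head|awk)\b.*?(/var/log/\S+)", re.I)
JOURNALCTL = re.compile(r"\bjournalctl\b")


def log_targets(cmd):
    """Return the set of log sources a command line reads or exports (empty if none)."""
    targets = set()
    if WIN_LOG_TOOL.search(cmd):
        channels = {c.lower() for c in WIN_CHANNEL.findall(cmd)}
        # Tool seen but channel not parsed: still record the access generically.
        targets.update(channels or {"windows-eventlog"})
    targets.update(p.lower() for p in NIX_LOG_READ.findall(cmd))
    if JOURNALCTL.search(cmd):
        targets.add("journald")
    return targets


def detect(events, window_seconds=60, bulk_threshold=3):
    """Apply both rules to an event stream and return a list of alert dicts."""
    alerts = []
    recent = defaultdict(list)  # (host, user) -> [(timestamp, log source), ...]
    for ts_str, host, user, is_admin, cmd in events:
        targets = log_targets(cmd)
        if not targets:
            continue
        ts = datetime.fromisoformat(ts_str)
        # Rule 1 (AN0705): event log tooling run by a non-administrative account.
        if WIN_LOG_TOOL.search(cmd) and not is_admin:
            alerts.append({"rule": "non-admin-eventlog-access",
                           "host": host, "user": user, "cmd": cmd})
        # Rule 2 (AN0706): many distinct log sources touched inside one sliding window.
        key = (host, user)
        cutoff = ts - timedelta(seconds=window_seconds)
        recent[key] = [(t, x) for t, x in recent[key] if t >= cutoff]
        recent[key].extend((ts, x) for x in targets)
        distinct = {x for _, x in recent[key]}
        if len(distinct) >= bulk_threshold:
            alerts.append({"rule": "bulk-log-access",
                           "host": host, "user": user, "logs": sorted(distinct)})
            recent[key].clear()  # one alert per burst, then start counting again
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this raises two alerts for the non-administrative wevtutil and Get-WinEvent executions on ws01 and one bulk-access alert for the three /var/log reads on lx01; the administrative export on ws02 and the single nginx log read on lx02 produce nothing. In production the window and threshold should be tuned against the baseline of legitimate administrative and monitoring activity, and the alerts correlated with subsequent file-export or network-transfer events as the analytic suggests.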