Log Enumeration

Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records (Account Discovery), security or vulnerable software (Software Discovery), or hosts within a compromised network (Remote System Discovery).

Host binaries may be leveraged to collect system logs. Examples include using wevtutil.exe or PowerShell on Windows to access and/or export security event information.[1][2] In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s CollectGuestLogs.exe to collect security logs from cloud hosted infrastructure.[3]

Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.

ID: T1654
Sub-techniques:  No sub-techniques
Tactic: Discovery
Platforms: IaaS, Linux, Windows, macOS
Contributors: Bilal Bahadır Yenici
Version: 1.0
Created: 10 July 2023
Last Modified: 30 September 2023

Procedure Examples

ID Name Description
G1023 APT5

APT5 has used the BLOODMINE utility to parse and extract information from Pulse Secure Connect logs.[4]

S1091 Pacu

Pacu can collect CloudTrail event histories and CloudWatch logs.[5]

G1017 Volt Typhoon

Volt Typhoon has used wevtutil.exe and the PowerShell command Get-EventLog security to enumerate Windows logs to search for successful logons.[6]


ID Mitigation Description
M1018 User Account Management

Limit the ability to access and export sensitive logs to privileged accounts where possible.


ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor for the use of commands and arguments of utilities and other tools used to access and export logs.

DS0022 File File Access

Monitor for access to system and service log files, especially from unexpected and abnormal users.

DS0009 Process Process Creation

Monitor for unexpected process activity associated with utilities that can access and export logs, such as wevutil.exe on Windows and CollectGuestLogs.exe on Azure hosted VMs.