T1654 - Log Enumeration

Description from ATT&CK (opens in a new tab)

Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records (Account Discovery (opens in a new tab)), security or vulnerable software (Software Discovery (opens in a new tab)), or hosts within a compromised network (Remote System Discovery (opens in a new tab)).

Host binaries may be leveraged to collect system logs. Examples include using wevtutil.exe or PowerShell (opens in a new tab) on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s CollectGuestLogs.exe to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console)

Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.

In addition to gaining a better understanding of the environment, adversaries may also monitor logs in real time to track incident response procedures. This may allow them to adjust their techniques in order to maintain persistence or evade defenses.(Citation: Permiso GUI-Vil 2023)

Atomic Tests

Atomic Test #1 - Get-EventLog To Enumerate Windows Security Log

Uses the built-in PowerShell commandlet Get-EventLog to search for 'SYSTEM' keyword and saves results to a text file.

This technique was observed in a TheDFIRReport case (opens in a new tab) where the threat actor enumerated the Windows Security audit log to determine user accounts and associated IPv4 addresses.

Successful execution will save matching log events to the users temp folder.

Supported Platforms: Windows

auto_generated_guid: a9030b20-dd4b-4405-875e-3462c6078fdc

Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

powershell -c {get-eventlog 'Security' | where {$_.Message -like '*SYSTEM*'} | export-csv $env:temp\T1654_events.txt}

Cleanup Commands:

powershell -c "remove-item $env:temp\T1654_events.txt -ErrorAction Ignore"

Atomic Test #2 - Enumerate Windows Security Log via WevtUtil

WevtUtil is a command line tool that can be utilised by adversaries to gather intelligence on a targeted Windows system's logging infrastructure.

By executing this command, malicious actors can enumerate all available event logs, including both default logs such as Application, Security, and System as well as any custom logs created by administrators.

This information provides valuable insight into the system's logging mechanisms, potentially allowing attackers to identify gaps or weaknesses in the logging configuration

Supported Platforms: Windows

auto_generated_guid: fef0ace1-3550-4bf1-a075-9fea55a778dd

Attack Commands: Run with `command_prompt`!

wevtutil enum-logs

T1652