Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records (Account Discovery), security or vulnerable software (Software Discovery), or hosts within a compromised network (Remote System Discovery).
Host binaries may be leveraged to collect system logs. Examples include using wevtutil.exe or PowerShell on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s CollectGuestLogs.exe to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console)
Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.
In addition to gaining a better understanding of the environment, adversaries may also monitor logs in real time to track incident response procedures. This may allow them to adjust their techniques in order to maintain persistence or evade defenses.(Citation: Permiso GUI-Vil 2023)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1654 | Log Enumeration |
Comments
This diagnostic statement protects against Log Enumeration through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-02 | Account Management | mitigates | T1654 | Log Enumeration | |
| AC-04 | Information Flow Enforcement | mitigates | T1654 | Log Enumeration | |
| AC-03 | Access Enforcement | mitigates | T1654 | Log Enumeration | |
| AC-06 | Least Privilege | mitigates | T1654 | Log Enumeration |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1654 | Log Enumeration | |
| action.hacking.variety.Profile host | Enumerating the state of the current host | related-to | T1654 | Log Enumeration |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1654 | Log Enumeration |
Comments
This capability can detect if commands associated with log enumeration (such as wevutil.exe on Windows and CollectGuestLogs.exe on Azure hosted VMs) are executed.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1654 | Log Enumeration |
Comments
Google Security Operations is able to trigger alerts based off use of utilities used to enumerate logs (like wevutil.exe).
References
|
| identity_and_access_management | Identity and Access Management | technique_scores | T1654 | Log Enumeration |
Comments
IAM can be configured to minimize permissions to users and prevent unnecessary access to logs.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| aws_cloudwatch | AWS CloudWatch | technique_scores | T1654 | Log Enumeration |
Comments
CloudWatch can be configured to alarm for monitoring the "aws-collect-system-logs" command which could detect this technique. However, this command is often used for diagnostics and may lead to false positives.
References
|