T1654 - Log Enumeration

Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records (Account Discovery), security or vulnerable software (Software Discovery), or hosts within a compromised network (Remote System Discovery).

Host binaries may be leveraged to collect system logs. Examples include using wevtutil.exe or PowerShell on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s CollectGuestLogs.exe to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console)

Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.

Atomic Tests

Atomic Test #1 - Get-EventLog To Enumerate Windows Security LogUses the built-in PowerShell commandlet Get-EventLog to search for ‘SYSTEM’ keyword and saves results to a text file.

This technique was observed in a TheDFIRReport case where the threat actor enumerated the Windows Security audit log to determine user accounts and associated IPv4 addresses.

Successful execution will save matching log events to the users temp folder.Supported Platforms: windows Elevation Required (e.g. root or admin)#### Attack Commands: Run with powershell

powershell -c "get-eventlog 'Security' | where {$_.Message -like '*SYSTEM*'} | export-csv $env:temp\T1654_events.txt"```

Invoke-AtomicTest T1654 -TestNumbers 1

Cleanup:

powershell -c "remove-item $env:temp\T1654_events.txt -ErrorAction Ignore"```

Invoke-AtomicTest T1654 -TestNumbers 1 -Cleanup