Description
Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records (Account Discovery), security or vulnerable software (Software Discovery), or hosts within a compromised network (Remote System Discovery).
Host binaries may be leveraged to collect system logs. Examples include using wevtutil.exe or PowerShell on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s CollectGuestLogs.exe to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console)
Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.
In addition to gaining a better understanding of the environment, adversaries may also monitor logs in real time to track incident response procedures. This may allow them to adjust their techniques in order to maintain persistence or evade defenses.(Citation: Permiso GUI-Vil 2023)
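As an added defender-side example (not part of the ATT&CK entry), the following Python rule runs over constructed process-creation records and flags the host utilities named above (wevtutil.exe, PowerShell Get-EventLog/Get-WinEvent against the Security or System log, and the Azure agent's CollectGuestLogs.exe), escalating when the account is outside a hypothetical allow-list of accounts permitted to read sensitive logs; the record layout, account names and the CollectGuestLogs.exe path are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Host tooling the page names for reading or exporting event logs.
LOG_READERS = {"wevtutil.exe", "collectguestlogs.exe"}
PS_LOG_CMDLETS = re.compile(r"\bGet-(?:EventLog|WinEvent)\b", re.IGNORECASE)
SENSITIVE_LOGS = re.compile(r"\b(?:Security|System)\b", re.IGNORECASE)
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Accounts permitted to touch sensitive logs (M1018); hypothetical names.
ALLOWED_LOG_READERS = {"corp\\siem-admin", "nt authority\\system"}

# Constructed process-creation records in a key=value layout; not real telemetry.
SAMPLE_EVENTS = [
    'user=CORP\\svc-backup image=C:\\Windows\\System32\\wevtutil.exe cmdline="wevtutil epl Security C:\\Temp\\sec.evtx"',
    'user=CORP\\alice image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell Get-EventLog security -Newest 500"',
    'user=CORP\\siem-admin image=C:\\Windows\\System32\\wevtutil.exe cmdline="wevtutil qe Security /c:10"',
    'user=CORP\\bob image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe notes.txt"',
    'user="NT AUTHORITY\\SYSTEM" image=C:\\AGENT_DIR_PLACEHOLDER\\CollectGuestLogs.exe cmdline="CollectGuestLogs.exe"',
]

def parse_record(line):
    """Turn one key=value record into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def classify(record, allowed_users):
    """Return an alert dict when the record shows log enumeration, else None."""
    image = PureWindowsPath(record.get("image", "")).name.lower()
    cmdline = record.get("cmdline", "")
    user = record.get("user", "")
    if image in LOG_READERS:
        tool = image
    else:
        cmdlet = PS_LOG_CMDLETS.search(cmdline)
        if not (cmdlet and SENSITIVE_LOGS.search(cmdline)):
            return None  # ordinary process, nothing to report
        tool = cmdlet.group(0)
    # Bulk export (wevtutil epl) is the precursor to shipping logs off-host.
    exported = bool(re.search(r"\bepl\b", cmdline, re.IGNORECASE))
    # Permitted account -> informational; anyone else -> investigate.
    severity = "info" if user.lower() in allowed_users else "high"
    return {"user": user, "tool": tool, "export": exported, "severity": severity}

def scan(lines, allowed_users=ALLOWED_LOG_READERS):
    """Run the rule over a batch of records and keep only the hits."""
    alerts = (classify(parse_record(line), allowed_users) for line in lines)
    return [alert for alert in alerts if alert is not None]
```

Running `scan(SAMPLE_EVENTS)` yields four alerts: two high (the unlisted accounts exporting and reading the Security log) and two informational.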
Platforms
Mitigations (1)
User Account Management (M1018)
Limit the ability to access and export sensitive logs to privileged accounts where possible.
Threat Groups (5)
| ID | Group | Context |
|---|---|---|
| G1023 | APT5 | [APT5](https://attack.mitre.org/groups/G1023) has used the BLOODMINE utility to parse and extract information from Pulse Secure Connect logs.(Citation... |
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) has enumerated SECURITY and SYSTEM log files during intrusions.(Citation: CISA GRU29155 2024) |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has used `wevtutil.exe` and the PowerShell command `Get-EventLog security` to enumerate Windows ... |
| G0143 | Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) enumerated logs related to authentication in Linux environments prior to deleting selective ent... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has used [Wevtutil](https://attack.mitre.org/software/S0645) to gather Windows Security Event L... |
Associated Software (5)
| ID | Name | Type | Context |
|---|---|---|---|
| S1246 | BeaverTail | Malware | [BeaverTail](https://attack.mitre.org/software/S1246) has identified .ldb and .log files stored in browser extension directories for collection and ex... |
| S1091 | Pacu | Tool | [Pacu](https://attack.mitre.org/software/S1091) can collect CloudTrail event histories and CloudWatch logs.(Citation: GitHub Pacu) |
| S1191 | Megazord | Malware | [Megazord](https://attack.mitre.org/software/S1191) has the ability to print the trace, debug, error, info, and warning logs.(Citation: Palo Alto Howl... |
| S1194 | Akira _v2 | Malware | [Akira _v2](https://attack.mitre.org/software/S1194) can enumerate the trace, debug, error, info, and warning logs on targeted systems.(Citation: Cisc... |
| S1159 | DUSTTRAP | Malware | [DUSTTRAP](https://attack.mitre.org/software/S1159) can identify infected system log information.(Citation: Google Cloud APT41 2024) |
References
- Ian Ahl. (2023, May 22). Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor. Retrieved August 30, 2024.
- Mandiant Intelligence. (2023, May 16). SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack. Retrieved June 2, 2023.
- Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.
- Ruohonen, S. & Robinson, S. (2023, February 2). No Pineapple! - DPRK Targeting of Medical Research and Technology Sector. Retrieved July 10, 2023.
Frequently Asked Questions
What is T1654 (Log Enumeration)?
T1654 is a MITRE ATT&CK technique named 'Log Enumeration'. It belongs to the Discovery tactic. Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Disco...
How can T1654 be detected?
Detection of T1654 (Log Enumeration) typically involves monitoring process-creation and command-line telemetry for the host utilities described above (wevtutil.exe, PowerShell `Get-EventLog`, the Azure VM Agent's CollectGuestLogs.exe), access to centralized logging infrastructure such as SIEMs, and bulk log exports to external infrastructure. Use SIEM rules, EDR solutions, and behavioral analytics to identify this activity, paying particular attention to accounts that are not expected to read or export sensitive logs.
What mitigations exist for T1654?
There is 1 documented mitigation for T1654: User Account Management (M1018), which limits the ability to access and export sensitive logs to privileged accounts.
Which threat groups use T1654?
Known threat groups using T1654 include: APT5, Ember Bear, Volt Typhoon, Aquatic Panda, Mustang Panda.