T1654 Log Enumeration Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let TimeWindow = 1d;
let SuspiciousParents = dynamic(["cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe"]);
DeviceProcessEvents
| where TimeGenerated > ago(TimeWindow)
| where (
    // wevtutil log enumeration and export
    (FileName =~ "wevtutil.exe" and ProcessCommandLine has_any ("qe ", "epl ", "query-events", "export-log", "gl ", "qel ", "get-log"))
    // PowerShell native log cmdlets
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-EventLog", "Get-WinEvent", "Get-WinEvent", "[System.Diagnostics.EventLog]"))
    // Azure VM Guest log collection
    or FileName =~ "CollectGuestLogs.exe"
)
| extend
    LogTarget = case(
        ProcessCommandLine has_any ("security", "Security"), "Security",
        ProcessCommandLine has_any ("system", "System"), "System",
        ProcessCommandLine has_any ("application", "Application"), "Application",
        ProcessCommandLine has_any ("powershell", "PowerShell"), "PowerShell Operational",
        ProcessCommandLine has "ForwardedEvents", "Forwarded Events",
        "Other"
    ),
    IsBulkExport = iff(
        ProcessCommandLine has_any ("epl", "export-log", "Out-File", "Export-Csv", "Set-Content", " > ", "Tee-Object"),
        true, false
    ),
    SuspiciousParent = iff(
        InitiatingProcessFileName in~ (SuspiciousParents),
        true, false
    ),
    RiskScore = case(
        ProcessCommandLine has_any ("epl", "export-log", "Out-File") and ProcessCommandLine has "security", 9,
        ProcessCommandLine has_any ("epl", "export-log", "Out-File"), 7,
        InitiatingProcessFileName in~ (SuspiciousParents), 8,
        ProcessCommandLine has "security", 6,
        true, 3
    )
| where RiskScore >= 3
| project
    TimeGenerated,
    DeviceName,
    AccountName,
    AccountDomain,
    FileName,
    ProcessCommandLine,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    LogTarget,
    IsBulkExport,
    SuspiciousParent,
    RiskScore
| order by RiskScore desc, TimeGenerated desc

medium severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

SIEM agents and log forwarders (e.g., Splunk Universal Forwarder, Elastic Winlogbeat) regularly query Windows event logs using wevtutil or WinAPI equivalents
IT operations teams and sysadmins running wevtutil.exe or Get-WinEvent during troubleshooting, capacity planning, or scheduled log archival
Backup and compliance solutions (e.g., Veeam, Commvault, Netwrix Auditor) that export Security and System logs as part of audit retention workflows
Azure Monitor Agent and Microsoft Monitoring Agent (MMA/AMA) using CollectGuestLogs.exe on cloud-hosted VMs as part of normal diagnostics
Vulnerability scanners and configuration management tools (e.g., Nessus, Qualys, SCCM) that enumerate event log state to assess system health

Splunk

spl

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| search (
    (Image="*\\wevtutil.exe" AND (CommandLine="*qe *" OR CommandLine="*epl *" OR CommandLine="*query-events*" OR CommandLine="*export-log*" OR CommandLine="*gl *" OR CommandLine="*qel *" OR CommandLine="*get-log*"))
    OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe") AND (CommandLine="*Get-EventLog*" OR CommandLine="*Get-WinEvent*" OR CommandLine="*[System.Diagnostics.EventLog]*"))
    OR Image="*\\CollectGuestLogs.exe"
  )
| eval log_target=case(
    like(lower(CommandLine), "%security%"), "Security",
    like(lower(CommandLine), "%system%"), "System",
    like(lower(CommandLine), "%application%"), "Application",
    like(lower(CommandLine), "%powershell%"), "PowerShell Operational",
    true(), "Other"
  )
| eval is_bulk_export=if(
    match(CommandLine, "(?i)(epl|export-log|Out-File|Export-Csv|Set-Content|Tee-Object|>\\s*[A-Za-z])"),
    "true", "false"
  )
| eval suspicious_parent=if(
    match(ParentImage, "(?i)(cmd\\.exe|wscript\\.exe|cscript\\.exe|mshta\\.exe|regsvr32\\.exe|rundll32\\.exe|msiexec\\.exe)"),
    "true", "false"
  )
| eval risk_score=case(
    (is_bulk_export="true" AND log_target="Security"), 9,
    (suspicious_parent="true"), 8,
    (is_bulk_export="true"), 7,
    (log_target="Security"), 6,
    true(), 3
  )
| where risk_score >= 3
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, log_target, is_bulk_export, suspicious_parent, risk_score
| sort - risk_score

medium severity medium confidence

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Log forwarder agents (Splunk UF, NXLog, Elastic Agent) will regularly generate wevtutil or PowerShell Get-WinEvent process creation events during normal log shipping
Windows Event Log backup scripts run by scheduled tasks under SYSTEM or service accounts during maintenance windows
Security monitoring and EDR products that use wevtutil or Windows Event Log API to collect telemetry from managed endpoints
Azure Monitor and Log Analytics agents using CollectGuestLogs.exe on Azure VMs as part of VM diagnostic extension activity
IT helpdesk staff running ad-hoc PowerShell sessions to retrieve event logs for user support or incident investigation

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or
  process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe")
) and (
  process.command_line : ("*t1654*", "*suspicious*") or
  process.args : ("*encoded*", "*bypass*", "*hidden*")
) and not process.code_signature.trusted == true

medium severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-system.security-*

False Positives

SIEM agents and log forwarders (e.g., Splunk Universal Forwarder, Elastic Winlogbeat) regularly query Windows event logs using wevtutil or WinAPI equivalents
IT operations teams and sysadmins running wevtutil.exe or Get-WinEvent during troubleshooting, capacity planning, or scheduled log archival
Backup and compliance solutions (e.g., Veeam, Commvault, Netwrix Auditor) that export Security and System logs as part of audit retention workflows

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    "CommandLine" AS CommandLine,
    "ParentProcessName" AS ParentProcess,
    "NewProcessName" AS ProcessName,
    CASE
        WHEN "CommandLine" ILIKE '%powershell%' AND "CommandLine" ILIKE '%-enc%' THEN 'EncodedCommand'
        WHEN "CommandLine" ILIKE '%bypass%' THEN 'ExecutionBypass'
        WHEN "CommandLine" ILIKE '%-noprofile%' THEN 'NoProfileExecution'
        ELSE 'SuspiciousProcess'
    END AS DetectionType,
    CASE
        WHEN "username" = 'SYSTEM' THEN 70
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND ("NewProcessName" ILIKE '%powershell.exe%'
        OR "NewProcessName" ILIKE '%cmd.exe%'
        OR "NewProcessName" ILIKE '%wscript.exe%'
        OR "NewProcessName" ILIKE '%cscript.exe%'
        OR "NewProcessName" ILIKE '%mshta.exe%')
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS

medium severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

SIEM agents and log forwarders (e.g., Splunk Universal Forwarder, Elastic Winlogbeat) regularly query Windows event logs using wevtutil or WinAPI equivalents
IT operations teams and sysadmins running wevtutil.exe or Get-WinEvent during troubleshooting, capacity planning, or scheduled log archival
Backup and compliance solutions (e.g., Veeam, Commvault, Netwrix Auditor) that export Security and System logs as part of audit retention workflows

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon EventCode=1
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| where process_cmdline matches /(-enc|-encodedcommand|-bypass|-hidden|invoke-expression|iex\s)/i
    OR process_cmdline matches /(http:\/\/|https:\/\/|ftp:\/\/)/i
| if(process_cmdline matches /-enc/i, "EncodedCommand",
    if(process_cmdline matches /-bypass/i, "BypassExecution",
    if(process_cmdline matches /(invoke-expression|iex)/i, "ScriptExecution",
    "SuspiciousProcess"))) as detection_type
| if(parent_process_name in ("w3wp.exe","httpd.exe","nginx.exe"), 95,
    if(process_cmdline matches /-enc/i, 85,
    if(process_cmdline matches /-bypass/i, 75, 60))) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, parent_process_name, detection_type, risk_score
| sort - risk_score

medium severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/process

False Positives

SIEM agents and log forwarders (e.g., Splunk Universal Forwarder, Elastic Winlogbeat) regularly query Windows event logs using wevtutil or WinAPI equivalents
IT operations teams and sysadmins running wevtutil.exe or Get-WinEvent during troubleshooting, capacity planning, or scheduled log archival
Backup and compliance solutions (e.g., Veeam, Commvault, Netwrix Auditor) that export Security and System logs as part of audit retention workflows

Google Chronicle / SecOps

yaral

rule detection_t1654 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Log Enumeration - T1654"
    severity = "HIGH"
    mitre_attack = "T1654"
    reference = "https://attack.mitre.org/techniques/T1654/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $process_path
    $e.target.process.command_line = $cmdline
    (
      re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$`) and
      (
        re.regex($e.target.process.command_line, `(?i)-enc(odedcommand)?`) or
        re.regex($e.target.process.command_line, `(?i)-bypass`) or
        re.regex($e.target.process.command_line, `(?i)(invoke-expression|iex\s)`) or
        re.regex($e.target.process.command_line, `(?i)http://`)
      )
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec|svchost)`)

  condition:
    $e
}

medium severity medium confidence

Data Sources

Windows EDR CrowdStrike Falcon Carbon Black

Required Tables

PROCESS_LAUNCH

False Positives

SIEM agents and log forwarders (e.g., Splunk Universal Forwarder, Elastic Winlogbeat) regularly query Windows event logs using wevtutil or WinAPI equivalents
IT operations teams and sysadmins running wevtutil.exe or Get-WinEvent during troubleshooting, capacity planning, or scheduled log archival
Backup and compliance solutions (e.g., Veeam, Commvault, Netwrix Auditor) that export Security and System logs as part of audit retention workflows

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$/
| CommandLine = /(?i)(-enc(odedcommand)?|-bypass|-noprofile|invoke-expression|iex\s|http:\/\/)/
| case {
    CommandLine = /(?i)-enc(odedcommand)?/ | DetectionType := "EncodedCommand" ;
    CommandLine = /(?i)-bypass/ | DetectionType := "BypassExecution" ;
    CommandLine = /(?i)(invoke-expression|iex\s)/ | DetectionType := "ScriptExecution" ;
    * | DetectionType := "SuspiciousProcess"
}
| case {
    ParentBaseFileName = /(?i)(w3wp|httpd|nginx|php-cgi)\.exe/ | RiskScore := "Critical" ;
    CommandLine = /(?i)-enc/ | RiskScore := "High" ;
    * | RiskScore := "Medium"
}
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, RiskScore, ProcessId, ParentProcessId])
| sort(RiskScore, order=desc, limit=100)

medium severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

SIEM agents and log forwarders (e.g., Splunk Universal Forwarder, Elastic Winlogbeat) regularly query Windows event logs using wevtutil or WinAPI equivalents
IT operations teams and sysadmins running wevtutil.exe or Get-WinEvent during troubleshooting, capacity planning, or scheduled log archival
Backup and compliance solutions (e.g., Veeam, Commvault, Netwrix Auditor) that export Security and System logs as part of audit retention workflows

Log Enumeration

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Discovery

Popular Detections