Detect Log Enumeration in Google Chronicle
This detection identifies adversaries enumerating system and service logs to gather intelligence about the environment, including authentication records, security events, software inventory, and network hosts. The detection focuses on the use of native Windows utilities such as wevtutil.exe and PowerShell cmdlets (Get-EventLog, Get-WinEvent) to query or export Windows event logs, Azure VM Agent's CollectGuestLogs.exe for cloud-hosted log collection, and Linux tools like journalctl and ausearch for authentication log enumeration. Suspicious patterns include querying Security and System event logs outside of known administrative context, bulk exporting logs, and log enumeration activity originating from unusual parent processes indicative of post-exploitation. Real-world threat actors including Volt Typhoon, Ember Bear, and Aquatic Panda have used these techniques to identify authenticated sessions, map the environment, and monitor incident response activity in real time.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1654 Log Enumeration
- Canonical reference
- https://attack.mitre.org/techniques/T1654/
YARA-L Detection Query
rule detection_t1654 {
meta:
author = "Argus Detection Platform"
description = "Detects Log Enumeration - T1654"
severity = "HIGH"
mitre_attack = "T1654"
reference = "https://attack.mitre.org/techniques/T1654/"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
$e.principal.hostname = $hostname
$e.target.process.file.full_path = $process_path
$e.target.process.command_line = $cmdline
(
re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$`) and
(
re.regex($e.target.process.command_line, `(?i)-enc(odedcommand)?`) or
re.regex($e.target.process.command_line, `(?i)-bypass`) or
re.regex($e.target.process.command_line, `(?i)(invoke-expression|iex\s)`) or
re.regex($e.target.process.command_line, `(?i)http://`)
)
)
not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec|svchost)`)
condition:
$e
}Google Chronicle YARA-L 2.0 rule for detecting Log Enumeration (T1654). Uses Chronicle UDM event model to identify log enumeration behaviors across endpoint and cloud telemetry.
Data Sources
Required Tables
False Positives & Tuning
- SIEM agents and log forwarders (e.g., Splunk Universal Forwarder, Elastic Winlogbeat) regularly query Windows event logs using wevtutil or WinAPI equivalents
- IT operations teams and sysadmins running wevtutil.exe or Get-WinEvent during troubleshooting, capacity planning, or scheduled log archival
- Backup and compliance solutions (e.g., Veeam, Commvault, Netwrix Auditor) that export Security and System logs as part of audit retention workflows
Other platforms for T1654
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Windows Log Enumeration via wevtutil - Query and Export Security Logs
Expected signal: Sysmon Event ID 1 (process create) for wevtutil.exe with CommandLine containing 'qe Security' and 'epl Security'. Security Event ID 4688 if process auditing is enabled. DeviceFileEvents showing creation of .txt and .evtx files in TEMP directory.
- Test 2Windows Log Enumeration via PowerShell Get-WinEvent
Expected signal: Sysmon Event ID 1 for powershell.exe with CommandLine containing 'Get-WinEvent' and 'Export-Csv'. PowerShell ScriptBlock Event ID 4104 showing full script content. DeviceFileEvents for CSV file creation in TEMP.
- Test 3Linux Authentication Log Enumeration
Expected signal: Linux auditd process execution events for journalctl, cat, ausearch, lastb. Syslog entries showing file reads against /var/log/auth.log. File creation events for /tmp/auth_enum.txt and /tmp/ssh_audit.json via auditd OPEN syscall records.
- Test 4Remote Log Enumeration via wevtutil with /remote flag
Expected signal: Sysmon Event ID 1 with wevtutil.exe CommandLine containing '/r:' flag and target hostname. Network connection from wevtutil.exe to target port 135/445 (RPC/SMB for remote EventLog access). Security Event ID 4648 (explicit credentials logon) on source if /u: flag is used.
References (7)
- https://attack.mitre.org/techniques/T1654/
- https://www.withsecure.com/content/dam/with-secure/en/resources/whitepapers/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf
- https://www.microsoft.com/en-us/security/blog/2023/04/06/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/
- https://permiso.io/blog/s/gui-vil-who-dis-guivil-group-cloud-threat-actor
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent
Unlock Pro Content
Get the full detection package for T1654 including response playbook, investigation guide, and atomic red team tests.