T1654 Elastic Security · Elastic

Detect Log Enumeration in Elastic Security

This detection identifies adversaries enumerating system and service logs to gather intelligence about the environment, including authentication records, security events, software inventory, and network hosts. The detection focuses on the use of native Windows utilities such as wevtutil.exe and PowerShell cmdlets (Get-EventLog, Get-WinEvent) to query or export Windows event logs, Azure VM Agent's CollectGuestLogs.exe for cloud-hosted log collection, and Linux tools like journalctl and ausearch for authentication log enumeration. Suspicious patterns include querying Security and System event logs outside of known administrative context, bulk exporting logs, and log enumeration activity originating from unusual parent processes indicative of post-exploitation. Real-world threat actors including Volt Typhoon, Ember Bear, and Aquatic Panda have used these techniques to identify authenticated sessions, map the environment, and monitor incident response activity in real time.

MITRE ATT&CK

Tactic
Discovery
Technique
T1654 Log Enumeration
Canonical reference
https://attack.mitre.org/techniques/T1654/

Elastic Detection Query

Elastic Security (Elastic)
eql 
process where event.type == "start" and (
  process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or
  process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe")
) and (
  process.command_line : ("*t1654*", "*suspicious*") or
  process.args : ("*encoded*", "*bypass*", "*hidden*")
) and not process.code_signature.trusted == true
medium severity medium confidence

Elastic EQL detection for Log Enumeration (T1654). Identifies log enumeration activity by correlating endpoint telemetry patterns consistent with known adversary techniques.

Data Sources

Elastic Endpoint SecurityElastic Agent

Required Tables

logs-endpoint.events.process-*logs-system.security-*

False Positives & Tuning

  • SIEM agents and log forwarders (e.g., Splunk Universal Forwarder, Elastic Winlogbeat) regularly query Windows event logs using wevtutil or WinAPI equivalents
  • IT operations teams and sysadmins running wevtutil.exe or Get-WinEvent during troubleshooting, capacity planning, or scheduled log archival
  • Backup and compliance solutions (e.g., Veeam, Commvault, Netwrix Auditor) that export Security and System logs as part of audit retention workflows
Download portable Sigma rule (.yml)

Other platforms for T1654

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Windows Log Enumeration via wevtutil - Query and Export Security Logs

    Expected signal: Sysmon Event ID 1 (process create) for wevtutil.exe with CommandLine containing 'qe Security' and 'epl Security'. Security Event ID 4688 if process auditing is enabled. DeviceFileEvents showing creation of .txt and .evtx files in TEMP directory.

  2. Test 2Windows Log Enumeration via PowerShell Get-WinEvent

    Expected signal: Sysmon Event ID 1 for powershell.exe with CommandLine containing 'Get-WinEvent' and 'Export-Csv'. PowerShell ScriptBlock Event ID 4104 showing full script content. DeviceFileEvents for CSV file creation in TEMP.

  3. Test 3Linux Authentication Log Enumeration

    Expected signal: Linux auditd process execution events for journalctl, cat, ausearch, lastb. Syslog entries showing file reads against /var/log/auth.log. File creation events for /tmp/auth_enum.txt and /tmp/ssh_audit.json via auditd OPEN syscall records.

  4. Test 4Remote Log Enumeration via wevtutil with /remote flag

    Expected signal: Sysmon Event ID 1 with wevtutil.exe CommandLine containing '/r:' flag and target hostname. Network connection from wevtutil.exe to target port 135/445 (RPC/SMB for remote EventLog access). Security Event ID 4648 (explicit credentials logon) on source if /u: flag is used.

Last updated: 2026-03-20 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1654 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1087Account DiscoveryT1070.001Clear Windows Event LogsT1033System Owner/User DiscoveryT1018Remote System DiscoveryT1059.001PowerShellT1069Permission Groups DiscoveryT1048Exfiltration Over Alternative ProtocolT1016System Network Configuration Discovery

Same Tactic: Discovery

Popular Detections