Detect Log Enumeration in Microsoft Sentinel
This detection identifies adversaries enumerating system and service logs to gather intelligence about the environment, including authentication records, security events, software inventory, and network hosts. The detection focuses on the use of native Windows utilities such as wevtutil.exe and PowerShell cmdlets (Get-EventLog, Get-WinEvent) to query or export Windows event logs, Azure VM Agent's CollectGuestLogs.exe for cloud-hosted log collection, and Linux tools like journalctl and ausearch for authentication log enumeration. Suspicious patterns include querying Security and System event logs outside of known administrative context, bulk exporting logs, and log enumeration activity originating from unusual parent processes indicative of post-exploitation. Real-world threat actors including Volt Typhoon, Ember Bear, and Aquatic Panda have used these techniques to identify authenticated sessions, map the environment, and monitor incident response activity in real time.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1654 Log Enumeration
- Canonical reference
- https://attack.mitre.org/techniques/T1654/
KQL Detection Query
let TimeWindow = 1d;
let SuspiciousParents = dynamic(["cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe"]);
DeviceProcessEvents
| where TimeGenerated > ago(TimeWindow)
| where (
// wevtutil log enumeration and export
(FileName =~ "wevtutil.exe" and ProcessCommandLine has_any ("qe ", "epl ", "query-events", "export-log", "gl ", "qel ", "get-log"))
// PowerShell native log cmdlets
or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-EventLog", "Get-WinEvent", "Get-WinEvent", "[System.Diagnostics.EventLog]"))
// Azure VM Guest log collection
or FileName =~ "CollectGuestLogs.exe"
)
| extend
LogTarget = case(
ProcessCommandLine has_any ("security", "Security"), "Security",
ProcessCommandLine has_any ("system", "System"), "System",
ProcessCommandLine has_any ("application", "Application"), "Application",
ProcessCommandLine has_any ("powershell", "PowerShell"), "PowerShell Operational",
ProcessCommandLine has "ForwardedEvents", "Forwarded Events",
"Other"
),
IsBulkExport = iff(
ProcessCommandLine has_any ("epl", "export-log", "Out-File", "Export-Csv", "Set-Content", " > ", "Tee-Object"),
true, false
),
SuspiciousParent = iff(
InitiatingProcessFileName in~ (SuspiciousParents),
true, false
),
RiskScore = case(
ProcessCommandLine has_any ("epl", "export-log", "Out-File") and ProcessCommandLine has "security", 9,
ProcessCommandLine has_any ("epl", "export-log", "Out-File"), 7,
InitiatingProcessFileName in~ (SuspiciousParents), 8,
ProcessCommandLine has "security", 6,
true, 3
)
| where RiskScore >= 3
| project
TimeGenerated,
DeviceName,
AccountName,
AccountDomain,
FileName,
ProcessCommandLine,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
LogTarget,
IsBulkExport,
SuspiciousParent,
RiskScore
| order by RiskScore desc, TimeGenerated descDetects log enumeration activity using wevtutil.exe (query/export operations), PowerShell cmdlets (Get-EventLog, Get-WinEvent), and Azure CollectGuestLogs.exe. Scores results by risk level based on whether Security logs are targeted, whether logs are being bulk-exported, and whether the parent process is suspicious (script interpreters, LOLBins). Aligns with Volt Typhoon and Ember Bear TTPs.
Data Sources
Required Tables
False Positives & Tuning
- SIEM agents and log forwarders (e.g., Splunk Universal Forwarder, Elastic Winlogbeat) regularly query Windows event logs using wevtutil or WinAPI equivalents
- IT operations teams and sysadmins running wevtutil.exe or Get-WinEvent during troubleshooting, capacity planning, or scheduled log archival
- Backup and compliance solutions (e.g., Veeam, Commvault, Netwrix Auditor) that export Security and System logs as part of audit retention workflows
- Azure Monitor Agent and Microsoft Monitoring Agent (MMA/AMA) using CollectGuestLogs.exe on cloud-hosted VMs as part of normal diagnostics
- Vulnerability scanners and configuration management tools (e.g., Nessus, Qualys, SCCM) that enumerate event log state to assess system health
Other platforms for T1654
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Windows Log Enumeration via wevtutil - Query and Export Security Logs
Expected signal: Sysmon Event ID 1 (process create) for wevtutil.exe with CommandLine containing 'qe Security' and 'epl Security'. Security Event ID 4688 if process auditing is enabled. DeviceFileEvents showing creation of .txt and .evtx files in TEMP directory.
- Test 2Windows Log Enumeration via PowerShell Get-WinEvent
Expected signal: Sysmon Event ID 1 for powershell.exe with CommandLine containing 'Get-WinEvent' and 'Export-Csv'. PowerShell ScriptBlock Event ID 4104 showing full script content. DeviceFileEvents for CSV file creation in TEMP.
- Test 3Linux Authentication Log Enumeration
Expected signal: Linux auditd process execution events for journalctl, cat, ausearch, lastb. Syslog entries showing file reads against /var/log/auth.log. File creation events for /tmp/auth_enum.txt and /tmp/ssh_audit.json via auditd OPEN syscall records.
- Test 4Remote Log Enumeration via wevtutil with /remote flag
Expected signal: Sysmon Event ID 1 with wevtutil.exe CommandLine containing '/r:' flag and target hostname. Network connection from wevtutil.exe to target port 135/445 (RPC/SMB for remote EventLog access). Security Event ID 4648 (explicit credentials logon) on source if /u: flag is used.
References (7)
- https://attack.mitre.org/techniques/T1654/
- https://www.withsecure.com/content/dam/with-secure/en/resources/whitepapers/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf
- https://www.microsoft.com/en-us/security/blog/2023/04/06/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/
- https://permiso.io/blog/s/gui-vil-who-dis-guivil-group-cloud-threat-actor
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent
Unlock Pro Content
Get the full detection package for T1654 including response playbook, investigation guide, and atomic red team tests.