Detect Log Enumeration in Splunk

This detection identifies adversaries enumerating system and service logs to gather intelligence about the environment, including authentication records, security events, software inventory, and network hosts. The detection focuses on the use of native Windows utilities such as wevtutil.exe and PowerShell cmdlets (Get-EventLog, Get-WinEvent) to query or export Windows event logs, Azure VM Agent's CollectGuestLogs.exe for cloud-hosted log collection, and Linux tools like journalctl and ausearch for authentication log enumeration. Suspicious patterns include querying Security and System event logs outside of known administrative context, bulk exporting logs, and log enumeration activity originating from unusual parent processes indicative of post-exploitation. Real-world threat actors including Volt Typhoon, Ember Bear, and Aquatic Panda have used these techniques to identify authenticated sessions, map the environment, and monitor incident response activity in real time.

MITRE ATT&CK

Tactic: Discovery
Technique: T1654 Log Enumeration
Canonical reference: https://attack.mitre.org/techniques/T1654/

SPL Detection Query

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| search (
    (Image="*\\wevtutil.exe" AND (CommandLine="*qe *" OR CommandLine="*epl *" OR CommandLine="*query-events*" OR CommandLine="*export-log*" OR CommandLine="*gl *" OR CommandLine="*qel *" OR CommandLine="*get-log*"))
    OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe") AND (CommandLine="*Get-EventLog*" OR CommandLine="*Get-WinEvent*" OR CommandLine="*[System.Diagnostics.EventLog]*"))
    OR Image="*\\CollectGuestLogs.exe"
  )
| eval cl=lower(CommandLine)
| eval log_target=case(
    match(cl, "\\bsecurity\\b"), "Security",
    match(cl, "powershell/operational|windows powershell"), "PowerShell Operational",
    match(cl, "\\bsystem\\b(?!\\.)"), "System",
    match(cl, "\\bapplication\\b"), "Application",
    true(), "Other"
  )
| eval is_bulk_export=if(
    match(CommandLine, "(?i)(\\bepl\\b|export-log|Out-File|Export-Csv|Set-Content|Tee-Object|>\\s*[A-Za-z])"),
    "true", "false"
  )
| eval suspicious_parent=if(
    match(ParentImage, "(?i)(cmd\\.exe|wscript\\.exe|cscript\\.exe|mshta\\.exe|regsvr32\\.exe|rundll32\\.exe|msiexec\\.exe)"),
    "true", "false"
  )
| eval risk_score=case(
    (is_bulk_export="true" AND log_target="Security"), 9,
    (suspicious_parent="true"), 8,
    (is_bulk_export="true"), 7,
    (log_target="Security"), 6,
    true(), 3
  )
| where risk_score >= 3
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, log_target, is_bulk_export, suspicious_parent, risk_score
| sort - risk_score
Severity: medium. Confidence: medium.

Detects log enumeration via Sysmon process creation (EventCode=1) for wevtutil.exe log query/export operations, PowerShell event log cmdlets, and CollectGuestLogs.exe. Enriches with log target classification, bulk export detection, and suspicious parent process flagging to reduce noise and prioritize high-risk alerts.
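To sanity-check the enrichment before the query goes into production, the following is an added example (not code from the original page or from Splunk) that re-implements the log-target classification, the bulk-export and suspicious-parent checks, and the risk scoring in Python over three constructed Sysmon EventCode 1 records. Log names are matched on word boundaries so that a full System32 path or a PowerShell -replace operator does not misclassify an event.

```python
import re

# Constructed Sysmon EventCode 1 records (sample data, not real telemetry): a
# Security export from cmd.exe, a PowerShell query whose full System32 path and
# '-replace' must not mislead the rule, and a wevtutil query spawned by svchost.
SAMPLE_EVENTS = [
    {"CommandLine": r"wevtutil epl Security C:\Users\Public\sec.evtx",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'-c "Get-WinEvent -LogName Setup | % { $_.Message -replace x,y }"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"CommandLine": "wevtutil qe Application /c:5",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

# Same patterns as the SPL evals; 'epl' is word-bounded so '-replace' or
# 'deploy' is not counted as a bulk export.
BULK_EXPORT = re.compile(
    r"(?i)(\bepl\b|export-log|Out-File|Export-Csv|Set-Content|Tee-Object|>\s*[A-Za-z])")
SUSPICIOUS_PARENT = re.compile(
    r"(?i)(cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe)")

def log_target(command_line):
    """Classify which event log the command touches; order mirrors the SPL case()."""
    cl = command_line.lower()
    if re.search(r"\bsecurity\b", cl):
        return "Security"
    if re.search(r"powershell/operational|windows powershell", cl):
        return "PowerShell Operational"
    # \b keeps 'System32' from matching; the lookahead skips '[System.Diagnostics...]'.
    if re.search(r"\bsystem\b(?!\.)", cl):
        return "System"
    if re.search(r"\bapplication\b", cl):
        return "Application"
    return "Other"

def enrich(event):
    """Add log_target, is_bulk_export, suspicious_parent and risk_score as the SPL does."""
    target = log_target(event["CommandLine"])
    bulk = BULK_EXPORT.search(event["CommandLine"]) is not None
    parent = SUSPICIOUS_PARENT.search(event["ParentImage"]) is not None
    score = (9 if bulk and target == "Security" else 8 if parent
             else 7 if bulk else 6 if target == "Security" else 3)
    return {**event, "log_target": target, "is_bulk_export": bulk,
            "suspicious_parent": parent, "risk_score": score}

def triage(events, min_score=3):
    """Equivalent of '| where risk_score >= N | sort - risk_score' (stable sort)."""
    rows = [r for r in map(enrich, events) if r["risk_score"] >= min_score]
    return sorted(rows, key=lambda r: -r["risk_score"])
```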

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Log forwarder agents (Splunk UF, NXLog, Elastic Agent) will regularly generate wevtutil or PowerShell Get-WinEvent process creation events during normal log shipping
  • Windows Event Log backup scripts run by scheduled tasks under SYSTEM or service accounts during maintenance windows
  • Security monitoring and EDR products that use wevtutil or Windows Event Log API to collect telemetry from managed endpoints
  • Azure Monitor and Log Analytics agents using CollectGuestLogs.exe on Azure VMs as part of VM diagnostic extension activity
  • IT helpdesk staff running ad-hoc PowerShell sessions to retrieve event logs for user support or incident investigation

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Windows Log Enumeration via wevtutil - Query and Export Security Logs

    Expected signal: Sysmon Event ID 1 (process create) for wevtutil.exe with CommandLine containing 'qe Security' and 'epl Security'. Security Event ID 4688 if process auditing is enabled. DeviceFileEvents showing creation of .txt and .evtx files in TEMP directory.

  2. Test 2: Windows Log Enumeration via PowerShell Get-WinEvent

    Expected signal: Sysmon Event ID 1 for powershell.exe with CommandLine containing 'Get-WinEvent' and 'Export-Csv'. PowerShell ScriptBlock Event ID 4104 showing full script content. DeviceFileEvents for CSV file creation in TEMP.

  3. Test 3: Linux Authentication Log Enumeration

    Expected signal: Linux auditd process execution events for journalctl, cat, ausearch, lastb. Syslog entries showing file reads against /var/log/auth.log. File creation events for /tmp/auth_enum.txt and /tmp/ssh_audit.json via auditd OPEN syscall records.

  4. Test 4: Remote Log Enumeration via wevtutil with /remote flag

    Expected signal: Sysmon Event ID 1 with wevtutil.exe CommandLine containing '/r:' flag and target hostname. Network connection from wevtutil.exe to target port 135/445 (RPC/SMB for remote EventLog access). Security Event ID 4648 (explicit credentials logon) on source if /u: flag is used.
