title: Log Enumeration (T1654)
id: df00tech-t1654
status: experimental
description: "This detection identifies adversaries enumerating system and service logs to gather intelligence about the environment, including authentication records, security events, software inventory, and network hosts. The detection focuses on the use of native Windows utilities such as wevtutil.exe and PowerShell cmdlets (Get-EventLog, Get-WinEvent) to query or export Windows event logs, Azure VM Agent's CollectGuestLogs.exe for cloud-hosted log collection, and Linux tools like journalctl and ausearch for authentication log enumeration. Suspicious patterns include querying Security and System event logs outside of known administrative context, bulk exporting logs, and log enumeration activity originating from unusual parent processes indicative of post-exploitation. Real-world threat actors including Volt Typhoon, Ember Bear, and Aquatic Panda have used these techniques to identify authenticated sessions, map the environment, and monitor incident response activity in real time."
references:
  - https://attack.mitre.org/techniques/T1654/
  - https://df00tech.com/detections/T1654
author: df00tech
date: 2026/03/20
tags:
  - attack.t1654
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "SIEM agents and log forwarders (e.g., Splunk Universal Forwarder, Elastic Winlogbeat) regularly query Windows event logs using wevtutil or WinAPI equivalents"
  - "IT operations teams and sysadmins running wevtutil.exe or Get-WinEvent during troubleshooting, capacity planning, or scheduled log archival"
  - "Backup and compliance solutions (e.g., Veeam, Commvault, Netwrix Auditor) that export Security and System logs as part of audit retention workflows"
  - Azure Monitor Agent and Microsoft Monitoring Agent (MMA/AMA) using CollectGuestLogs.exe on cloud-hosted VMs as part of normal diagnostics
  - "Vulnerability scanners and configuration management tools (e.g., Nessus, Qualys, SCCM) that enumerate event log state to assess system health"
level: medium