
T1654 Log Enumeration

Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records (Account Discovery), security or vulnerable software (Software Discovery), or hosts within a compromised network (Remote System Discovery).

Host binaries may be leveraged to collect system logs. Examples include using wevtutil.exe or PowerShell on Windows to access and/or export security event information.[4][3] In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s CollectGuestLogs.exe to collect security logs from cloud hosted infrastructure.[2]

Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.

In addition to gaining a better understanding of the environment, adversaries may also monitor logs in real time to track incident response procedures. This may allow them to adjust their techniques in order to maintain persistence or evade defenses.[1]
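A detection-side illustration of the tooling described above, written as an added example that is not part of the ATT&CK page: it runs pattern rules over constructed process-creation records and rates each hit against an allowlist of accounts that are permitted to read logs, the control M1018 recommends. The record field names, hostnames, user names and file paths are assumptions; Get-WinEvent is a real cmdlet that the page itself does not mention.

```python
"""Flag T1654-style log enumeration in process-creation telemetry.
Added example, not MITRE's code; input records are constructed to look like
Windows Security 4688 process-creation events (host, user, cmdline). Rules
cover the tooling named on the page (wevtutil.exe, PowerShell Get-EventLog,
Azure VM Agent CollectGuestLogs.exe) plus the related Get-WinEvent cmdlet."""
import re

# wevtutil subcommands that read logs: el/enum-logs, gl/get-log,
# qe/query-events, epl/export-log.
RULES = {
    "wevtutil enumerates, queries or exports an event log": re.compile(
        r"\bwevtutil(\.exe)?\b.*\b(el|enum-logs|gl|get-log|qe|query-events|epl|export-log)\b", re.I),
    "PowerShell event-log cmdlet": re.compile(r"\bGet-(EventLog|WinEvent)\b", re.I),
    "Azure VM Agent guest log collection": re.compile(r"\bCollectGuestLogs\.exe\b", re.I),
}

# Constructed sample records; hostnames, users and paths are made up.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "jdoe", "cmdline": "wevtutil.exe qe Security /c:500 /f:text"},
    {"host": "ws01", "user": "jdoe", "cmdline": r"wevtutil epl Security C:\Users\Public\sec.evtx"},
    {"host": "srv02", "user": "svc_logcollect",
     "cmdline": 'powershell -nop -c "Get-EventLog security -Newest 200"'},
    {"host": "az-vm1", "user": "SYSTEM", "cmdline": r"C:\WindowsAzure\Packages\CollectGuestLogs.exe"},
    {"host": "ws01", "user": "jdoe", "cmdline": "notepad.exe notes.txt"},
]


def find_log_enumeration(events, allowed_readers=frozenset()):
    """One finding per event whose command line matches a rule. allowed_readers
    are accounts permitted to read/export logs (the M1018 control): their
    matches are rated 'low' for review, anyone else's 'high'."""
    findings = []
    for ev in events:
        for name, pattern in RULES.items():
            if pattern.search(ev["cmdline"]):
                findings.append({"host": ev["host"], "user": ev["user"], "rule": name,
                                 "severity": "low" if ev["user"] in allowed_readers else "high",
                                 "cmdline": ev["cmdline"]})
                break  # first matching rule wins; one finding per event
    return findings
```

On the constructed sample, the three reads by jdoe and the SYSTEM-run CollectGuestLogs.exe are rated high while the allowlisted collector account's Get-EventLog run is rated low; the notepad record produces no finding.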

ID: T1654
Sub-techniques: none listed
Tactics: TA0007
Platforms: ESXi, IaaS, Linux, Windows, macOS
Version: 1.2
Created: 10 July 2023
Last Modified: 15 April 2025

Procedure Examples

S1194 Akira _v2: Akira _v2 can enumerate the trace, debug, error, info, and warning logs on targeted systems.[8][7]
G1023 APT5: APT5 has used the BLOODMINE utility to parse and extract information from Pulse Secure Connect logs.[10]
G0143 Aquatic Panda: Aquatic Panda enumerated logs related to authentication in Linux environments prior to deleting selective entries for defense evasion purposes.[14]
S1246 BeaverTail: BeaverTail has identified .ldb and .log files stored in browser extension directories for collection and exfiltration.[6]
S1159 DUSTTRAP: DUSTTRAP can identify infected system log information.[9]
G1003 Ember Bear: Ember Bear has enumerated SECURITY and SYSTEM log files during intrusions.[11]
S1191 Megazord: Megazord has the ability to print the trace, debug, error, info, and warning logs.[7]
G0129 Mustang Panda: Mustang Panda has used Wevtutil to gather Windows Security Event Logs.[15]
S1091 Pacu: Pacu can collect CloudTrail event histories and CloudWatch logs.[5]
G1017 Volt Typhoon: Volt Typhoon has used wevtutil.exe and the PowerShell command Get-EventLog security to enumerate Windows logs to search for successful logons.[13][12]

Mitigations

M1018 User Account Management: Limit the ability to access and export sensitive logs to privileged accounts where possible.

References

  1. Ian Ahl. (2023, May 22). Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor. Retrieved August 30, 2024.

  2. Mandiant Intelligence. (2023, May 16). SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack. Retrieved June 2, 2023.

  3. Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.

  4. Ruohonen, S. & Robinson, S. (2023, February 2). No Pineapple! - DPRK Targeting of Medical Research and Technology Sector. Retrieved July 10, 2023.

  5. Rhino Security Labs. (2019, August 22). Pacu. Retrieved October 17, 2019.

  6. Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025.

  7. Zemah, Y. (2024, December 2). Threat Assessment: Howling Scorpius (Akira Ransomware). Retrieved January 8, 2025.

  8. Nutland, J. and Szeliga, M. (2024, October 21). Akira ransomware continues to evolve. Retrieved December 10, 2024.

  9. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.

  10. Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.

  11. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.

  12. CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.

  13. NSA et al. (2023, May 24). People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.

  14. CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024.

  15. Lior Rochberger, Tom Fakterman, Robert Falcone. (2023, September 22). Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda. Retrieved September 9, 2025.