T1654: Log Enumeration

Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records (Account Discovery), security or vulnerable software (Software Discovery), or hosts within a compromised network (Remote System Discovery).

Host binaries may be leveraged to collect system logs. Examples include using wevtutil.exe or PowerShell on Windows to access and/or export security event information. In cloud environments, adversaries may leverage utilities such as the Azure VM Agent's CollectGuestLogs.exe to collect security logs from cloud-hosted infrastructure.

Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mysql_database: PT-CR-618: MySQL_Audit_Table_Access: Attempt to view an audit table
mitre_attck_discovery: PT-CR-1084: Remote_Log_Read: A remote user accessed Windows Event Log

Detection

ID: DS0022
Data source and component: File: File Access
Description: Monitor for access to system and service log files, especially from unexpected and abnormal users.

ID: DS0017
Data source and component: Command: Command Execution
Description: Monitor for the use of commands and arguments of utilities and other tools used to access and export logs.

ID: DS0009
Data source and component: Process: Process Creation
Description: Monitor for unexpected process activity associated with utilities that can access and export logs, such as wevtutil.exe on Windows and CollectGuestLogs.exe on Azure-hosted VMs.
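The three detection entries above (file access by unexpected users, command lines of log-export utilities, and process creation of wevtutil.exe / CollectGuestLogs.exe) can be combined into one piece of detection logic. The following Python is an added example, not part of the MITRE or Positive Technologies content on this page: it runs over constructed process-creation records (timestamp, host, user, image path, command line, pipe-separated) and flags wevtutil query/export verbs, the Azure CollectGuestLogs.exe binary, and PowerShell cmdlets that read event logs, then raises the severity when the account is not on an assumed allowlist of accounts expected to read logs (the SIEM collector service account and SYSTEM). The allowlist, hostnames and user names are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation records (not real telemetry). Fields:
# timestamp|host|user|image path|command line
SAMPLE_EVENTS = [
    "2024-05-01T10:02:11Z|WS01|CORP\\jdoe|C:\\Windows\\System32\\wevtutil.exe|wevtutil.exe qe Security /c:5000 /f:text",
    "2024-05-01T10:05:40Z|WS01|CORP\\jdoe|C:\\Windows\\System32\\wevtutil.exe|wevtutil.exe epl Security C:\\Users\\Public\\sec.evtx",
    "2024-05-01T10:06:02Z|VM-AZ-03|NT AUTHORITY\\SYSTEM|C:\\WindowsAzure\\GuestAgent\\CollectGuestLogs.exe|CollectGuestLogs.exe",
    "2024-05-01T10:07:15Z|SRV02|CORP\\svc-siem-collector|C:\\Windows\\System32\\wevtutil.exe|wevtutil.exe qe Security /rd:true /c:100",
    "2024-05-01T10:09:33Z|WS01|CORP\\jdoe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -c \"Get-WinEvent -LogName Security | Export-Csv C:\\Temp\\sec.csv\"",
    "2024-05-01T10:11:00Z|WS01|CORP\\jdoe|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\jdoe\\notes.txt",
]

# Assumed allowlist: accounts that are expected to read or export event logs
# (a log collector service account and the local SYSTEM account). Everything
# else touching the logs is treated as an unexpected user (DS0022).
EXPECTED_LOG_READERS = {"corp\\svc-siem-collector", "nt authority\\system"}

# wevtutil verbs that enumerate, query or export logs (short and long forms).
# Clearing (cl) is deliberately not included; that belongs to log clearing, not enumeration.
WEVTUTIL_READ_VERBS = {"el", "enum-logs", "gl", "get-log", "qe", "query-events", "epl", "export-log"}

# PowerShell cmdlets / tools that read event logs when they appear in a command line.
POWERSHELL_LOG_CMDLETS = ("get-winevent", "get-eventlog", "wevtutil")


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    reason: str
    unexpected_user: bool  # True when the user is not on the allowlist


def parse_event(line: str):
    """Split one pipe-separated record into its five fields."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return ts, host, user, image, cmdline


def classify(image: str, cmdline: str):
    """Return a reason string if the process looks like log enumeration/export, else None."""
    exe = image.rsplit("\\", 1)[-1].lower()
    tokens = re.split(r"\s+", cmdline.strip().lower())
    if exe == "wevtutil.exe":
        verb = tokens[1] if len(tokens) > 1 else ""
        if verb in WEVTUTIL_READ_VERBS:
            return f"wevtutil {verb} (event log query/export)"
        return None
    if exe == "collectguestlogs.exe":
        return "Azure VM Agent CollectGuestLogs.exe invoked"
    if exe in ("powershell.exe", "pwsh.exe"):
        lowered = cmdline.lower()
        hits = [c for c in POWERSHELL_LOG_CMDLETS if c in lowered]
        if hits:
            return "PowerShell event log access via " + ", ".join(hits)
    return None


def detect(events):
    """Run the classifier over process-creation records and return the findings."""
    findings = []
    for line in events:
        ts, host, user, image, cmdline = parse_event(line)
        reason = classify(image, cmdline)
        if reason is None:
            continue
        findings.append(Finding(ts, host, user, reason, user.lower() not in EXPECTED_LOG_READERS))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        severity = "HIGH" if f.unexpected_user else "info"
        print(f"[{severity}] {f.timestamp} {f.host} {f.user}: {f.reason}")
```

On the constructed sample the interactive user's wevtutil and PowerShell exports are reported at high severity, while the same wevtutil query run by the collector service account and the Azure agent's own log collection under SYSTEM are logged at informational level only. In production the allowlist is the important tuning knob: the scheduled collector and the agent will generate this activity constantly, so the signal is the account and host rather than the binary alone.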

Mitigation

ID: M1018
Name: User Account Management
Description: Limit the ability to access and export sensitive logs to privileged accounts where possible.