T1654: Log Enumeration
Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records (Account Discovery), security or vulnerable software (Software Discovery), or hosts within a compromised network (Remote System Discovery).
Host binaries may be leveraged to collect system logs. Examples include using `wevtutil.exe` or PowerShell on Windows to access and/or export security event information.[1][2] In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s `CollectGuestLogs.exe` to collect security logs from cloud hosted infrastructure.[3]
Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.
In addition to gaining a better understanding of the environment, adversaries may also monitor logs in real time to track incident response procedures. This may allow them to adjust their techniques in order to maintain persistence or evade defenses.[4]
Analyst context for executives and security teams
Log Enumeration matters because an intruder who can read host, cloud, or centralized logs can learn how the environment works, where accounts and systems are, what security tools are present, and how responders are reacting. This is a discovery behavior, but it can materially affect incident containment because logs may help adversaries adjust activity to avoid defenses or maintain access.
Executive priority
Treat access to logs as access to sensitive operational intelligence. Leaders should ask whether log repositories, SIEM access, cloud guest logs, Windows event logs, Linux/macOS logs, and ESXi-related logs are governed with least privilege and monitored for unusual export or access. The business risk is not only data exposure; it is that incident response, identity activity, vulnerability clues, and system inventory information may be exposed to an adversary during an intrusion.
Technical view
For SOC, detection engineering, and IR teams, validate visibility across ESXi, IaaS, Linux, macOS, and Windows for abnormal log access, log export, and centralized logging queries. ATT&CK notes use of host binaries such as wevtutil.exe and PowerShell on Windows, cloud utilities such as Azure VM Agent CollectGuestLogs.exe, and possible targeting of SIEM or centralized logging infrastructure. Because MITRE provides no official detection text for this technique, detections should be built around local baselines for who normally reads, exports, searches, or bulk downloads logs and from where.
Likely telemetry
- Windows event log access and export activity, including command-line telemetry for wevtutil.exe and PowerShell
- Process creation and command-line telemetry on Windows, Linux, macOS, and ESXi where available
- Cloud infrastructure audit logs for guest log collection, VM agent activity, and administrative access to log artifacts
- SIEM and centralized logging platform audit logs, including search, export, bulk download, and privilege changes
- Identity and access logs showing users, service accounts, roles, and sessions used to access logs
Detection direction
- Validate DET0255, Detection Strategy for Log Enumeration, against local platforms and logging architecture rather than assuming coverage from ATT&CK alone.
- Alert on unusual log export, bulk download, high-volume SIEM queries, or access to security/authentication logs by accounts that do not normally perform those actions.
- Correlate log enumeration with related discovery context identified by ATT&CK: account discovery, software discovery, and remote system discovery.
- Tune carefully for administrators, incident responders, backup jobs, compliance exports, and monitoring tools, which may legitimately access or export logs.
- Prioritize monitoring of centralized logging infrastructure because access there can reveal broad environment and incident response visibility from one location.
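The detection direction above, as an added example that is not part of the MITRE or Glexia text: a small analytic that flags the log-access command lines the technique names (wevtutil export/query, PowerShell event-log reads, CollectGuestLogs.exe) against a local baseline of who normally exports logs, then correlates repeated hits per account and host. The sample events, the account and host names, and the baseline pairs are all constructed for illustration.

```python
import re
from collections import defaultdict

# Added example, not MITRE's or Glexia's code. The events below are constructed
# to look like Windows 4688 / EDR process-creation records; they are not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS-0412", "user": "CORP\\jdoe",
     "cmdline": "wevtutil.exe epl Security C:\\Users\\Public\\sec.evtx"},
    {"host": "LOGFWD-01", "user": "CORP\\svc-logfwd",
     "cmdline": "wevtutil epl Security \\\\logsrv\\staging\\sec.evtx"},
    {"host": "WS-0412", "user": "CORP\\jdoe",
     "cmdline": "powershell -c Get-WinEvent -LogName Security -MaxEvents 5000"},
    {"host": "AZ-VM-07", "user": "CORP\\contractor1",
     "cmdline": "CollectGuestLogs.exe"},   # arguments omitted; the page gives none
    {"host": "WS-0412", "user": "CORP\\jdoe",
     "cmdline": "wevtutil gl Application"},  # reads log config only, should not fire
]

# Command-line patterns for the log-access binaries the technique text names.
# wevtutil 'epl' (export-log) and 'qe' (query-events) read log content; 'gl' does not.
RULES = [
    ("wevtutil_export_or_query",
     re.compile(r"\bwevtutil(\.exe)?\s+(epl|export-log|qe|query-events)\s+"
                r"(security|system|application)\b", re.I)),
    ("powershell_eventlog_read", re.compile(r"\bget-(winevent|eventlog)\b", re.I)),
    ("azure_collectguestlogs", re.compile(r"\bcollectguestlogs\.exe\b", re.I)),
]

# Local baseline: (account, host) pairs that routinely export logs (hypothetical values).
BASELINE = {("CORP\\svc-logfwd", "LOGFWD-01")}

def find_log_enumeration(events, baseline=BASELINE):
    """Return one finding per event that matches a log-access rule.
    Matches from a baselined (account, host) pair are kept as 'info' so they
    remain auditable; everything else is an 'alert'."""
    findings = []
    for ev in events:
        for rule, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                known = (ev["user"], ev["host"]) in baseline
                findings.append({"rule": rule, "user": ev["user"], "host": ev["host"],
                                 "severity": "info" if known else "alert"})
                break
    return findings

def escalate(findings, min_rules=2):
    """Correlate alerts per (account, host): a principal hitting two or more
    distinct log-access rules is a stronger enumeration signal than one command."""
    seen = defaultdict(set)
    for f in findings:
        if f["severity"] == "alert":
            seen[(f["user"], f["host"])].add(f["rule"])
    return sorted(k for k, rules in seen.items() if len(rules) >= min_rules)
```

In a real deployment the baseline would be derived from historical telemetry (backup jobs, compliance exports, collectors) rather than hard-coded, and the same pattern extends to SIEM audit logs by swapping the command-line regexes for search and export event types.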
Mitigation priorities
- Apply User Account Management principles, especially least privilege, to log access across hosts, cloud infrastructure, and centralized logging systems.
- Restrict SIEM and log repository permissions to roles with a defined operational need, and separate routine monitoring access from administrative/export privileges.
- Review service accounts and cloud roles that can collect or export guest, security, authentication, or infrastructure logs.
- Maintain audit logging for the logging systems themselves so access, search, export, and privilege changes are reviewable during investigations.
- Include log-access review in incident response playbooks, especially when containment actions or responder activity may be visible to an intruder.
Analyst notes and limits
This technique has relationship context to multiple groups and software, including Mustang Panda, Aquatic Panda, Ember Bear, Volt Typhoon, APT5, Pacu, DUSTTRAP, Megazord, Akira _v2, and BeaverTail. These relationships support the defensive priority of monitoring log access across enterprise, cloud, and ESXi-related environments, but they should not be treated as proof of activity in any specific organization.
MITRE does not provide official detection guidance for T1654 in the supplied fields. Specific analytics, thresholds, and false-positive handling require local knowledge of administrative workflows, SIEM usage, cloud logging design, endpoint telemetry, and incident response procedures.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
G1023: APT5
APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.[1][2][3][4][5][6]
G1003: Ember Bear
Ember Bear is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).[1] Ember Bear has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.[2] Ember Bear conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022.[3][4][1] There is some confusion as to whether Ember Bear overlaps with another Russian-linked entity referred to as Saint Bear. At present available evidence strongly suggests these are distinct activities with different behavioral profiles.[2][5]
G1017: Volt Typhoon
Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activities, and stolen credentials.[1][2][3][4] The group has leveraged compromised SOHO routers to proxy command and control traffic and obscure its infrastructure, activity associated with the KV botnet.[5]
Reporting indicates a separate initial access cluster, SYLVANITE, has been observed exploiting internet-facing edge devices and transferring access to Volt Typhoon, also tracked as VOLTZITE, for follow-on operations.[6]
G0143: Aquatic Panda
Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, Aquatic Panda has primarily targeted entities in the telecommunications, technology, and government sectors.[1]
G0129: Mustang Panda
Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam.[1][2][3][4][5][6][7][8][9][10][11][12][13]
S1246: BeaverTail
BeaverTail is a malware that has both a JavaScript and C++ variant. Active since 2022, BeaverTail is capable of stealing logins from browsers and serves as a downloader for second stage payloads. BeaverTail has previously been leveraged by North Korea-affiliated actors identified as DeceptiveDevelopment or Contagious Interview. BeaverTail has been delivered to victims through code repository sites and has been embedded within malicious attachments.[1][2][3][4]
S1091: Pacu
Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.[1]
S1191: Megazord
S1194: Akira _v2
S1159: DUSTTRAP
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 02fc10ae91a0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Ruohonen, S. & Robinson, S. (2023, February 2). No Pineapple! - DPRK Targeting of Medical Research and Technology Sector. WithSecure Lazarus-NoPineapple Threat Intel Report. Retrieved July 10, 2023.
[2] Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.
[3] Mandiant Intelligence. (2023, May 16). SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack. Retrieved June 2, 2023.
[4] Ian Ahl. (2023, May 22). Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor. Permiso. Retrieved August 30, 2024.
[5] MITRE ATT&CK. T1654: Log Enumeration (mitre-attack source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.