What your saying is that these machines don't log at the operating system level, in the fashion of a tracelog, but count on bad actors to use COTS implementations of those system level calls, and log the high level events?

Its a good thing that there isn't much overlap between people who understand penetration strategies and people who can write their own software.