Windows EventLog Autologger Session Registry Modification Via CommandLine

Detects attempts to disable Windows EventLog autologger sessions via registry modification. The AutoLogger event tracing session records events that occur early in the operating system boot process. Applications and device drivers can use the AutoLogger session to capture traces before the user logs in. Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.

Sigma rule

title: Windows EventLog Autologger Session Registry Modification Via CommandLine
id: d7b81144-b866-48a4-9bcc-275dc69d870e
related:
    - id: f37b4bce-49d0-4087-9f5b-58bffda77316
      type: similar
status: experimental
description: |
    Detects attempts to disable Windows EventLog autologger sessions via registry modification.
    The AutoLogger event tracing session records events that occur early in the operating system boot process.
    Applications and device drivers can use the AutoLogger session to capture traces before the user logs in.
    Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.
references:
    - https://learn.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
    - https://ptylu.github.io/content/report/report.html?report=25
    - https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-25
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\reg.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'reg.exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli_action:
        CommandLine|contains:
            - 'add '
            - 'Set-ItemProperty'
            - 'New-ItemProperty'
            - 'si ' # Set-ItemProperty alias
    selection_cli_base:
        CommandLine|contains: '\Control\WMI\Autologger\'
    selection_cli_key:
        CommandLine|contains:
            - 'Start' # Key used to disable specific autologger session like EventLog-Application, EventLog-System etc.
            - 'Enabled' # Key used to disable specific provider of autologger session
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_autologger_session_registry_modification/info.yml
simulation:
    - type: atomic-red-team
      name: Disable EventLog-Application Auto Logger Session Via Registry - Cmd
      technique: T1562.001
      atomic_guid: 653c6e17-14a2-4849-851d-f1c0cc8ea9ab
    - type: atomic-red-team
      name: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
      technique: T1562.001
      atomic_guid: da86f239-9bd3-4e85-92ed-4a94ef111a1c
    - type: atomic-red-team
      name: Disable EventLog-Application ETW Provider Via Registry - Cmd
      technique: T1562.001
      atomic_guid: 1cac9b54-810e-495c-8aac-989e0076583b
    - type: atomic-red-team
      name: Disable EventLog-Application ETW Provider Via Registry - PowerShell
      technique: T1562.001
      atomic_guid: 8f907648-1ebf-4276-b0f0-e2678ca474f0
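To make the rule's `all of selection_*` logic concrete, here is an added evaluator (not part of the Sigma rule, the Sigma project or the original page) that applies the four selections to a handful of constructed process-creation events, including the two negative cases a detection engineer would want to confirm stay quiet. The field names come from the rule; the sample paths, the `{GUID}` placeholder and the `expect` key are assumptions of this example.

```python
# Added example, not part of the rule or the page: a minimal evaluator for the
# rule's 'all of selection_*' logic over constructed process-creation events.
# Sigma string matching is case-insensitive unless |cased is used, so every
# comparison works on lower-cased values.

IMAGES = ('\\reg.exe', '\\powershell.exe', '\\pwsh.exe')
ORIGINAL_NAMES = ('reg.exe', 'powershell.exe', 'pwsh.dll')
ACTIONS = ('add ', 'set-itemproperty', 'new-itemproperty', 'si ')
BASE = '\\control\\wmi\\autologger\\'
KEYS = ('start', 'enabled')


def _field(event, name):
    return str(event.get(name, '')).lower()   # a missing field never matches


def matches(event):
    """True when the event satisfies every selection_* block of the rule."""
    image, orig, cli = (_field(event, f) for f in ('Image', 'OriginalFileName', 'CommandLine'))
    sel_img = image.endswith(IMAGES) or orig in ORIGINAL_NAMES   # OR between list items
    sel_action = any(a in cli for a in ACTIONS)
    sel_base = BASE in cli
    sel_key = any(k in cli for k in KEYS)
    return sel_img and sel_action and sel_base and sel_key


AUTOLOGGER = 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\'

# Constructed sample events (not real telemetry); 'expect' is the desired verdict.
SAMPLE_EVENTS = [
    # reg.exe setting Start=0 on the EventLog-Application session
    dict(Image='C:\\Windows\\System32\\reg.exe', OriginalFileName='reg.exe',
         CommandLine=f'reg add {AUTOLOGGER}EventLog-Application /v Start /t REG_DWORD /d 0 /f', expect=True),
    # Renamed copy of reg.exe: Image no longer matches, OriginalFileName still does
    dict(Image='C:\\Users\\Public\\r.exe', OriginalFileName='reg.exe',
         CommandLine=f'r add {AUTOLOGGER}EventLog-System /v Start /d 0 /f', expect=True),
    # PowerShell 'si' alias setting Enabled=0 on one provider ({GUID} is a placeholder)
    dict(Image='C:\\Program Files\\PowerShell\\7\\pwsh.exe', OriginalFileName='pwsh.dll',
         CommandLine=f'pwsh -c "si -Path HKLM:\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Application\\{{GUID}} -Name Enabled -Value 0"', expect=True),
    # Read-only query of the same key: no write verb, must not fire
    dict(Image='C:\\Windows\\System32\\reg.exe', OriginalFileName='reg.exe',
         CommandLine=f'reg query {AUTOLOGGER}EventLog-Application /v Start', expect=False),
    # Same verb and value name under an unrelated key: no Autologger path, must not fire
    dict(Image='C:\\Windows\\System32\\reg.exe', OriginalFileName='reg.exe',
         CommandLine='reg add HKLM\\SOFTWARE\\Example\\Svc /v Start /t REG_DWORD /d 0 /f', expect=False),
]


def evaluate(events=SAMPLE_EVENTS):
    """Return (verdict, expected) pairs so the rule can be checked against the samples."""
    return [(matches(e), e['expect']) for e in events]
```

Calling `evaluate()` yields `[(True, True), (True, True), (True, True), (False, False), (False, False)]`; the second case is why the rule keys on `OriginalFileName` as well as `Image`.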
