Disabling Windows Defender WMI Autologger Session via Reg.exe
Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events. By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
Sigma rule (View on GitHub)
```yaml
title: Disabling Windows Defender WMI Autologger Session via Reg.exe
id: a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6
related:
    - id: f37b4bce-49d0-4087-9f5b-58bffda77316
      type: similar
status: experimental
description: |
    Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events.
    By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events
    from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
references:
    - https://research.splunk.com/endpoint/76406a0f-f5e0-4167-8e1f-337fdc0f1b0c/
    - https://docs.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
    - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
    - https://www.binarly.io/blog/design-issues-of-modern-edrs-bypassing-etw-based-solutions
author: Matt Anderson (Huntress)
date: 2025-07-09
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_path:
        CommandLine|contains:
            - '\Control\WMI\Autologger\DefenderApiLogger\Start'
            - '\Control\WMI\Autologger\DefenderAuditLogger\Start'
    selection_reg_add:
        CommandLine|contains|all:
            - 'add'
            - '0'
    filter_main_enable:
        CommandLine|contains: '0x00000001'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Highly unlikely
level: high
```
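As an added example (not part of the rule or the SigmaHQ project), the Python below re-implements the rule's selection and filter logic and runs it over a handful of constructed process_creation events, so a detection engineer can see exactly which command lines the strings above do and do not cover. Sigma string modifiers compare case-insensitively, so both sides are lowercased. The field names (Image, OriginalFileName, CommandLine) follow the Sigma process_creation schema; the sample command lines and paths are constructed for illustration, and the `/v Start` event is included to show that the rule's path strings require the `\Start` suffix to appear inside the command line, which is worth knowing when tuning or extending the rule.

```python
# Added example: minimal Python evaluation of the Sigma rule's detection
# logic over constructed process_creation events. Not part of the rule or
# the SigmaHQ project. Field names follow the Sigma process_creation schema.

AUTOLOGGER_START_PATHS = (
    r"\Control\WMI\Autologger\DefenderApiLogger\Start",
    r"\Control\WMI\Autologger\DefenderAuditLogger\Start",
)


def _field(event, name):
    # Sigma string matching is case-insensitive, so normalise to lowercase.
    return str(event.get(name, "")).lower()


def selection_img(event):
    # Image|endswith '\reg.exe' OR OriginalFileName 'reg.exe' (a YAML list is OR)
    return (_field(event, "Image").endswith(r"\reg.exe")
            or _field(event, "OriginalFileName") == "reg.exe")


def selection_reg_path(event):
    # CommandLine|contains either Autologger ...\Start path (list is OR)
    cmd = _field(event, "CommandLine")
    return any(p.lower() in cmd for p in AUTOLOGGER_START_PATHS)


def selection_reg_add(event):
    # CommandLine|contains|all: both 'add' and '0' must be present
    cmd = _field(event, "CommandLine")
    return "add" in cmd and "0" in cmd


def filter_main_enable(event):
    # Exclusion: writing 0x00000001 re-enables the session, so do not alert
    return "0x00000001" in _field(event, "CommandLine")


def matches(event):
    # condition: all of selection_* and not 1 of filter_main_*
    return (selection_img(event)
            and selection_reg_path(event)
            and selection_reg_add(event)
            and not filter_main_enable(event))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # 1: reg.exe sets ...\DefenderApiLogger\Start to 0 -> alert
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger\Start /t REG_DWORD /d 0 /f",
    },
    {   # 2: same key written with 0x00000001 -> suppressed by filter_main_enable
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger\Start /t REG_DWORD /d 0x00000001 /f",
    },
    {   # 3: copied/renamed binary, OriginalFileName still reg.exe -> alert
        "Image": r"C:\Users\Public\r.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"r.exe add HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger\Start /t REG_DWORD /d 0 /f",
    },
    {   # 4: value name given via /v, so the '...\Start' substring is absent -> no alert
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 0 /f",
    },
    {   # 5: unrelated reg.exe use -> no alert
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    },
]


def evaluate(events=SAMPLE_EVENTS):
    """Return one boolean per event: True where the rule would fire."""
    return [matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate()):
        print("ALERT " if hit else "      ", event["CommandLine"])
```

Events 1 and 3 fire, event 2 is excluded by the filter, and events 4 and 5 never satisfy `selection_reg_path`; if the `/v Start` form should also be covered in your environment, that is a change to the rule's strings rather than to this evaluator.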
Related rules
- PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
- Windows Defender Context Menu Removed
- Windows Defender Threat Severity Default Action Modified
- Antivirus Filter Driver Disallowed On Dev Drive - Registry
- Disable ASLR Via Personality Syscall - Linux