Disabling Windows Defender WMI Autologger Session via Reg.exe
Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events. By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
Sigma rule
title: Disabling Windows Defender WMI Autologger Session via Reg.exe
id: a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6
related:
    - id: f37b4bce-49d0-4087-9f5b-58bffda77316
      type: similar
status: experimental
description: |
    Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events.
    By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events
    from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
references:
    - https://research.splunk.com/endpoint/76406a0f-f5e0-4167-8e1f-337fdc0f1b0c/
    - https://docs.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
    - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
    - https://www.binarly.io/blog/design-issues-of-modern-edrs-bypassing-etw-based-solutions
author: Matt Anderson (Huntress)
date: 2025-07-09
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_path:
        CommandLine|contains:
            - '\Control\WMI\Autologger\DefenderApiLogger\Start'
            - '\Control\WMI\Autologger\DefenderAuditLogger\Start'
    selection_reg_add:
        CommandLine|contains|all:
            - 'add'
            - '0'
    filter_main_enable:
        CommandLine|contains: '0x00000001'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Highly unlikely
level: high
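To show exactly which process_creation events the detection block above fires on, here is an added example (it is not part of the rule or of the SigmaHQ project): a hand-written Python evaluator that reproduces the rule's selection and filter logic and runs it over constructed events. The Sigma semantics it mirrors are the ones this rule relies on: string modifiers are case-insensitive, a list of maps under a selection is OR, `contains|all` is AND, and the condition is `all of selection_* and not 1 of filter_main_*`. The helper names, the event ids E1 to E6 and the command lines are assumptions made for this example; the events are constructed, not real telemetry.

```python
# Added example, not code from the Sigma rule page or the SigmaHQ project.
# Hand-written evaluator for the rule's detection block, run over constructed
# process_creation events. Field names follow the Sigma process_creation
# taxonomy; the sample events (E1..E6) are constructed for this example.

AUTOLOGGER_PATHS = (
    r"\Control\WMI\Autologger\DefenderApiLogger\Start",
    r"\Control\WMI\Autologger\DefenderAuditLogger\Start",
)


def _ci(event, field):
    """Return an event field as a lower-cased string ('' if absent)."""
    return str(event.get(field, "")).lower()


def selection_img(event):
    # A YAML list of maps is OR: either the image path or the PE original
    # file name identifies reg.exe, so a renamed copy is still caught.
    return (_ci(event, "Image").endswith(r"\reg.exe")
            or _ci(event, "OriginalFileName") == "reg.exe")


def selection_reg_path(event):
    # CommandLine|contains with a list of values is OR over the values.
    cl = _ci(event, "CommandLine")
    return any(p.lower() in cl for p in AUTOLOGGER_PATHS)


def selection_reg_add(event):
    # CommandLine|contains|all: every value must appear as a substring.
    cl = _ci(event, "CommandLine")
    return all(tok in cl for tok in ("add", "0"))


def filter_main_enable(event):
    # Excludes the command that re-enables the session (Start = 0x00000001).
    return "0x00000001" in _ci(event, "CommandLine")


def rule_matches(event):
    """Evaluate: all of selection_* and not 1 of filter_main_*."""
    return (selection_img(event)
            and selection_reg_path(event)
            and selection_reg_add(event)
            and not filter_main_enable(event))


# Constructed sample events (assumed values, not real telemetry).
REG = r"C:\Windows\System32\reg.exe"
KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger"
SAMPLE_EVENTS = [
    # E1: API logger session disabled with a plain 0 -> alert
    {"id": "E1", "Image": REG, "OriginalFileName": "reg.exe",
     "CommandLine": rf"reg add {KEY}\DefenderApiLogger\Start /t REG_DWORD /d 0 /f"},
    # E2: Audit logger session disabled with a hex 0 -> alert
    {"id": "E2", "Image": REG, "OriginalFileName": "reg.exe",
     "CommandLine": rf"reg add {KEY}\DefenderAuditLogger\Start /t REG_DWORD /d 0x00000000 /f"},
    # E3: session re-enabled (Start = 1) -> suppressed by filter_main_enable
    {"id": "E3", "Image": REG, "OriginalFileName": "reg.exe",
     "CommandLine": rf"reg add {KEY}\DefenderApiLogger\Start /t REG_DWORD /d 0x00000001 /f"},
    # E4: renamed reg.exe, identified only by OriginalFileName -> alert
    {"id": "E4", "Image": r"C:\Users\Public\r.exe", "OriginalFileName": "reg.exe",
     "CommandLine": rf"r.exe add {KEY}\DefenderApiLogger\Start /t REG_DWORD /d 0 /f"},
    # E5: read-only query of the key, no 'add' -> no alert
    {"id": "E5", "Image": REG, "OriginalFileName": "reg.exe",
     "CommandLine": rf"reg query {KEY}\DefenderApiLogger\Start"},
    # E6: key and value name passed separately (/v Start): the command line
    #     never contains the rule's '...\DefenderApiLogger\Start' string -> no alert
    {"id": "E6", "Image": REG, "OriginalFileName": "reg.exe",
     "CommandLine": rf'reg add "{KEY}\DefenderApiLogger" /v Start /t REG_DWORD /d 0 /f'},
]


def run(events=SAMPLE_EVENTS):
    """Return the ids of the events the rule fires on, in input order."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], "ALERT" if rule_matches(e) else "-    ", e["CommandLine"])
```

Two things the run makes visible that the YAML alone does not. First, `'0'` under `contains|all` is a plain substring test, so it is the `filter_main_enable` exclusion on `0x00000001` that keeps the re-enable command (E3) quiet; any other value that happens to contain a zero still satisfies the selection. Second, `selection_reg_path` requires the literal `...\DefenderApiLogger\Start` (or `DefenderAuditLogger\Start`) in the command line, so an invocation that passes the key and `/v Start` as separate arguments (E6) is outside this rule's coverage and needs a separate detection if that form matters in your environment.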