Potential AutoLogger Sessions Tampering
Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging
Sigma rule

```yaml
title: Potential AutoLogger Sessions Tampering
id: f37b4bce-49d0-4087-9f5b-58bffda77316
status: test
description: Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging
references:
    - https://twitter.com/MichalKoczwara/status/1553634816016498688
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
    - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-08-17
tags:
    - attack.defense-evasion
logsource:
    category: registry_set
    product: windows
detection:
    selection_main:
        TargetObject|contains: '\System\CurrentControlSet\Control\WMI\Autologger\'
    selection_values:
        TargetObject|contains: # We only care about some autologgers to avoid FPs. Add more if you need to.
            - '\EventLog-'
            - '\Defender'
        TargetObject|endswith:
            - '\Enable'
            - '\Start'
        Details: DWORD (0x00000000)
    filter_wevtutil:
        Image: 'C:\Windows\system32\wevtutil.exe'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: high
```
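To show how the condition `all of selection_* and not 1 of filter_*` behaves, here is an added Python example (not part of the SigmaHQ rule or the Sigma toolchain) that re-implements the rule's selection and filter blocks as functions and runs them over constructed registry_set events shaped like Sysmon Event ID 13 records. The field names (`Image`, `TargetObject`, `Details`), the sample process paths and the autologger session names are assumptions made for the example.

```python
AUTOLOGGER_PATH = "\\System\\CurrentControlSet\\Control\\WMI\\Autologger\\"
WATCHED_SESSIONS = (r"\EventLog-", r"\Defender")
WATCHED_VALUES = (r"\Enable", r"\Start")
DISABLED = "DWORD (0x00000000)"
WEVTUTIL = r"C:\Windows\system32\wevtutil.exe"

def selection_main(event):
    # Sigma 'contains' / 'endswith' modifiers compare case-insensitively.
    return AUTOLOGGER_PATH.lower() in event.get("TargetObject", "").lower()

def selection_values(event):
    target = event.get("TargetObject", "").lower()
    return (any(s.lower() in target for s in WATCHED_SESSIONS)
            and any(target.endswith(v.lower()) for v in WATCHED_VALUES)
            and event.get("Details", "").lower() == DISABLED.lower())

def filter_wevtutil(event):
    # Plain value in Sigma: exact, case-insensitive match on the writing process.
    return event.get("Image", "").lower() == WEVTUTIL.lower()

def matches(event):
    # condition: all of selection_* and not 1 of filter_*
    return selection_main(event) and selection_values(event) and not filter_wevtutil(event)

def alerts(events):
    return [e["TargetObject"] for e in events if matches(e)]

# Constructed events shaped like Sysmon Event ID 13 (registry value set); field names are assumed.
def ev(image, session_and_value, details="DWORD (0x00000000)"):
    base = r"HKLM\System\CurrentControlSet\Control\WMI\Autologger"
    return {"Image": image, "TargetObject": base + session_and_value, "Details": details}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ev(PS, r"\DefenderApiLogger\Start"),                      # alert: Defender session turned off
    ev(WEVTUTIL, r"\EventLog-Security\Enable"),               # suppressed by filter_wevtutil
    ev(PS, r"\EventLog-System\Start", "DWORD (0x00000001)"),  # set to 1: not a disable
    ev(PS, r"\Circular Kernel Context Logger\Start"),         # session not in selection_values
    ev(PS, r"\EventLog-Application\MaxFileSize"),             # value name is not Enable/Start
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Only the first constructed event fires; the second shows why the `wevtutil.exe` exclusion matters, since the same key write by that tool would otherwise match.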