Potential AutoLogger Sessions Tampering

Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging

Sigma rule (View on GitHub)

 1title: Potential AutoLogger Sessions Tampering
 2id: f37b4bce-49d0-4087-9f5b-58bffda77316
 3status: test
 4description: Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging
 5references:
 6    - https://twitter.com/MichalKoczwara/status/1553634816016498688
 7    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
 8    - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022/08/01
11modified: 2023/08/17
12tags:
13    - attack.defense_evasion
14logsource:
15    category: registry_set
16    product: windows
17detection:
18    selection_main:
19        TargetObject|contains: '\System\CurrentControlSet\Control\WMI\Autologger\'
20    selection_values:
21        TargetObject|contains: # We only care about some autologger to avoid FP. Add more if you need
22            - '\EventLog-'
23            - '\Defender'
24        TargetObject|endswith:
25            - '\Enable'
26            - '\Start'
27        Details: DWORD (0x00000000)
28    filter_wevtutil:
29        Image: 'C:\Windows\system32\wevtutil.exe'
30    condition: all of selection_* and not 1 of filter_*
31falsepositives:
32    - Unknown
33level: high

References

Related rules

to-top