Potential AutoLogger Sessions Tampering
Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging. The AutoLogger event tracing session records events up that occur early in the operating system boot process. Applications and device drivers can use the AutoLogger session to capture traces before the user logs in, and also used by security solutions as telemetry source. Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.
Sigma rule (View on GitHub)
1title: Potential AutoLogger Sessions Tampering
2id: f37b4bce-49d0-4087-9f5b-58bffda77316
3related:
4 - id: d7b81144-b866-48a4-9bcc-275dc69d870e
5 type: similar
6status: test
7description: |
8 Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging.
9 The AutoLogger event tracing session records events up that occur early in the operating system boot process.
10 Applications and device drivers can use the AutoLogger session to capture traces before the user logs in, and also used by security solutions as telemetry source.
11 Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.
12references:
13 - https://twitter.com/MichalKoczwara/status/1553634816016498688
14 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
15 - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
16 - https://learn.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
17 - https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
18author: Nasreddine Bencherchali (Nextron Systems)
19date: 2022-08-01
20modified: 2025-12-26
21tags:
22 - attack.defense-impairment
23 - attack.t1685.001
24logsource:
25 category: registry_set
26 product: windows
27detection:
28 selection_main:
29 TargetObject|contains: '\Control\WMI\Autologger\'
30 selection_values:
31 TargetObject|contains: # We only care about some autologger to avoid FP. Add more if you need
32 - '\EventLog-'
33 - '\Defender'
34 TargetObject|endswith:
35 - '\Enabled'
36 - '\Start'
37 Details: DWORD (0x00000000)
38 filter_main_wevtutil:
39 Image: 'C:\Windows\system32\wevtutil.exe'
40 filter_main_defender:
41 Image|startswith:
42 - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
43 - 'C:\Program Files\Windows Defender\'
44 - 'C:\Program Files (x86)\Windows Defender\'
45 Image|endswith: '\MsMpEng.exe'
46 TargetObject|contains:
47 - '\DefenderApiLogger\'
48 - '\DefenderAuditLogger\'
49 condition: all of selection_* and not 1 of filter_main_*
50falsepositives:
51 - Unknown
52level: high
53regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions/info.yml
54simulation:
55 - type: atomic-red-team
56 name: Disable EventLog-Application Auto Logger Session Via Registry - Cmd
57 technique: T1562.001
58 atomic_guid: 653c6e17-14a2-4849-851d-f1c0cc8ea9ab
59 - type: atomic-red-team
60 name: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
61 technique: T1562.001
62 atomic_guid: da86f239-9bd3-4e85-92ed-4a94ef111a1c
63 - type: atomic-red-team
64 name: Disable EventLog-Application ETW Provider Via Registry - Cmd
65 technique: T1562.001
66 atomic_guid: 1cac9b54-810e-495c-8aac-989e0076583b
67 - type: atomic-red-team
68 name: Disable EventLog-Application ETW Provider Via Registry - PowerShell
69 technique: T1562.001
70 atomic_guid: 8f907648-1ebf-4276-b0f0-e2678ca474f0
References
Related rules
- Audit Policy Tampering Via Auditpol
- Audit Policy Tampering Via NT Resource Kit Auditpol
- Change Winevt Channel Access Permission Via Registry
- Disable Security Events Logging Adding Reg Key MiniNt
- Disable Windows Event Logging Via Registry