← Back to Explore
sigmahighHunting
Disabling Windows Defender WMI Autologger Session via Reg.exe
Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events. By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
Detection Query
selection_img:
- Image|endswith: \reg.exe
- OriginalFileName: reg.exe
selection_reg_path:
CommandLine|contains:
- \Control\WMI\Autologger\DefenderApiLogger\Start
- \Control\WMI\Autologger\DefenderAuditLogger\Start
selection_reg_add:
CommandLine|contains|all:
- add
- "0"
filter_main_enable:
CommandLine|contains: "0x00000001"
condition: all of selection_* and not 1 of filter_main_*
Author
Matt Anderson (Huntress)
Created
2025-07-09
Data Sources
windowsProcess Creation Events
Platforms
windows
References
- https://research.splunk.com/endpoint/76406a0f-f5e0-4167-8e1f-337fdc0f1b0c/
- https://docs.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
- https://www.binarly.io/blog/design-issues-of-modern-edrs-bypassing-etw-based-solutions
Tags
attack.defense-evasionattack.t1562.001
Raw Content
title: Disabling Windows Defender WMI Autologger Session via Reg.exe
id: a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6
related:
- id: f37b4bce-49d0-4087-9f5b-58bffda77316
type: similar
status: experimental
description: |
Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events.
By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events
from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
references:
- https://research.splunk.com/endpoint/76406a0f-f5e0-4167-8e1f-337fdc0f1b0c/
- https://docs.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
- https://www.binarly.io/blog/design-issues-of-modern-edrs-bypassing-etw-based-solutions
author: Matt Anderson (Huntress)
date: 2025-07-09
tags:
- attack.defense-evasion
- attack.t1562.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_reg_path:
CommandLine|contains:
- '\Control\WMI\Autologger\DefenderApiLogger\Start'
- '\Control\WMI\Autologger\DefenderAuditLogger\Start'
selection_reg_add:
CommandLine|contains|all:
- 'add'
- '0'
filter_main_enable:
CommandLine|contains: '0x00000001'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Highly unlikely
level: high