← Back to Explore
splunk_escuAnomaly
Windows Impair Defenses Disable Auto Logger Session
The following analytic detects the disabling of an AutoLogger session or one of its providers, by identifying changes to the Registry values "Start" and "Enabled" part of the "\WMI\Autologger\" key path. It leverages data from the Endpoint.Registry datamodel to monitor specific registry paths and values. This activity is significant as attackers and adversaries can leverage this in order to evade defense and blind EDRs and log ingest tooling. If confirmed malicious, this action could allow an attacker to conceal their activities, making it harder to detect further malicious actions and maintain persistence on the compromised endpoint.
MITRE ATT&CK
Detection Query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\WMI\\Autologger\\*" (Registry.registry_value_name="Start" OR Registry.registry_value_name="Enabled") Registry.registry_value_data ="0x00000000" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_auto_logger_session_filter`Author
Nasreddine Bencherchali, Splunk
Created
2026-04-15
Data Sources
Sysmon EventID 13
References
- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
- https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/
- https://isc.sans.edu/diary/rss/28628
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://learn.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
Tags
Windows Defense Evasion TacticsWindows Registry Abuse
Raw Content
name: Windows Impair Defenses Disable Auto Logger Session
id: dc6a5613-d024-47e7-9997-ab6477a483d3
version: 7
date: '2026-04-15'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
description: The following analytic detects the disabling of an AutoLogger session or one of its providers, by identifying changes to the Registry values "Start" and "Enabled" part of the "\WMI\Autologger\" key path. It leverages data from the Endpoint.Registry datamodel to monitor specific registry paths and values. This activity is significant as attackers and adversaries can leverage this in order to evade defense and blind EDRs and log ingest tooling. If confirmed malicious, this action could allow an attacker to conceal their activities, making it harder to detect further malicious actions and maintain persistence on the compromised endpoint.
data_source:
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\WMI\\Autologger\\*" (Registry.registry_value_name="Start" OR Registry.registry_value_name="Enabled") Registry.registry_value_data ="0x00000000" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_auto_logger_session_filter`'
how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
references:
- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
- https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/
- https://isc.sans.edu/diary/rss/28628
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://learn.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
drilldown_searches:
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
rba:
message: Windows Auto Logger Session or Provider registry value set to 'disabled' on $dest$
risk_objects:
- field: dest
type: system
score: 20
threat_objects: []
tags:
analytic_story:
- Windows Defense Evasion Tactics
- Windows Registry Abuse
asset_type: Endpoint
mitre_attack_id:
- T1562.001
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_defender_logging/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: XmlWinEventLog