
Potential AutoLogger Sessions Tampering

Detects tampering with AutoLogger trace sessions (disabling or stopping the EventLog and Defender ETW sessions via the registry), a technique used by attackers to disable logging.

Detection Query

selection_main:
  TargetObject|contains: \System\CurrentControlSet\Control\WMI\Autologger\
selection_values:
  TargetObject|contains:
    - \EventLog-
    - \Defender
  TargetObject|endswith:
    - \Enable
    - \Start
  Details: DWORD (0x00000000)
filter_main_wevtutil:
  Image: C:\Windows\system32\wevtutil.exe
filter_main_defender:
  Image|startswith:
    - C:\ProgramData\Microsoft\Windows Defender\Platform\
    - C:\Program Files\Windows Defender\
    - C:\Program Files (x86)\Windows Defender\
  Image|endswith: \MsMpEng.exe
  TargetObject|contains:
    - \DefenderApiLogger\
    - \DefenderAuditLogger\
condition: all of selection_* and not 1 of filter_main_*
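The following is an added example, not part of the Sigma project or of this rule, that reimplements the selection and filter logic above in Python and runs it over a handful of constructed registry_set events (Sysmon Event ID 13 style records with Image, TargetObject and Details). It follows Sigma's default case-insensitive string matching, and the version folder under the Defender Platform directory is a made-up placeholder. It is useful for checking one's reading of the condition, in particular that filter_main_defender only excludes the Defender engine when it touches its own DefenderApiLogger/DefenderAuditLogger sessions, not when it touches an EventLog session.

```python
"""Re-implementation of the 'Potential AutoLogger Sessions Tampering' Sigma rule
logic (added example, not the project's own code). Events below are constructed."""

# Strings taken from the rule; backslashes are doubled for Python string literals.
AUTOLOGGER_PATH = "\\System\\CurrentControlSet\\Control\\WMI\\Autologger\\"
WATCHED_SESSIONS = ("\\EventLog-", "\\Defender")
WATCHED_VALUES = ("\\Enable", "\\Start")
DISABLED = "DWORD (0x00000000)"
WEVTUTIL = "C:\\Windows\\system32\\wevtutil.exe"
DEFENDER_DIRS = (
    "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\",
    "C:\\Program Files\\Windows Defender\\",
    "C:\\Program Files (x86)\\Windows Defender\\",
)
DEFENDER_OWN_SESSIONS = ("\\DefenderApiLogger\\", "\\DefenderAuditLogger\\")


def matches(event):
    """Return True when the event satisfies
    'all of selection_* and not 1 of filter_main_*'."""
    # Sigma string modifiers are case-insensitive by default, so compare lowercased.
    target = event["TargetObject"].lower()
    image = event["Image"].lower()
    details = event["Details"].lower()

    selection_main = AUTOLOGGER_PATH.lower() in target
    selection_values = (
        any(s.lower() in target for s in WATCHED_SESSIONS)
        and any(target.endswith(v.lower()) for v in WATCHED_VALUES)
        and details == DISABLED.lower()
    )
    filter_wevtutil = image == WEVTUTIL.lower()
    filter_defender = (
        any(image.startswith(d.lower()) for d in DEFENDER_DIRS)
        and image.endswith("\\msmpeng.exe")
        and any(s.lower() in target for s in DEFENDER_OWN_SESSIONS)
    )
    return selection_main and selection_values and not (filter_wevtutil or filter_defender)


def alerts(events):
    """Return the subset of events the rule would fire on."""
    return [e for e in events if matches(e)]


# Constructed sample events (hypothetical; the Platform version folder is a placeholder).
KEY = "HKLM" + AUTOLOGGER_PATH
MSMPENG = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\0.0.0.0-0\\MsMpEng.exe"
SAMPLE_EVENTS = [
    {  # reg.exe stopping the Security event log trace session: alert
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": KEY + "EventLog-Security\\Start",
        "Details": "DWORD (0x00000000)",
    },
    {  # wevtutil doing the same: excluded by filter_main_wevtutil
        "Image": "C:\\Windows\\system32\\wevtutil.exe",
        "TargetObject": KEY + "EventLog-Security\\Enable",
        "Details": "DWORD (0x00000000)",
    },
    {  # Defender engine managing its own logger: excluded by filter_main_defender
        "Image": MSMPENG,
        "TargetObject": KEY + "DefenderApiLogger\\Start",
        "Details": "DWORD (0x00000000)",
    },
    {  # Defender engine touching an EventLog session: filter does not apply, alert
        "Image": MSMPENG,
        "TargetObject": KEY + "EventLog-System\\Enable",
        "Details": "DWORD (0x00000000)",
    },
    {  # value set to 1 (session enabled): no alert
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": KEY + "EventLog-Application\\Enable",
        "Details": "DWORD (0x00000001)",
    },
    {  # session outside the watched EventLog-/Defender set: no alert
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "TargetObject": KEY + "Circular Kernel Context Logger\\Start",
        "Details": "DWORD (0x00000000)",
    },
]

if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS):
        print("ALERT", e["Image"], "->", e["TargetObject"])
```

Running the block prints two alerts: the reg.exe write and the MsMpEng.exe write to the EventLog-System session. The Defender exclusion is deliberately narrow; widening it to every AutoLogger key would let anything executing from those directories silence the EventLog sessions unnoticed.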

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2022-08-01

Data Sources

windows: Registry Set Events

Platforms

windows

Tags

attack.defense-evasion

Raw Content

title: Potential AutoLogger Sessions Tampering
id: f37b4bce-49d0-4087-9f5b-58bffda77316
status: test
description: Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging
references:
    - https://twitter.com/MichalKoczwara/status/1553634816016498688
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
    - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2025-10-07
tags:
    - attack.defense-evasion
logsource:
    category: registry_set
    product: windows
detection:
    selection_main:
        TargetObject|contains: '\System\CurrentControlSet\Control\WMI\Autologger\'
    selection_values:
        TargetObject|contains: # We only care about some autologger to avoid FP. Add more if you need
            - '\EventLog-'
            - '\Defender'
        TargetObject|endswith:
            - '\Enable'
            - '\Start'
        Details: DWORD (0x00000000)
    filter_main_wevtutil:
        Image: 'C:\Windows\system32\wevtutil.exe'
    filter_main_defender:
        Image|startswith:
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\Program Files (x86)\Windows Defender\'
        Image|endswith: '\MsMpEng.exe'
        TargetObject|contains:
            - '\DefenderApiLogger\'
            - '\DefenderAuditLogger\'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high