Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,731
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 3.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
Windows EventLog Autologger Session Registry Modification Via CommandLine
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
Windows EventLog Autologger Session Registry Modification Via CommandLine
Using Splunk · Default · sigma-cli 3.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion3.0.2
title: Windows EventLog Autologger Session Registry Modification Via CommandLine
id: d7b81144-b866-48a4-9bcc-275dc69d870e
related:
- id: f37b4bce-49d0-4087-9f5b-58bffda77316
type: similar
status: experimental
description: |
Detects attempts to disable Windows EventLog autologger sessions via registry modification.
The AutoLogger event tracing session records events that occur early in the operating system boot process.
Applications and device drivers can use the AutoLogger session to capture traces before the user logs in.
Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.
references:
- https://learn.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
- https://ptylu.github.io/content/report/report.html?report=25
- https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-25
tags:
- attack.defense-evasion
- attack.t1562.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\reg.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'reg.exe'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli_action:
CommandLine|contains:
- 'add '
- 'Set-ItemProperty'
- 'New-ItemProperty'
- 'si ' # Set-ItemProperty alias
selection_cli_base:
CommandLine|contains: '\Control\WMI\Autologger\'
selection_cli_key:
CommandLine|contains:
- 'Start' # Key used to disable specific autologger session like EventLog-Application, EventLog-System etc.
- 'Enabled' # Key used to disable specific provider of autologger session
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_autologger_session_registry_modification/info.yml
simulation:
- type: atomic-red-team
name: Disable EventLog-Application Auto Logger Session Via Registry - Cmd
technique: T1562.001
atomic_guid: 653c6e17-14a2-4849-851d-f1c0cc8ea9ab
- type: atomic-red-team
name: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
technique: T1562.001
atomic_guid: da86f239-9bd3-4e85-92ed-4a94ef111a1c
- type: atomic-red-team
name: Disable EventLog-Application ETW Provider Via Registry - Cmd
technique: T1562.001
atomic_guid: 1cac9b54-810e-495c-8aac-989e0076583b
- type: atomic-red-team
name: Disable EventLog-Application ETW Provider Via Registry - PowerShell
technique: T1562.001
atomic_guid: 8f907648-1ebf-4276-b0f0-e2678ca474f0
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules/windows/process_creation/proc_creation_win_autologger_session_registry_modification.yml