Detection rule (level: high, status: experimental)

Windows EventLog Autologger Session Registry Modification Via CommandLine

Detects attempts to disable Windows EventLog autologger sessions via registry modification. The AutoLogger event tracing session records events that occur early in the operating system boot process. Applications and device drivers can use the AutoLogger session to capture traces before the user logs in. Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.

Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Created: Thu Dec 25
Rule ID: d7b81144-b866-48a4-9bcc-275dc69d870e
Product: windows
Log Source

Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (4 selectors)

detection:
    selection_img:
        - Image|endswith:
              - '\reg.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'reg.exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli_action:
        CommandLine|contains:
            - 'add '
            - 'Set-ItemProperty'
            - 'New-ItemProperty'
            - 'si ' # Alias of Set-Item (the Set-ItemProperty alias is 'sp')
    selection_cli_base:
        CommandLine|contains: '\Control\WMI\Autologger\'
    selection_cli_key:
        CommandLine|contains:
            - 'Start' # Key used to disable specific autologger session like EventLog-Application, EventLog-System etc.
            - 'Enabled' # Key used to disable specific provider of autologger session
    condition: all of selection_*
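To show which command lines the four selectors above fire on and which they ignore, here is an added Python evaluator (not from the rule page and not Nextron's own tooling) that applies the rule's `all of selection_*` condition, with Sigma's default case-insensitive string matching, to a handful of constructed Sysmon-style process-creation events. The field names, file paths, and the `{provider-guid-placeholder}` value are assumptions made for the example.

```python
# Added example: evaluates the Sigma rule's four selection_* blocks against
# constructed process-creation events. Not part of the original rule page.
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 record that the rule inspects (assumed field names)."""
    image: str
    original_file_name: str
    command_line: str


# Values copied from the rule above.
IMAGES = ["\\reg.exe", "\\powershell.exe", "\\pwsh.exe"]
ORIGINAL_NAMES = ["reg.exe", "PowerShell.EXE", "pwsh.dll"]
CLI_ACTIONS = ["add ", "Set-ItemProperty", "New-ItemProperty", "si "]
CLI_BASE = ["\\Control\\WMI\\Autologger\\"]
CLI_KEYS = ["Start", "Enabled"]


# Sigma string matching is case-insensitive unless the |cased modifier is used,
# so every comparison lower-cases both sides.
def _contains_any(haystack: str, needles: Iterable[str]) -> bool:
    h = haystack.lower()
    return any(n.lower() in h for n in needles)


def _endswith_any(haystack: str, needles: Iterable[str]) -> bool:
    h = haystack.lower()
    return any(h.endswith(n.lower()) for n in needles)


def matches(ev: ProcessEvent) -> bool:
    """True when all four selection_* blocks of the rule are satisfied."""
    # selection_img is a list of two maps, which Sigma joins with OR: either the
    # image path or the PE OriginalFileName identifies reg.exe / PowerShell, so a
    # renamed binary is still caught through its version-resource name.
    sel_img = _endswith_any(ev.image, IMAGES) or ev.original_file_name.lower() in [
        n.lower() for n in ORIGINAL_NAMES
    ]
    sel_action = _contains_any(ev.command_line, CLI_ACTIONS)
    sel_base = _contains_any(ev.command_line, CLI_BASE)
    sel_key = _contains_any(ev.command_line, CLI_KEYS)
    # condition: all of selection_*
    return sel_img and sel_action and sel_base and sel_key


def scan(events: Iterable[ProcessEvent]) -> List[bool]:
    """Evaluate the rule over a batch of events, one verdict per event."""
    return [matches(e) for e in events]


# Constructed sample events (paths and values invented for the example).
SAMPLE_EVENTS = [
    # 1. reg.exe setting Start=0 on the EventLog-Application session: expected to match.
    ProcessEvent(
        image=r"C:\Windows\System32\reg.exe",
        original_file_name="reg.exe",
        command_line=r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application" /v Start /t REG_DWORD /d 0 /f',
    ),
    # 2. pwsh disabling a single provider under the session: expected to match.
    ProcessEvent(
        image=r"C:\Program Files\PowerShell\7\pwsh.exe",
        original_file_name="pwsh.dll",
        command_line=r"pwsh -NoProfile -Command Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\{provider-guid-placeholder}' -Name Enabled -Value 0",
    ),
    # 3. reg.exe copied to another name: Image misses, OriginalFileName still matches.
    ProcessEvent(
        image=r"C:\Users\Public\r.exe",
        original_file_name="reg.exe",
        command_line=r"r.exe add HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System /v Start /t REG_DWORD /d 0 /f",
    ),
    # 4. Read-only query of the same key: no write action, expected not to match.
    ProcessEvent(
        image=r"C:\Windows\System32\reg.exe",
        original_file_name="reg.exe",
        command_line=r'reg query "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application" /v Start',
    ),
    # 5. Set-ItemProperty on an unrelated key: Autologger path absent, expected not to match.
    ProcessEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        original_file_name="PowerShell.EXE",
        command_line=r"powershell -Command Set-ItemProperty -Path 'HKCU:\Software\ConstructedApp' -Name Enabled -Value 1",
    ),
]


if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print("MATCH  " if hit else "ignore ", ev.command_line[:80])
```

Two things the sample set makes visible during triage: event 3 shows why the rule keys on OriginalFileName as well as Image, and event 4 shows that the rule only fires on write actions (`add`, `Set-ItemProperty`, `New-ItemProperty`, `si`), so enumeration of the same key is not alerted. Note that `'si '` is matched as a bare substring, so any command line containing a word that ends in "si" followed by a space satisfies selection_cli_action; the other three selectors still have to hold for an alert, which is what keeps that value from being noisy on its own.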

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Testing & Validation

Simulations

Atomic Red Team T1562.001: Disable EventLog-Application Auto Logger Session Via Registry - Cmd (GUID: 653c6e17-14a2-4849-851d-f1c0cc8ea9ab)

Atomic Red Team T1562.001: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell (GUID: da86f239-9bd3-4e85-92ed-4a94ef111a1c)

Atomic Red Team T1562.001: Disable EventLog-Application ETW Provider Via Registry - Cmd (GUID: 1cac9b54-810e-495c-8aac-989e0076583b)

Atomic Red Team T1562.001: Disable EventLog-Application ETW Provider Via Registry - PowerShell (GUID: 8f907648-1ebf-4276-b0f0-e2678ca474f0)

Regression Tests

Positive detection test by Swachchhanda Shrawan Poudel (Nextron Systems): 1 match, evtx sample, log source Microsoft-Windows-Sysmon