Potential AutoLogger Sessions Tampering
Detects tampering with AutoLogger trace sessions, a technique used by attackers to disable logging. An AutoLogger event tracing session records events that occur early in the operating system boot process. Applications and device drivers can use an AutoLogger session to capture traces before the user logs in, and security solutions also use these sessions as a telemetry source. Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activity and system events.
detection:
    selection_main:
        TargetObject|contains: '\Control\WMI\Autologger\'
    selection_values:
        TargetObject|contains: # We only care about some autologger to avoid FP. Add more if you need
            - '\EventLog-'
            - '\Defender'
        TargetObject|endswith:
            - '\Enabled'
            - '\Start'
        Details: DWORD (0x00000000)
    filter_main_wevtutil:
        Image: 'C:\Windows\system32\wevtutil.exe'
    filter_main_defender:
        Image|startswith:
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\Program Files (x86)\Windows Defender\'
        Image|endswith: '\MsMpEng.exe'
        TargetObject|contains:
            - '\DefenderApiLogger\'
            - '\DefenderAuditLogger\'
    condition: all of selection_* and not 1 of filter_main_*

False positive likelihood has not been assessed. Additional context may be needed during triage.
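To see how the selections and filters above combine, here is an added Python example (not part of the Sigma rule or its test cases) that applies the same logic to constructed Sysmon registry value-set records; the Defender engine path version and the reg.exe actor are assumed sample values.

```python
# Added example, not part of the Sigma rule: applies its detection logic to
# constructed Sysmon Event ID 13 (registry value set) records. Sigma string
# modifiers are case-insensitive, so everything is lower-cased first.
AUTOLOGGER = "HKLM\\System\\CurrentControlSet\\Control\\WMI\\Autologger\\"
WATCHED_SESSIONS = ("\\eventlog-", "\\defender")   # selection_values contains
WATCHED_VALUES = ("\\enabled", "\\start")          # selection_values endswith
DEFENDER_DIRS = ("c:\\programdata\\microsoft\\windows defender\\platform\\",
                 "c:\\program files\\windows defender\\",
                 "c:\\program files (x86)\\windows defender\\")
DEFENDER_LOGGERS = ("\\defenderapilogger\\", "\\defenderauditlogger\\")

def matches(event):
    """True when every selection_* matches and no filter_main_* excludes the event."""
    target = event.get("TargetObject", "").lower()
    image = event.get("Image", "").lower()
    details = event.get("Details", "").lower()
    selection_main = "\\control\\wmi\\autologger\\" in target
    selection_values = (any(s in target for s in WATCHED_SESSIONS)
                        and any(target.endswith(v) for v in WATCHED_VALUES)
                        and details == "dword (0x00000000)")
    filter_wevtutil = image == "c:\\windows\\system32\\wevtutil.exe"
    filter_defender = (any(image.startswith(d) for d in DEFENDER_DIRS)
                       and image.endswith("\\msmpeng.exe")
                       and any(l in target for l in DEFENDER_LOGGERS))
    return selection_main and selection_values and not (filter_wevtutil or filter_defender)

def event(image, session_value, details="DWORD (0x00000000)"):
    return {"Image": image, "TargetObject": AUTOLOGGER + session_value, "Details": details}

# Constructed sample events, not real telemetry (the 4.18.0 platform folder is assumed).
REG = "C:\\Windows\\System32\\reg.exe"
MSMPENG = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0\\MsMpEng.exe"
SAMPLE_EVENTS = [
    event(REG, "EventLog-Application\\Start"),                 # alert
    event("C:\\Windows\\system32\\wevtutil.exe", "EventLog-Application\\Enabled"),  # filtered
    event(MSMPENG, "DefenderApiLogger\\Start"),                # filtered: Defender's own logger
    event(MSMPENG, "EventLog-Application\\Start"),             # alert: filter is scoped to Defender loggers
    event(REG, "EventLog-Application\\Start", "DWORD (0x00000001)"),  # no alert: value is 1, not 0
]

def alerts(events=SAMPLE_EVENTS):
    """TargetObjects of the events that would fire this rule."""
    return [e["TargetObject"] for e in events if matches(e)]
```

Note that filter_main_defender only suppresses MsMpEng.exe when it writes to its own DefenderApiLogger or DefenderAuditLogger keys, so a Defender process writing to the EventLog-Application session would still fire.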
Simulations
Disable EventLog-Application Auto Logger Session Via Registry - Cmd
GUID: 653c6e17-14a2-4849-851d-f1c0cc8ea9ab
Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
GUID: da86f239-9bd3-4e85-92ed-4a94ef111a1c
Disable EventLog-Application ETW Provider Via Registry - Cmd
GUID: 1cac9b54-810e-495c-8aac-989e0076583b
Disable EventLog-Application ETW Provider Via Registry - PowerShell
GUID: 8f907648-1ebf-4276-b0f0-e2678ca474f0