update: disable autologger session

regression_data/rules/windows/process_creation/proc_creaton_win_disable_autologger_session/d7b81144-b866-48a4-9bcc-275dc69d870e.json

@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-12-27T06:00:34.838673Z"
+        }
+      },
+      "EventRecordID": 68018,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3636,
+          "ThreadID": 4340
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-12-27 06:00:34.828",
+      "ProcessGuid": "0197231E-7602-694F-5A02-000000000C00",
+      "ProcessId": 3668,
+      "Image": "C:\\Windows\\System32\\reg.exe",
+      "FileVersion": "10.0.26100.5074 (WinBuild.160101.0800)",
+      "Description": "Registry Console Tool",
+      "Product": "Microsoft® Windows® Operating System",
+      "Company": "Microsoft Corporation",
+      "OriginalFileName": "reg.exe",
+      "CommandLine": "\"C:\\WINDOWS\\system32\\reg.exe\" add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Application /v start /t REG_DWORD /d 0 /f",
+      "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\Sysmon\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-70FA-694F-AED1-150000000000",
+      "LogonId": "0x15d1ae",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "High",
+      "Hashes": "MD5=CE3B3DCB08556285C0FC73B7CDC1601D,SHA256=08B28258C2225574FE6359286B5D23B19F07BD39CEE04B72ED5CF7A8B7FBF9F3,IMPHASH=8E5CDA80916A6EB4EC8151EC790ED9F0",
+      "ParentProcessGuid": "0197231E-7211-694F-D001-000000000C00",
+      "ParentProcessId": 9524,
+      "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
+      "ParentCommandLine": "powershell  -ep bypass",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/process_creation/proc_creaton_win_disable_autologger_session/info.yml

@@ -0,0 +1,13 @@
+id: 8a2cd57f-a488-4c04-8c1d-d9455d240331
+description: N/A
+date: 2025-12-26
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: d7b81144-b866-48a4-9bcc-275dc69d870e
+      title: Windows EventLog Autologger Session Disabled
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creaton_win_disable_autologger_session/d7b81144-b866-48a4-9bcc-275dc69d870e.evtx

regression_data/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions/f37b4bce-49d0-4087-9f5b-58bffda77316.json

@@ -0,0 +1,52 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 13,
+      "Version": 2,
+      "Level": 4,
+      "Task": 13,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-12-27T06:00:34.856744Z"
+        }
+      },
+      "EventRecordID": 68020,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3636,
+          "ThreadID": 4340
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "EventType": "SetValue",
+      "UtcTime": "2025-12-27 06:00:34.853",
+      "ProcessGuid": "0197231E-7602-694F-5A02-000000000C00",
+      "ProcessId": 3668,
+      "Image": "C:\\WINDOWS\\system32\\reg.exe",
+      "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Application\\start",
+      "Details": "DWORD (0x00000000)",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions/info.yml

@@ -0,0 +1,13 @@
+id: 4212b819-b182-4fc8-8819-8a4f98e0badd
+description: N/A
+date: 2025-12-26
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: f37b4bce-49d0-4087-9f5b-58bffda77316
+      title: Potential AutoLogger Sessions Tampering
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions/f37b4bce-49d0-4087-9f5b-58bffda77316.evtx

rules/windows/process_creation/proc_creation_win_disable_autologger_session.yml

@@ -0,0 +1,77 @@
+title: Windows EventLog Autologger Session Disabled
+id: d7b81144-b866-48a4-9bcc-275dc69d870e
+related:
+    - id: f37b4bce-49d0-4087-9f5b-58bffda77316
+      type: similar
+status: experimental
+description: |
+    Detects attempts to disable Windows EventLog autologger sessions via registry modification.
+    The AutoLogger event tracing session records events that occur early in the operating system boot process.
+    Applications and device drivers can use the AutoLogger session to capture traces before the user logs in.
+    Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.
+references:
+    - https://learn.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
+    - https://ptylu.github.io/content/report/report.html?report=25
+    - https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-12-25
+tags:
+    - attack.defense-evasion
+    - attack.t1562.002
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith:
+              - '\reg.exe'
+              - '\powershell.exe'
+              - '\pwsh.exe'
+        - OriginalFileName:
+              - 'reg.exe'
+              - 'PowerShell.EXE'
+              - 'pwsh.dll'
+    selection_cli_action:
+        CommandLine|contains:
+            - 'add '
+            - 'Set-ItemProperty'
+            - 'New-ItemProperty'
+            - 'si ' # Set-ItemProperty alias
+    selection_cli_key:
+        CommandLine|contains|all:
+            - '\SYSTEM\CurrentControlSet\Control\WMI\Autologger\'
+            - 'DWORD'
+        CommandLine|contains:
+            - 'Start' # Key used to disable specific autologger session like EventLog-Application, EventLog-System etc.
+            - 'Enabled' # Key used to disable specific provider of autologger session
+    selection_cli_disable:
+        - CommandLine|endswith: ' 0'
+        - CommandLine|contains:
+              - ' 0 '
+              - ' 0x0 '
+              - '0x0"'
+              - '0"'
+              - '0x00000000'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creaton_win_disable_autologger_session/info.yml
+simulation:
+    - type: atomic-red-team
+      name: Disable EventLog-Application Auto Logger Session Via Registry - Cmd
+      technique: T1562.001
+      atomic_guid: 653c6e17-14a2-4849-851d-f1c0cc8ea9ab
+    - type: atomic-red-team
+      name: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
+      technique: T1562.001
+      atomic_guid: da86f239-9bd3-4e85-92ed-4a94ef111a1c
+    - type: atomic-red-team
+      name: Disable EventLog-Application ETW Provider Via Registry - Cmd
+      technique: T1562.001
+      atomic_guid: 1cac9b54-810e-495c-8aac-989e0076583b
+    - type: atomic-red-team
+      name: Disable EventLog-Application ETW Provider Via Registry - PowerShell
+      technique: T1562.001
+      atomic_guid: 8f907648-1ebf-4276-b0f0-e2678ca474f0
+

rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml

@@ -1,16 +1,26 @@
 title: Potential AutoLogger Sessions Tampering
 id: f37b4bce-49d0-4087-9f5b-58bffda77316
+related:
+    - id: d7b81144-b866-48a4-9bcc-275dc69d870e
+      type: similar
 status: test
-description: Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging
+description: |
+    Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging.
+    The AutoLogger event tracing session records events up that occur early in the operating system boot process.
+    Applications and device drivers can use the AutoLogger session to capture traces before the user logs in, and also used by security solutions as telemetry source.
+    Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.
 references:
     - https://twitter.com/MichalKoczwara/status/1553634816016498688
     - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
     - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
+    - https://learn.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
+    - https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-01
-modified: 2025-10-07
+modified: 2025-12-26
 tags:
     - attack.defense-evasion
+    - attack.t1562.002
 logsource:
     category: registry_set
     product: windows
@@ -22,7 +32,7 @@ detection:
             - '\EventLog-'
             - '\Defender'
         TargetObject|endswith:
-            - '\Enable'
+            - '\Enabled'
             - '\Start'
         Details: DWORD (0x00000000)
     filter_main_wevtutil:
@@ -40,3 +50,21 @@ detection:
 falsepositives:
     - Unknown
 level: high
+regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions/info.yml
+simulation:
+    - type: atomic-red-team
+      name: Disable EventLog-Application Auto Logger Session Via Registry - Cmd
+      technique: T1562.001
+      atomic_guid: 653c6e17-14a2-4849-851d-f1c0cc8ea9ab
+    - type: atomic-red-team
+      name: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
+      technique: T1562.001
+      atomic_guid: da86f239-9bd3-4e85-92ed-4a94ef111a1c
+    - type: atomic-red-team
+      name: Disable EventLog-Application ETW Provider Via Registry - Cmd
+      technique: T1562.001
+      atomic_guid: 1cac9b54-810e-495c-8aac-989e0076583b
+    - type: atomic-red-team
+      name: Disable EventLog-Application ETW Provider Via Registry - PowerShell
+      technique: T1562.001
+      atomic_guid: 8f907648-1ebf-4276-b0f0-e2678ca474f0