Disabling Windows Defender WMI Autologger Session via Reg.exe

Rule Info

Name: Disabling Windows Defender WMI Autologger Session via Reg.exe
Author: Matt Anderson (Huntress)
Description: Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger sessions for Windows Defender API and Audit events. By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
Date: 2025-07-09 00:00:00
Modified: None
Id: a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6
Tags: attack.defense-evasion attack.t1562.001
Type: Community Rule
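The following is an added example and not the Sigma rule's own detection logic, nor code from the rule author or Huntress. It implements the check the description above calls for in plain Python over constructed process-creation events: reg.exe issuing an "add" that sets the Start value of a Defender Autologger session to 0. It assumes Sysmon-style Image and CommandLine field names, that the sessions live under HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger (a standard Windows location, but one the page does not spell out), and it goes slightly beyond the description by parsing the DWORD literal so that hex spellings such as 0x0 are caught while benign queries and re-enabling writes (Start=1) are not flagged.

```python
"""
Added example, not part of the rule page: a small detector that flags reg.exe
process-creation events which set Start=0 on the Windows Defender ETW
Autologger sessions (DefenderApiLogger / DefenderAuditLogger).
"""
import re

# Assumed location of the ETW Autologger session keys, matched case-insensitively
# as a substring so both HKLM\... and HKEY_LOCAL_MACHINE\... spellings are covered.
AUTOLOGGER_SUBKEY = "\\wmi\\autologger\\"
TARGET_SESSIONS = ("defenderapilogger", "defenderauditlogger")

# Named value and data switches of reg.exe; quotes around the argument are optional.
_VALUE_RE = re.compile(r'/v\s+"?(?P<name>[^"\s]+)"?', re.IGNORECASE)
_DATA_RE = re.compile(r'/d\s+"?(?P<data>[^"\s]+)"?', re.IGNORECASE)

# Constructed sample events (Sysmon EID 1 / 4688-style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v Start /t REG_DWORD /d 0 /f'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg ADD HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 0x0 /f'},
    # benign: only reads the value
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger /v Start'},
    # benign: re-enables the session
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 1 /f'},
    # not reg.exe at all, even though the strings appear
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c echo DefenderApiLogger Start 0'},
]


def _parse_dword(text):
    """Parse a REG_DWORD literal the way reg.exe accepts it (decimal or 0x-prefixed hex).
    Returns None when the literal is not a number."""
    t = text.strip().lower()
    try:
        return int(t, 16) if t.startswith("0x") else int(t, 10)
    except ValueError:
        return None


def is_autologger_disable(event):
    """Return the lower-cased session name when the event is reg.exe writing
    Start=0 to a Defender Autologger session, otherwise None."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith("\\reg.exe"):
        return None
    low = cmd.lower()
    tokens = low.split()
    # Only the "add" verb writes a value; "query", "export" etc. are read-only.
    if len(tokens) < 2 or tokens[1] != "add":
        return None
    session = next((s for s in TARGET_SESSIONS if AUTOLOGGER_SUBKEY + s in low), None)
    if session is None:
        return None
    value = _VALUE_RE.search(cmd)
    data = _DATA_RE.search(cmd)
    if not value or not data or value.group("name").lower() != "start":
        return None
    if _parse_dword(data.group("data")) != 0:
        return None
    return session


def scan(events):
    """Return (index, session) pairs for every matching event."""
    hits = []
    for i, ev in enumerate(events):
        session = is_autologger_disable(ev)
        if session is not None:
            hits.append((i, session))
    return hits


if __name__ == "__main__":
    for idx, session in scan(SAMPLE_EVENTS):
        print(f"event {idx}: Defender Autologger session '{session}' disabled via reg.exe")
```

In a real pipeline the same function would run over Sysmon Event ID 1 or Security 4688 records with command-line auditing enabled; the DWORD parsing matters because a rule that looks only for the literal "/d 0" misses "/d 0x0". A matching event should be treated as a high-severity defense-evasion signal and correlated with whoever launched reg.exe, since the sessions only stop logging after the next boot.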

Rule History

Author: Matt Anderson
Title: Merge PR #5528 from @MATTANDERS0N - add rules for defense evasion
Date: 2025-07-28
Commit: