Advisory severity: high

Windows AutoLogger Session Disabled via Registry Modification

An attacker disables Windows AutoLogger sessions by modifying specific registry values to evade defenses and blind EDR and log ingest tools.

Attackers are known to disable Windows AutoLogger sessions to impair defenses and evade detection. This technique involves modifying specific registry values associated with AutoLogger sessions and their providers, effectively blinding EDR solutions and log ingest tools. By setting the “Start” or “Enabled” values under the \WMI\Autologger\ registry key to 0x00000000, adversaries can stop the collection of crucial event data. This activity is often observed post-compromise, as a means to conceal further malicious actions and maintain persistence on the affected system. Malware such as IcedID and ransomware variants have been observed using similar techniques to impair logging and detection capabilities. The scope of this threat includes any Windows system where adversaries have gained sufficient privileges to modify registry settings related to event logging.

Attack Chain

  1. Initial Access: The attacker gains initial access to the target system through methods such as phishing or exploiting a software vulnerability.
  2. Privilege Escalation: The attacker escalates privileges to gain administrative access, allowing them to modify system-level settings.
  3. Discovery: The attacker identifies the registry keys associated with Windows AutoLogger sessions, typically located under HKLM\System\CurrentControlSet\Control\WMI\Autologger.
  4. Defense Evasion: The attacker modifies the Start or Enabled registry values for specific AutoLogger sessions or providers within the \WMI\Autologger\ path. The values are set to 0x00000000 to disable the logging session.
  5. Persistence: The attacker may establish persistence through various methods.
  6. Lateral Movement: The attacker moves laterally to other systems on the network, repeating the defense evasion steps to blind security tools across the environment.
  7. Data Exfiltration/Ransomware Deployment: With logging impaired, the attacker proceeds to exfiltrate sensitive data or deploy ransomware, hindering incident response efforts.

Impact

Successful execution of this attack can severely impair an organization’s ability to detect and respond to security incidents. By disabling AutoLogger sessions, attackers effectively blind EDR solutions and prevent the collection of critical event data. This can lead to delayed detection of malicious activity, increased dwell time, and ultimately, greater damage from data breaches or ransomware attacks. Several campaigns, including those involving IcedID and XingLocker ransomware, have leveraged similar techniques.

Recommendation

  • Enable Sysmon Event ID 13 (RegistryEvent, value set) to monitor registry modifications, as specified in the data_source section.
  • Deploy the Sigma rule Disable AutoLogger Session to detect changes to AutoLogger registry values.
  • Investigate any alerts generated by the Sigma rule Disable AutoLogger Session to determine if the activity is malicious.
  • Review and harden registry permissions to prevent unauthorized modifications to critical system settings.
  • Utilize the windows_impair_defenses_disable_auto_logger_session_filter macro (referenced in the original Splunk search) to tune detections and reduce false positives.
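The following is an added example, not the Sigma rule or Splunk search the advisory refers to. It shows the core of the recommended detection: Sysmon Event ID 13 records whose TargetObject falls under \WMI\Autologger\ and whose Start (session) or Enabled (provider) value is written as DWORD 0x00000000 are flagged, and a small allowlist stands in for the tuning filter macro. The events, the process paths and the allowlisted tool path are all constructed for the example.

```python
"""Flag Sysmon Event ID 13 (registry value set) events that disable a
Windows AutoLogger session or one of its providers.

Field names (EventID, Image, TargetObject, Details) follow Sysmon's
RegistryEvent schema; the events below are constructed for this example.
"""
import re

# Matches ...\WMI\Autologger\<session>[\{provider-guid}]\Start|Enabled.
# Windows registry paths are case-insensitive, so the match is too.
AUTOLOGGER_VALUE = re.compile(
    r"\\WMI\\Autologger\\(?P<session>[^\\]+)"
    r"(?:\\(?P<provider>\{[0-9A-Fa-f-]+\}))?"
    r"\\(?P<value>Start|Enabled)$",
    re.IGNORECASE,
)

# Sysmon renders DWORD data as "DWORD (0x00000000)"; any all-zero value disables.
DISABLED_DWORD = re.compile(r"^DWORD \(0x0+\)$", re.IGNORECASE)

# Hypothetical tuning allowlist, playing the role of the filter macro the
# advisory mentions: a known configuration tool that legitimately toggles
# sessions. Lower-cased for comparison. The path is a placeholder.
ALLOWLISTED_IMAGES = {
    r"c:\program files\example corp\logging-config.exe",  # placeholder
}


def is_autologger_disable(event: dict) -> bool:
    """True if the event sets an AutoLogger Start/Enabled value to zero."""
    if str(event.get("EventID")) != "13":
        return False
    if not AUTOLOGGER_VALUE.search(event.get("TargetObject", "")):
        return False
    return bool(DISABLED_DWORD.match(event.get("Details", "").strip()))


def detect(events: list) -> list:
    """Return one finding per disabling event; tuned_out marks allowlisted images."""
    findings = []
    for event in events:
        if not is_autologger_disable(event):
            continue
        match = AUTOLOGGER_VALUE.search(event["TargetObject"])
        image = event.get("Image", "")
        findings.append({
            "session": match.group("session"),
            "provider": match.group("provider"),  # None when a session Start value
            "value": match.group("value"),
            "image": image,
            "tuned_out": image.lower() in ALLOWLISTED_IMAGES,
        })
    return findings


BASE = r"HKLM\System\CurrentControlSet\Control\WMI\Autologger"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Session Start set to 0 by reg.exe: should alert.
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": BASE + r"\EventLog-Application\Start",
     "Details": "DWORD (0x00000000)"},
    # Provider Enabled set to 0 by the allowlisted tool: matches, but tuned out.
    {"EventID": 13, "Image": r"C:\Program Files\Example Corp\logging-config.exe",
     "TargetObject": BASE + r"\EventLog-Security\{00000000-0000-0000-0000-000000000001}\Enabled",
     "Details": "DWORD (0x00000000)"},
    # Session re-enabled (Start = 1): not a disable.
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": BASE + r"\EventLog-Application\Start",
     "Details": "DWORD (0x00000001)"},
    # Key creation (Event ID 12), not a value set: ignored.
    {"EventID": 12, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": BASE + r"\NewSession"},
    # Zero DWORD written elsewhere in the registry: ignored.
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Example\Setting",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the first record produces a finding (session EventLog-Application, value Start) and the second produces a finding that is marked tuned_out; the remaining three are ignored. In production the allowlist should key on more than the image path (signer, parent process, user), since a disabling write from an unexpected parent is exactly what the advisory describes.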

Detection coverage (2 rules)

Disable AutoLogger Session

Severity: high

Detects the disabling of an AutoLogger session or provider by monitoring registry modifications.

Rule type: sigma | Tactics: defense_evasion | Techniques: T1562.001 | Sources: registry_set, windows

Disable AutoLogger Session by Process

Severity: high

Detects processes disabling AutoLogger sessions by modifying specific registry values.

Rule type: sigma | Tactics: defense_evasion | Techniques: T1562.001 | Sources: registry_set, windows
