{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/attack.t1562.002/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["attack.defense-evasion","attack.t1562.002"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may disable Windows EventLog autologger sessions by modifying specific registry keys, thus evading detection and preventing security monitoring of early boot activities and system events. The AutoLogger event tracing session records events early in the operating system boot process, allowing applications and device drivers to capture traces before user login. Disabling these sessions can blind security monitoring tools, especially those focused on early boot activity, making it harder to detect malicious activity. 
This technique allows attackers to operate with less scrutiny during critical phases of system startup, potentially enabling persistence or other malicious objectives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system, possibly through exploitation of a vulnerability or through stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to modify the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker targets registry keys under \u003ccode\u003e\\Control\\WMI\\Autologger\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eStart\u003c/code\u003e value to disable specific autologger sessions like EventLog-Application or EventLog-System.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker modifies the \u003ccode\u003eEnabled\u003c/code\u003e value to disable specific providers of an autologger session.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the command, changing the registry value to disable the targeted autologger session or provider.\u003c/li\u003e\n\u003cli\u003eThe system no longer records events for the disabled autologger session or provider.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling the Windows EventLog autologger can severely impact an organization\u0026rsquo;s ability to detect and respond to threats. Security monitoring tools that rely on these logs will be unable to record early boot activities and system events, leading to a gap in visibility. This can allow attackers to establish persistence mechanisms, escalate privileges, or perform other malicious activities without being detected. 
The impact could range from undetected malware infections to significant data breaches, depending on the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eWindows EventLog Autologger Session Registry Modification Via CommandLine\u003c/code\u003e to your SIEM and tune it for your environment to detect this behavior.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ereg.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, or \u003ccode\u003epwsh.exe\u003c/code\u003e with command-line arguments that contain \u003ccode\u003e\\Control\\WMI\\Autologger\\\u003c/code\u003e and either \u003ccode\u003eStart\u003c/code\u003e or \u003ccode\u003eEnabled\u003c/code\u003e, based on the Sigma rule\u0026rsquo;s detections.\u003c/li\u003e\n\u003cli\u003eImplement Atomic Red Team simulations to validate detections and train security staff.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of registry modifications related to Autologger sessions to determine if they are legitimate or malicious.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T14:22:00Z","date_published":"2024-01-09T14:22:00Z","id":"/briefs/2024-01-autologger-disable/","summary":"Adversaries may attempt to disable Windows EventLog autologger sessions via registry modification to evade detection and prevent security monitoring of early boot activities and system events.","title":"Windows EventLog Autologger Session Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-autologger-disable/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":true,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["attack.defense-evasion","attack.t1562.002"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly targeting Windows 
Event Tracing (ETW) and AutoLogger sessions to evade detection. The AutoLogger session is crucial as it records events early in the operating system boot process, providing security solutions with essential telemetry. This technique involves tampering with registry keys associated with AutoLogger sessions, specifically disabling or stopping them by setting DWORD values to 0. This is done to blind security solutions, preventing them from monitoring early boot activities and critical system events. Disabling these sessions allows adversaries to operate with less scrutiny, making it harder to detect malicious activities during the initial phases of a system compromise. This technique has been observed in attacks involving IcedID and XingLocker ransomware.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is achieved through an as-yet-unspecified method (e.g., exploitation, phishing).\u003c/li\u003e\n\u003cli\u003eThe attacker gains administrative privileges on the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies AutoLogger sessions to disable, focusing on those relevant to security monitoring, such as \u0026lsquo;\\EventLog-\u0026rsquo; or \u0026lsquo;\\Defender\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry to disable the targeted AutoLogger sessions. 
This involves setting the \u0026lsquo;Enabled\u0026rsquo; or \u0026lsquo;Start\u0026rsquo; DWORD values under the \u003ccode\u003eHKLM\\System\\CurrentControlSet\\Control\\WMI\\Autologger\u003c/code\u003e registry key to 0.\u003c/li\u003e\n\u003cli\u003eThe attacker may use tools like \u003ccode\u003ewevtutil.exe\u003c/code\u003e or directly interact with the registry via PowerShell or \u003ccode\u003ecmd.exe\u003c/code\u003e to make these changes.\u003c/li\u003e\n\u003cli\u003eThe security monitoring capabilities reliant on the tampered AutoLogger sessions are effectively impaired or disabled.\u003c/li\u003e\n\u003cli\u003eWith logging impaired, the attacker proceeds with the main objectives, such as lateral movement, data exfiltration, or ransomware deployment, with a reduced risk of detection.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is to compromise the system, steal data, or deploy ransomware, bypassing security measures that rely on early boot and system event logging.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful tampering with AutoLogger sessions can significantly reduce the visibility of security solutions, allowing attackers to operate undetected for extended periods. This can lead to delayed incident response, increased dwell time, and greater potential for damage, including data breaches, financial losses, and reputational damage. The sectors most at risk are those heavily reliant on Windows-based systems and proactive security monitoring. 
The DFIR Report documented a case where adversaries moved from IcedID infection to XingLocker ransomware deployment within 24 hours, highlighting the speed and potential impact of these attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePotential AutoLogger Sessions Tampering\u003c/code\u003e to your SIEM to detect malicious registry modifications related to AutoLogger sessions.\u003c/li\u003e\n\u003cli\u003eInvestigate any registry modifications under the \u003ccode\u003e\\Control\\WMI\\Autologger\\\u003c/code\u003e path, focusing on changes to \u003ccode\u003eEnabled\u003c/code\u003e or \u003ccode\u003eStart\u003c/code\u003e values, as identified in the Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ewevtutil.exe\u003c/code\u003e modifying registry keys related to AutoLogger, as specified in the \u003ccode\u003efilter_main_wevtutil\u003c/code\u003e section of the Sigma rule.\u003c/li\u003e\n\u003cli\u003eCorrelate registry modification events with process execution events to identify the source of the tampering, paying close attention to processes originating from the Windows Defender platform, as outlined in the \u003ccode\u003efilter_main_defender\u003c/code\u003e section of the Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement endpoint detection and response (EDR) solutions with robust registry monitoring capabilities to identify and block unauthorized modifications to AutoLogger settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-autologger-tampering/","summary":"Attackers may disable AutoLogger sessions by modifying specific registry values to evade detection and prevent security monitoring of early boot activities and system events, a technique observed in intrusions involving IcedID and XingLocker 
ransomware.","title":"Windows AutoLogger Session Tampering Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-autologger-tampering/"}],"language":"en","title":"CraftedSignal Threat Feed — Attack.t1562.002","version":"https://jsonfeed.org/version/1.1"}