# *ETW Autologger Tampering to Impair Security Auditing*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1562.006 | Indicator Blocking | https://attack.mitre.org/techniques/T1562/006/ |


#### Description
Detects attempts to tamper with Event Tracing for Windows (ETW) Autologger settings, specifically targeting security-relevant loggers. This rule identifies modifications, creations, or deletions of registry keys and values under `Control\WMI\Autologger` that could disable or redirect logging for critical security events. It focuses on actions that set 'Start', 'Enabled', 'EnableFlags', 'FileMax', or 'MaxFileSize' to a disabling value (0) or delete the corresponding keys/values, while filtering out legitimate system processes.

#### Risk
Defense Evasion

#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**

#### References

## Defender XDR
```KQL
// Detect ETW Autologger tampering to blind security auditing
// Covers: value modification, key/value deletion, provider-level disabling
// MITRE: T1562.006 – Impair Defenses: Indicator Blocking
let SensitiveAutologgers = dynamic([
	"EventLog-Security",
	"EventLog-System",
	"EventLog-Application",
	"DefenderApiLogger",
	"DefenderAuditLogger",
	"Microsoft-Windows-Threat-Intelligence",
	"SenseEventLog",
	"WdiContextLog"
]);
let LegitWriters = dynamic([
	"TrustedInstaller.exe",
	"msiexec.exe",
	"svchost.exe"
]);
DeviceRegistryEvents
| where TimeGenerated > ago(7d)
// Only write/delete actions – no reads
| where ActionType in (
	"RegistryValueSet",
	"RegistryKeyCreated",
	"RegistryKeyDeleted",
	"RegistryValueDeleted"
)
| where RegistryKey has @"\Control\WMI\Autologger\"
| where RegistryValueName in~ ("Start", "Enabled", "EnableFlags", "FileMax", "MaxFileSize")
	or ActionType in ("RegistryKeyDeleted", "RegistryValueDeleted")
| where RegistryValueData in ("0", "0x0", "0x00000000", "00000000")
	or ActionType in ("RegistryKeyDeleted", "RegistryValueDeleted")
// Focus on security-relevant Autologgers (optionally comment out for a broader search)
| where RegistryKey has_any (SensitiveAutologgers)
| where not(
	InitiatingProcessFileName in~ (LegitWriters)
	and InitiatingProcessFolderPath startswith @"C:\Windows\System32\"
	and InitiatingProcessParentFileName in~ ("services.exe", "wininit.exe")
)
| extend ProcessRisk = case(
	InitiatingProcessFolderPath !startswith @"C:\Windows\", "High – Non-System Path",
	InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"), "High – Scripting Engine",
	InitiatingProcessFileName in~ ("reg.exe", "regsvr32.exe", "regasm.exe"), "Medium – Reg Tool",
	"Low – System Binary"
)
| project
	TimeGenerated,
	DeviceName,
	InitiatingProcessAccountUpn,
	ActionType,
	RegistryKey,
	RegistryValueName,
	RegistryValueData,
	InitiatingProcessFileName,
	InitiatingProcessFolderPath,
	InitiatingProcessCommandLine,
	InitiatingProcessParentFileName,
	ProcessRisk
| sort by TimeGenerated desc
```

## Explanation

This query is designed to detect suspicious activities that might indicate tampering with Event Tracing for Windows (ETW) Autologger settings, which are crucial for security auditing. Specifically, it looks for changes to registry keys and values related to ETW Autologgers that are important for logging security events. The query focuses on actions that might disable or redirect logging, such as setting certain values to zero or deleting keys/values.

Here's a simple breakdown of what the query does:

  1. Sensitive Autologgers: It defines the list of Autologgers that matter for security auditing, such as "EventLog-Security", "DefenderApiLogger" and "Microsoft-Windows-Threat-Intelligence".

  2. Legitimate Writers: It defines the system processes ("TrustedInstaller.exe", "msiexec.exe", "svchost.exe") whose changes are tolerated, but only when they run from `C:\Windows\System32\` with `services.exe` or `wininit.exe` as the parent (see step 8).

  3. Time Frame: It considers registry events from the past 7 days.

  4. Action Types: It keeps only write and delete actions (`RegistryValueSet`, `RegistryKeyCreated`, `RegistryKeyDeleted`, `RegistryValueDeleted`); read actions are ignored.

  5. Registry Path: It restricts results to keys under `Control\WMI\Autologger`.

  6. Value Changes: It keeps events that set `Start`, `Enabled`, `EnableFlags`, `FileMax` or `MaxFileSize` to zero, or that delete a key or value, since either could disable logging.

  7. Security Focus: It narrows the results to keys naming one of the sensitive Autologgers from step 1.

  8. Exclusion of Legitimate Processes: It drops events only when all three legitimate-writer conditions hold (trusted file name, System32 folder, `services.exe` or `wininit.exe` parent); a "svchost.exe" started from any other folder or by any other parent is kept.

  9. Risk Assessment: It labels the initiating process "High" for a path outside `C:\Windows\` or for a scripting engine (PowerShell, cmd, wscript, cscript, mshta), "Medium" for registry tools (reg.exe, regsvr32.exe, regasm.exe), and "Low" otherwise.

  10. Output: It returns the event time, device, user account (UPN), action type, registry key and value details, the initiating process with its folder, command line and parent, and the ProcessRisk label, newest first.

Overall, this query helps identify potential security threats by flagging unauthorized or suspicious modifications to critical logging settings in Windows.
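As an added example that is not part of the original query page, the filter chain described above re-implemented in plain Python and run over constructed DeviceRegistryEvents-style rows, so the legitimate-writer exclusion and the deletion branch can be unit-tested before the KQL is deployed; the column names follow the query, the rows are made up, and KQL's `has_any` is approximated with a case-insensitive substring test.

```python
# Added example, not the page's own query: a plain-Python mirror of the rule's filter chain,
# run over constructed DeviceRegistryEvents-style rows so its exclusions can be unit-tested.
SENSITIVE_AUTOLOGGERS = ["EventLog-Security", "EventLog-System", "EventLog-Application", "DefenderApiLogger",
    "DefenderAuditLogger", "Microsoft-Windows-Threat-Intelligence", "SenseEventLog", "WdiContextLog"]
LEGIT_WRITERS = {"trustedinstaller.exe", "msiexec.exe", "svchost.exe"}
WRITE_ACTIONS = {"RegistryValueSet", "RegistryKeyCreated", "RegistryKeyDeleted", "RegistryValueDeleted"}
DELETE_ACTIONS = {"RegistryKeyDeleted", "RegistryValueDeleted"}
DISABLING_VALUES = {"0", "0x0", "0x00000000", "00000000"}
TUNABLE_VALUES = {"start", "enabled", "enableflags", "filemax", "maxfilesize"}
SCRIPT_ENGINES = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
REG_TOOLS = {"reg.exe", "regsvr32.exe", "regasm.exe"}

def process_risk(ev):  # mirrors the query's case(); KQL startswith is case-insensitive
    name, folder = ev["InitiatingProcessFileName"].lower(), ev["InitiatingProcessFolderPath"].lower()
    if not folder.startswith("c:\\windows\\"):
        return "High - Non-System Path"
    if name in SCRIPT_ENGINES:
        return "High - Scripting Engine"
    return "Medium - Reg Tool" if name in REG_TOOLS else "Low - System Binary"

def is_legit_writer(ev):  # all three conditions must hold, as in the query's not(...) block
    return (ev["InitiatingProcessFileName"].lower() in LEGIT_WRITERS
            and ev["InitiatingProcessFolderPath"].lower().startswith("c:\\windows\\system32\\")
            and ev["InitiatingProcessParentFileName"].lower() in {"services.exe", "wininit.exe"})

def matches_rule(ev):  # True when a row would survive every where-clause of the KQL
    key, deletion = ev["RegistryKey"].lower(), ev["ActionType"] in DELETE_ACTIONS
    return (ev["ActionType"] in WRITE_ACTIONS
            and "\\control\\wmi\\autologger\\" in key
            and (ev["RegistryValueName"].lower() in TUNABLE_VALUES or deletion)
            and (ev["RegistryValueData"] in DISABLING_VALUES or deletion)
            and any(l.lower() in key for l in SENSITIVE_AUTOLOGGERS)  # has_any, approximated
            and not is_legit_writer(ev))

def hunt(events):  # surviving rows plus the ProcessRisk column the query's extend adds
    return [dict(ev, ProcessRisk=process_risk(ev)) for ev in events if matches_rule(ev)]

def row(action, logger, name, data, proc, folder, parent):  # one constructed (fake) telemetry row
    return {"ActionType": action, "RegistryValueName": name, "RegistryValueData": data,
            "RegistryKey": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\" + logger,
            "InitiatingProcessFileName": proc, "InitiatingProcessFolderPath": folder, "InitiatingProcessParentFileName": parent}
SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    row("RegistryValueSet", "EventLog-Security", "Start", "0", "reg.exe", SYS32, "cmd.exe"),           # hit
    row("RegistryValueSet", "EventLog-Security", "Start", "0", "svchost.exe", SYS32, "services.exe"),  # legit writer
    row("RegistryValueSet", "DefenderApiLogger", "Enabled", "0x0", "svchost.exe", "C:\\Users\\Public\\", "explorer.exe"),
    row("RegistryKeyDeleted", "SenseEventLog", "", "", "powershell.exe", SYS32 + "WindowsPowerShell\\v1.0\\", "explorer.exe"),
    row("RegistryValueSet", "EventLog-Security", "Start", "1", "reg.exe", SYS32, "cmd.exe"),           # not disabling
    row("RegistryValueSet", "NotSensitiveLogger", "Start", "0", "reg.exe", SYS32, "cmd.exe"),          # out of scope
]
```

Running `hunt(SAMPLE_EVENTS)` keeps three rows: the reg.exe write (Medium), the svchost.exe write from a user-writable folder (High, non-system path) and the PowerShell key deletion (High, scripting engine), while the System32 svchost.exe under services.exe is excluded.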

Released: June 8, 2026