
Disabling Windows Defender WMI Autologger Session via Reg.exe (a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6)

Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events. By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
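The following is an added worked example, written here to illustrate the detection logic this rule describes; it is not the Sigma rule's own body and not code from the MISP or Sigma projects. It assumes process-creation events carry an `Image` and a `CommandLine` field (as Sysmon Event ID 1 or Security 4688 do), that the Defender autologger sessions live under the standard `HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\<session>` key, and that a `reg.exe add ... /v Start /d 0` on either `DefenderApiLogger` or `DefenderAuditLogger` is the pattern to flag. The sample events are constructed.

```python
"""Flag reg.exe invocations that set Start=0 on the Windows Defender ETW
autologger sessions (DefenderApiLogger / DefenderAuditLogger).

Added example for illustration; not the Sigma rule itself.  The event shape
(Image, CommandLine) is an assumption modelled on Sysmon EID 1 / Security 4688.
"""
import re
import shlex

# Assumed standard location of ETW autologger sessions:
#   HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\<SessionName>
# The hive prefix is ignored so HKLM and HKEY_LOCAL_MACHINE both match.
AUTOLOGGER_KEY = re.compile(
    r"\\Control\\WMI\\Autologger\\(DefenderApiLogger|DefenderAuditLogger)\s*$",
    re.IGNORECASE,
)

# Options of "reg add" that take a value; everything else (/f, /ve, /reg:64) is a bare flag.
_VALUE_OPTIONS = {"/v", "/t", "/d"}


def _parse_reg_add(cmdline):
    """Split a reg.exe command line into (verb, key, options).

    Returns None when the line cannot be tokenised or is too short to be a
    "reg <verb> <key> ..." invocation.  Non-POSIX splitting keeps backslashes
    literal; surrounding quotes are stripped from each token afterwards.
    """
    try:
        tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:
        return None
    if len(tokens) < 3:
        return None
    verb, key = tokens[1].lower(), tokens[2]
    opts = {}
    i = 3
    while i < len(tokens):
        opt = tokens[i].lower()
        if opt in _VALUE_OPTIONS and i + 1 < len(tokens):
            opts[opt] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return verb, key, opts


def _is_zero(text):
    """True for '0', '0x0', '00'; False for anything else or a missing value."""
    try:
        return int(text, 0) == 0
    except ValueError:
        return False


def detect_defender_autologger_disable(events):
    """Return one finding per event that disables a Defender autologger session."""
    findings = []
    for ev in events:
        image = ev.get("Image", "").lower()
        if not (image == "reg.exe" or image.endswith("\\reg.exe")):
            continue
        parsed = _parse_reg_add(ev.get("CommandLine", ""))
        if parsed is None:
            continue
        verb, key, opts = parsed
        match = AUTOLOGGER_KEY.search(key)
        if verb != "add" or match is None:
            continue
        if opts.get("/v", "").lower() != "start" or not _is_zero(opts.get("/d", "")):
            continue
        findings.append({
            "session": match.group(1),
            "command": ev.get("CommandLine", ""),
            "technique": "T1562.001 Impair Defenses: Disable or Modify Tools",
        })
    return findings


# Constructed sample events: two true positives, three benign lines.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 0 /f"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'"C:\Windows\System32\reg.exe" ADD "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v start /t REG_DWORD /d 0x0 /f'},
    {"Image": r"C:\Windows\System32\reg.exe",  # re-enabling the session, not a hit
     "CommandLine": r"reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 1 /f"},
    {"Image": r"C:\Windows\System32\reg.exe",  # read-only query, not a hit
     "CommandLine": r"reg.exe query HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger /v Start"},
    {"Image": r"C:\Windows\System32\reg.exe",  # unrelated key with a Start value, not a hit
     "CommandLine": r"reg.exe add HKLM\SOFTWARE\Contoso\App /v Start /t REG_DWORD /d 0 /f"},
]


if __name__ == "__main__":
    for hit in detect_defender_autologger_disable(SAMPLE_EVENTS):
        print(f"[{hit['technique']}] {hit['session']} disabled: {hit['command']}")
```

The parser tolerates quoted paths, mixed-case options and hexadecimal `/d 0x0`, and deliberately ignores `reg query` and writes to other keys so the check stays tied to the two sessions the rule names; a value of `1` (re-enabling the logger) is not reported.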

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | Disabling Windows Defender WMI Autologger Session via Reg.exe (a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6) | Sigma-Rules | 1 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 2 |