AN0667: Analytic 0667

Correlates registry modifications to EventLog or WMI Autologger keys, suspicious use of Set-EtwTraceProvider, and Sysmon configuration changes. Defender sees interruption or redirection of ETW and log event collection.

EnterpriseAN0667AnalyticObject v1.0 Modified Oct 21, 2025, 15:10 UTC (UTC+00:00)

Analytic 0667 is a Windows-focused detection analytic for signs that logging and event collection are being interrupted, redirected, or weakened. Its business value is in validating whether the SOC would notice attempts to tamper with telemetry sources that incident responders, auditors, and detection programs depend on for evidence.

Executive priority

Prioritize this as a resilience and evidence-integrity control check. If Windows Event Log, WMI Autologger, ETW provider, or Sysmon collection can be modified without prompt review, investigations may lose visibility at the moment it is most needed. Leaders should ask whether logging changes are monitored, who is authorized to make them, and whether IR and compliance teams can prove telemetry integrity after a suspected incident.

Technical view

For Windows environments, validate correlation across registry modifications to EventLog or WMI Autologger keys, suspicious use of Set-EtwTraceProvider, and Sysmon configuration changes. Because no official detection logic is supplied, teams should treat this analytic as a coverage requirement: confirm the relevant events are collected, normalized, retained, and correlated in the SIEM or managed detection workflow. Tune carefully around legitimate administrative logging changes, endpoint management activity, and approved Sysmon configuration updates.

Likely telemetry

Windows registry modification events involving EventLog-related keys
Windows registry modification events involving WMI Autologger-related keys
Evidence of Set-EtwTraceProvider usage
Sysmon configuration change events or configuration deployment records
Windows Event Log and ETW collection health/status indicators

Detection direction

Inventory where EventLog, WMI Autologger, ETW, and Sysmon configuration changes are visible today.
Correlate configuration changes with approved change windows, administrator identities, and endpoint management tooling to reduce false positives.
Alert or review when multiple logging-control changes occur together, since the analytic specifically depends on correlation rather than a single event type.
Validate that the SOC can distinguish normal logging maintenance from unexpected interruption or redirection of event collection.
Check for blind spots where registry auditing, Sysmon telemetry, ETW visibility, or log-forwarding health is absent on Windows endpoints.

Mitigation priorities

Restrict and review administrative permissions that can modify Windows logging, ETW, WMI Autologger, and Sysmon settings.
Maintain approved baselines for logging and Sysmon configuration so unauthorized drift can be identified.
Use change management for planned logging modifications and make those records available to SOC analysts.
Monitor collection health and retention so telemetry interruption is visible as an operational signal, not only as a security alert.
Periodically test whether detection and IR teams can identify unauthorized logging configuration changes in Windows environments.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not a technique, and no tactic or relationship context is provided. The key decision point is whether defenders can preserve and verify Windows telemetry integrity when registry, ETW, WMI Autologger, or Sysmon settings change.

Official detection logic is not provided, and no relationships to techniques, groups, software, mitigations, or campaigns were supplied. Local validation is required to determine event IDs, data source availability, false-positive patterns, and production coverage.

Official MITRE ATT&CK definition

Analytic 0667

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Raw hash: eac0b5dfcac29c7d...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Oct 21, 2025, 15:10 UTC (UTC+00:00)	Current bundle	`eac0b5dfcac2…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN0667
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use