Disable Security Events Logging Adding Reg Key MiniNt
Detects the addition of a 'MiniNt' key to the registry. After a reboot, the Windows Event Log service stops writing events.
Sigma rule
```yaml
title: Disable Security Events Logging Adding Reg Key MiniNt
id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044
status: test
description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stop writing events.
references:
    - https://twitter.com/0gtweet/status/1182516740955226112
    - https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
author: Ilyas Ochkov, oscd.community
date: 2019-10-25
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1562.002
    - attack.t1112
    - car.2022-03-001
logsource:
    category: registry_event
    product: windows
detection:
    selection:
    # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
        - TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
          EventType: 'CreateKey'    # we don't want deletekey
    # key rename
        - NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
    condition: selection
fields:
    - EventID
    - Image
    - TargetObject
    - NewName
falsepositives:
    - Unknown
level: high
```
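To make the selection logic concrete, here is an added example (not part of the rule or of the Sigma project) that evaluates this rule's two selection branches over constructed Sysmon registry events; the event dictionaries and field values are made up, and the matcher assumes Sigma's default case-insensitive string comparison.

```python
# Added example, not the Sigma rule's own code: a minimal evaluator for this
# rule's 'selection' over constructed Sysmon registry events. Field names follow
# Sysmon registry events (EventID 12 CreateKey/DeleteKey, 13 SetValue,
# 14 RenameKey); the sample events below are constructed, not real telemetry.

MININT_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\MiniNt"


def matches_minint_rule(event: dict) -> bool:
    """Return True if a Sysmon registry event matches the rule's 'selection'.

    Sigma string matching is case-insensitive by default, so both sides are
    lowered. Branch 1 requires EventType 'CreateKey' (DeleteKey is excluded
    on purpose, as the rule's comment says). Branch 2 catches a key being
    renamed to MiniNt: Sysmon reports the new path in NewName.
    """
    key = MININT_KEY.lower()
    target = str(event.get("TargetObject", "")).lower()
    event_type = str(event.get("EventType", "")).lower()
    new_name = str(event.get("NewName", "")).lower()
    create_match = target == key and event_type == "createkey"
    rename_match = new_name == key
    return create_match or rename_match


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 12, "EventType": "CreateKey", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\MiniNt"},
    {"EventID": 12, "EventType": "DeleteKey", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\MiniNt"},
    {"EventID": 14, "EventType": "RenameKey", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\MiniNt_tmp",
     "NewName": r"HKLM\SYSTEM\CurrentControlSet\Control\MiniNt"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse"},
]


def alerts(events):
    """Return matching events with only the rule's 'fields' projected out."""
    fields = ("EventID", "Image", "TargetObject", "NewName")
    return [{f: e.get(f) for f in fields} for e in events if matches_minint_rule(e)]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT: MiniNt key created or renamed:", hit)
```

Running it reports the CreateKey and the RenameKey events and ignores the DeleteKey and the unrelated SetValue event, which is exactly the split the rule's two selection branches describe.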
Related rules
- Security Event Logging Disabled via MiniNt Registry Key - Process
- Security Event Logging Disabled via MiniNt Registry Key - Registry Set
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
