Disable Security Events Logging Adding Reg Key MiniNt

Detects the addition of a key named 'MiniNt' to the registry. After a reboot, the Windows Event Log service stops writing events.

Sigma rule

```yaml
title: Disable Security Events Logging Adding Reg Key MiniNt
id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044
status: test
description: Detects the addition of a key named 'MiniNt' to the registry. After a reboot, the Windows Event Log service stops writing events.
references:
    - https://twitter.com/0gtweet/status/1182516740955226112
author: Ilyas Ochkov, oscd.community
date: 2019/10/25
modified: 2021/11/27
tags:
    - attack.defense_evasion
    - attack.t1562.001
    - attack.t1112
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        # Sysmon reports HKLM\SYSTEM\CurrentControlSet\.. when ControlSetXX is the selected control set
        - TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
          EventType: 'CreateKey'    # key creation only; DeleteKey is not of interest
        # key renamed into place
        - NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
    condition: selection
fields:
    - EventID
    - Image
    - TargetObject
    - NewName
falsepositives:
    - Unknown
level: high
```
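The rule's `selection` is a list of two maps, which Sigma ORs together: a `CreateKey` event whose `TargetObject` is the MiniNt key, or a rename event whose `NewName` is that key. The following is an added example, not part of the rule or the Sigma project, that implements exactly that selection logic in Python and runs it over constructed Sysmon-style registry events (field names as the rule uses them; the `Image` paths and event contents are invented for illustration). It also shows one detail the YAML does not spell out: Sigma compares strings case-insensitively by default, so a matching implementation must lower-case both sides.

```python
"""Reference implementation of the MiniNt Sigma rule's selection logic.

Added example for this page; it is not the rule itself and not Sigma project
code. Sysmon already reports the selected control set as CurrentControlSet, so
no ControlSet00X normalisation is attempted here (see the rule's comment).
"""

# The key the rule watches, exactly as written in the rule.
MININT_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\MiniNt"


def matches_minint_rule(event: dict) -> bool:
    """Return True if a registry event satisfies the rule's 'selection'.

    The two list entries under 'selection' are ORed:
      1. TargetObject == MiniNt key AND EventType == 'CreateKey'
         (Sysmon Event ID 12; DeleteKey shares the ID but must not match)
      2. NewName == MiniNt key (Sysmon Event ID 14, key renamed into place)
    Comparisons are case-insensitive, matching Sigma's default string semantics.
    """
    wanted = MININT_KEY.lower()
    target = str(event.get("TargetObject", "")).lower()
    event_type = str(event.get("EventType", "")).lower()
    new_name = str(event.get("NewName", "")).lower()

    created = target == wanted and event_type == "createkey"
    renamed = new_name == wanted
    return created or renamed


# Constructed sample events (not captured telemetry). Shapes follow Sysmon's
# registry events after parsing; Image paths are placeholders.
SAMPLE_EVENTS = [
    # 1. key created directly -> should alert
    {"EventID": 12, "EventType": "CreateKey",
     "Image": r"C:\Users\alice\tool.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\MiniNt"},
    # 2. same key deleted -> must NOT alert (rule excludes DeleteKey)
    {"EventID": 12, "EventType": "DeleteKey",
     "Image": r"C:\Users\alice\tool.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\MiniNt"},
    # 3. key renamed into place, different case -> should alert via NewName
    {"EventID": 14, "EventType": "RenameKey",
     "Image": r"C:\Users\alice\other.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\tmpkey",
     "NewName": r"HKLM\SYSTEM\CurrentControlSet\Control\minint"},
    # 4. unrelated key creation -> must NOT alert
    {"EventID": 12, "EventType": "CreateKey",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"},
]


def alerts(events):
    """Return (EventID, Image) for each event that fires the rule, in input order.

    These are two of the 'fields' the rule asks to surface with an alert.
    """
    return [(e["EventID"], e["Image"]) for e in events if matches_minint_rule(e)]


if __name__ == "__main__":
    for event_id, image in alerts(SAMPLE_EVENTS):
        print(f"ALERT EventID={event_id} Image={image}")
```

When porting the rule to a backend that matches strings case-sensitively, the third sample event is the one that silently stops matching; adding a case-variant test like it to a detection unit-test suite catches that regression.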
