Disable Security Events Logging Adding Reg Key MiniNt
Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.
Sigma rule (View on GitHub)
1title: Disable Security Events Logging Adding Reg Key MiniNt
2id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044
3status: test
4description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.
5references:
6 - https://twitter.com/0gtweet/status/1182516740955226112
7author: Ilyas Ochkov, oscd.community
8date: 2019-10-25
9modified: 2021-11-27
10tags:
11 - attack.defense-evasion
12 - attack.t1562.001
13 - attack.t1112
14logsource:
15 category: registry_event
16 product: windows
17detection:
18 selection:
19 # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
20 - TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
21 EventType: 'CreateKey' # we don't want deletekey
22 # key rename
23 - NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
24 condition: selection
25fields:
26 - EventID
27 - Image
28 - TargetObject
29 - NewName
30falsepositives:
31 - Unknown
32level: high
References
Related rules
- NetNTLM Downgrade Attack
- NetNTLM Downgrade Attack - Registry
- Reg Add Suspicious Paths
- AMSI Bypass Pattern Assembly GetType
- AWS CloudTrail Important Change