Detectionhighexperimental

Security Event Logging Disabled via MiniNt Registry Key - Process

Detects attempts to disable security event logging by adding the `MiniNt` registry key. This key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications. Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Swachchhanda Shrawan Poudel (Nextron Systems)Created Wed Apr 091a4bd6af-99ac-4466-b5b2-7b72b4a05462windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_reg_img:
        # Example: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt"
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_cmd:
        CommandLine|contains|all:
            - ' add '
            - '\SYSTEM\CurrentControlSet\Control\MiniNt'
    selection_powershell_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\powershell_ise.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_powershell_cmd1:
        CommandLine|contains:
            - 'New-Item '
            - 'ni '
    selection_powershell_cmd2:
        CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\MiniNt'
    condition: all of selection_reg_* or all of selection_powershell_*

False Positives

Highly Unlikely

References

Resolving title…

hackingarticles.in

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0005 · Defense Evasion

Techniques

T1112 · Modify Registry

Sub-techniques

T1562.002 · Disable Windows Event Logging

CAR Analytics

2022-03-001 · CAR 2022-03-001

Related Rules

SimilarDetectionhigh

Security Event Logging Disabled via MiniNt Registry Key - Registry Set

Detects the addition of the 'MiniNt' key to the registry. Upon a reboot, Windows Event Log service will stop writing events. Windows Event Log is a service that collects and stores event logs from the operating system and applications. It is an important component of Windows security and auditing. Adversary may want to disable this service to disable logging of security events which could be used to detect their activities.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

1a4bd6af-99ac-4466-b5b2-7b72b4a05462

Status

experimental

Level

high

Type

Detection

Created

Wed Apr 09

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Path

rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml

Raw Tags

attack.persistenceattack.defense-evasionattack.t1562.002attack.t1112car.2022-03-001

View on GitHub