Detection · high · experimental
Security Event Logging Disabled via MiniNt Registry Key - Process
Detects attempts to disable security event logging by adding the `MiniNt` registry key. This key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications. Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.
Author: Swachchhanda Shrawan Poudel (Nextron Systems) · Created: Wed Apr 09 · Rule ID: 1a4bd6af-99ac-4466-b5b2-7b72b4a05462 · Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (5 selectors)
detection:
    selection_reg_img:
        # Example: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt"
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_cmd:
        CommandLine|contains|all:
            - ' add '
            - '\SYSTEM\CurrentControlSet\Control\MiniNt'
    selection_powershell_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\powershell_ise.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_powershell_cmd1:
        CommandLine|contains:
            - 'New-Item '
            - 'ni '
    selection_powershell_cmd2:
        CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\MiniNt'
    condition: all of selection_reg_* or all of selection_powershell_*
False Positives
Highly Unlikely
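To show how the detection block above actually resolves against process-creation telemetry, here is an added example evaluator (my own code, not part of the Sigma rule, the Sigma project, or any backend). It implements only the Sigma features this rule uses: the endswith, contains and contains|all modifiers, the list-of-maps OR semantics, Sigma's case-insensitive string matching, and the "all of selection_<prefix>_*" condition. The sample events are constructed, not real telemetry, and the field names (Image, OriginalFileName, CommandLine) follow the rule's own process_creation field names.

```python
# Added example: a minimal evaluator for this rule's detection block, run over
# constructed process-creation events. Not the Sigma project's code.
from __future__ import annotations
from fnmatch import fnmatchcase
from typing import Any

# The detection block of the rule, transcribed as Python literals.
DETECTION: dict[str, Any] = {
    "selection_reg_img": [                      # list of maps => OR
        {"Image|endswith": "\\reg.exe"},
        {"OriginalFileName": "reg.exe"},
    ],
    "selection_reg_cmd": {                      # map => AND over keys
        "CommandLine|contains|all": [" add ", "\\SYSTEM\\CurrentControlSet\\Control\\MiniNt"],
    },
    "selection_powershell_img": [
        {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe", "\\powershell_ise.exe"]},
        {"OriginalFileName": ["PowerShell.EXE", "pwsh.dll"]},
    ],
    "selection_powershell_cmd1": {"CommandLine|contains": ["New-Item ", "ni "]},
    "selection_powershell_cmd2": {
        "CommandLine|contains": "\\SYSTEM\\CurrentControlSet\\Control\\MiniNt"
    },
}
# condition: all of selection_reg_* or all of selection_powershell_*
CONDITION_GROUPS = ["selection_reg_*", "selection_powershell_*"]


def _match_value(field_spec: str, event: dict, patterns) -> bool:
    """Evaluate one 'Field|mod1|mod2: value(s)' entry against an event."""
    field, *mods = field_spec.split("|")
    actual = str(event.get(field, "")).lower()     # Sigma matches case-insensitively
    if not isinstance(patterns, list):
        patterns = [patterns]
    patterns = [str(p).lower() for p in patterns]
    if "endswith" in mods:
        hits = [actual.endswith(p) for p in patterns]
    elif "contains" in mods:
        hits = [p in actual for p in patterns]
    else:                                           # plain equality
        hits = [actual == p for p in patterns]
    # The 'all' modifier turns the value list from OR into AND.
    return all(hits) if "all" in mods else any(hits)


def _match_selection(selection, event: dict) -> bool:
    """A map is AND over its keys; a list of maps is OR over the maps."""
    if isinstance(selection, list):
        return any(_match_selection(item, event) for item in selection)
    return all(_match_value(spec, event, pats) for spec, pats in selection.items())


def rule_matches(event: dict) -> bool:
    """Resolve 'all of selection_reg_* or all of selection_powershell_*'."""
    for group in CONDITION_GROUPS:
        names = [n for n in DETECTION if fnmatchcase(n, group)]
        if names and all(_match_selection(DETECTION[n], event) for n in names):
            return True
    return False


# Constructed sample events in the shape of a process-creation record.
SAMPLE_EVENTS = [
    # The example from the rule's own comment.
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": 'reg add "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MiniNt"'},
    # PowerShell variant: New-Item plus the key path.
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -c New-Item HKLM:\\SYSTEM\\CurrentControlSet\\Control\\MiniNt"},
    # Copy of reg.exe under another name: the OriginalFileName alternative still matches.
    {"Image": "C:\\Users\\Public\\r.exe", "OriginalFileName": "reg.exe",
     "CommandLine": "r.exe add HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt /f"},
    # Benign: reading the key is not an 'add', so selection_reg_cmd fails.
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg query HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt"},
    # Benign: PowerShell creating an unrelated key (constructed path).
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -c New-Item HKLM:\\SOFTWARE\\Contoso"},
]


def triage(events) -> list[bool]:
    """Return one verdict per event, in order."""
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print("ALERT " if hit else "ok    ", ev["CommandLine"])
```

The first three constructed events fire and the last two do not. Because the rule keys on process command lines, it only sees the key being created through reg.exe or PowerShell with the key path visible in the command line; covering other ways of writing the key needs registry-event telemetry rather than process creation.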
MITRE ATT&CK
Tactics: Persistence, Defense Evasion
Techniques: T1112 Modify Registry
Sub-techniques: T1562.002 Impair Defenses: Disable Windows Event Logging
CAR Analytics: CAR-2022-03-001
Rule Metadata
Rule ID
1a4bd6af-99ac-4466-b5b2-7b72b4a05462
Status
experimental
Level
high
Type
Detection
Created
Wed Apr 09
Path
rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
Raw Tags
attack.persistence, attack.defense-evasion, attack.t1562.002, attack.t1112, car.2022-03-001