Detection · high · experimental
Security Event Logging Disabled via MiniNt Registry Key - Registry Set
Detects the addition of the 'MiniNt' key to the registry. After the next reboot, the Windows Event Log service stops writing events. Windows Event Log is the service that collects and stores event logs from the operating system and applications, and it is an important component of Windows security and auditing. An adversary may disable this service to stop the logging of security events that could otherwise be used to detect their activity.
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Created: Wed Apr 09
Rule ID: 8839e550-52d7-4958-9f2f-e13c1e736838
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (1 selector)

detection:
  selection:
    TargetObject: 'HKLM\System\CurrentControlSet\Control\MiniNt\(Default)'
  condition: selection

False Positives
Highly Unlikely
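To see what this single-selector rule actually fires on, the following added example (not part of the rule, the page, or the Sigma project) evaluates the selection against a handful of constructed registry_set records. The field names mirror Sysmon Event ID 13 (RegistryEvent: Value Set) as mapped by the Sigma registry_set log source, which is an assumption about the collection pipeline; the events themselves are made up for illustration. It applies Sigma's default string semantics (case-insensitive, exact match when no wildcard is used), which is why a differently cased HKLM\SYSTEM path still matches while a value beneath the MiniNt key does not.

```python
"""
Added example: minimal evaluation of the 'MiniNt' registry_set Sigma rule
against constructed Sysmon Event ID 13 style records.
"""

# Value copied verbatim from the rule's selection above.
RULE_TARGET = r"HKLM\System\CurrentControlSet\Control\MiniNt\(Default)"


def sigma_equals(event_value, pattern):
    """Sigma string comparison: case-insensitive and exact unless wildcards are used."""
    if event_value is None:
        return False
    return event_value.lower() == pattern.lower()


def matches_rule(event):
    """The rule has one selector and condition 'selection': true iff TargetObject matches."""
    return sigma_equals(event.get("TargetObject"), RULE_TARGET)


# Constructed sample events (assumed Sysmon EventID 13 field names); not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\MiniNt\(Default)",
     "Details": "(Empty)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations",
     "Details": "..."},
    # Same key written with different letter case: still matches because
    # Sigma string comparison is case-insensitive.
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\MiniNt\(Default)",
     "Details": "(Empty)"},
    # A value beneath MiniNt: the exact match on '\(Default)' does not fire here.
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\MiniNt\SomeValue",
     "Details": "1"},
]


def find_alerts(events):
    """Return (Image, TargetObject) for every event that raises the rule, for triage."""
    return [(e["Image"], e["TargetObject"]) for e in events if matches_rule(e)]


if __name__ == "__main__":
    for image, target in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT [high] MiniNt key set by {image}: {target}")
```

Because the only field is TargetObject, the writing process (Image) is not part of the match; it is carried through only so an analyst can see which process wrote the key when the alert is triaged.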
References
MITRE ATT&CK
Tactics: Persistence, Defense Evasion
Techniques: T1112 (Modify Registry)
Sub-techniques: T1562.002 (Impair Defenses: Disable Windows Event Logging)
CAR Analytics
CAR-2022-03-001
Rule Metadata
Rule ID
8839e550-52d7-4958-9f2f-e13c1e736838
Status
experimental
Level
high
Type
Detection
Created
Wed Apr 09
Path
rules/windows/registry/registry_set/registry_set_create_minint_key.yml
Raw Tags
attack.persistence, attack.defense-evasion, attack.t1562.002, attack.t1112, car.2022-03-001