Security Event Logging Disabled via MiniNt Registry Key - Process
Detects attempts to disable security event logging by creating the MiniNt registry key (HKLM\SYSTEM\CurrentControlSet\Control\MiniNt) with reg.exe or PowerShell. Windows treats the presence of this key as a sign that it is running in a minimal installation environment (WinPE), and the Windows Event Log service, which collects and stores events from the operating system and applications, then stops recording events. The effect is quieter than stopping the service outright: the service still appears to run, but the Security, System and application logs go silent. Adversaries create the key to suppress the security events that would otherwise reveal their activity.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1112 Modify Registry |
| Defense Evasion | T1112 Modify Registry, T1562.002 Impair Defenses: Disable Windows Event Logging |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
The selection names indicate two independent branches: a reg.exe branch (selection_reg_*) and a PowerShell branch (selection_powershell_*). An event fires the rule when every selection of one branch matches it. String comparisons follow the Sigma default and are case-insensitive.
Stage 1: all of selection_reg_img
  or:
    Image|endswith: '\reg.exe'
    OriginalFileName: reg.exe
Stage 2: all of selection_reg_cmd
    CommandLine|contains: ' add '
    CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\MiniNt'
Stage 3: all of selection_powershell_img
  or:
    Image|endswith: '\powershell.exe'
    Image|endswith: '\powershell_ise.exe'
    Image|endswith: '\pwsh.exe'
    OriginalFileName: PowerShell.EXE
    OriginalFileName: pwsh.dll
Stage 4: all of selection_powershell_cmd1
  or:
    CommandLine|contains: 'New-Item '
    CommandLine|contains: 'ni '
Stage 5: all of selection_powershell_cmd2
    CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\MiniNt'
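The following Python is an added example, not part of the Sigma rule or of the catalog that renders it. It implements the two branches above as plain predicates and runs them over five constructed Sysmon Event ID 1 records (sample data, not real telemetry). The records exercise the points a practitioner checks before trusting the rule: a renamed reg.exe is still caught through OriginalFileName, mixed-case paths match because comparisons are lowered, a benign `reg query` of the same key does not fire, and a PowerShell invocation that splits the key into `-Path` and `-Name` slips past because the literal string `\SYSTEM\CurrentControlSet\Control\MiniNt` never appears in the command line.

```python
"""Evaluate the MiniNt Sigma rule's two branches over constructed Sysmon EID 1 records."""
from typing import Dict, List

# Field-level predicates mirror the rule's selections. Sigma string matching is
# case-insensitive by default, so every value is compared in lower case.
REG_IMAGE_SUFFIXES = ("\\reg.exe",)
REG_ORIGINAL_NAMES = ("reg.exe",)
PS_IMAGE_SUFFIXES = ("\\powershell.exe", "\\powershell_ise.exe", "\\pwsh.exe")
PS_ORIGINAL_NAMES = ("powershell.exe", "pwsh.dll")
MININT_PATH = "\\system\\currentcontrolset\\control\\minint"
PS_CREATE_VERBS = ("new-item ", "ni ")


def _image_or_original_name(event: Dict[str, str], suffixes, names) -> bool:
    """Image|endswith OR OriginalFileName equality, as in the *_img selections."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(suffixes) or original in names


def matches_reg_branch(event: Dict[str, str]) -> bool:
    """selection_reg_img AND selection_reg_cmd."""
    cmd = event.get("CommandLine", "").lower()
    return (_image_or_original_name(event, REG_IMAGE_SUFFIXES, REG_ORIGINAL_NAMES)
            and " add " in cmd and MININT_PATH in cmd)


def matches_powershell_branch(event: Dict[str, str]) -> bool:
    """selection_powershell_img AND selection_powershell_cmd1 AND selection_powershell_cmd2."""
    cmd = event.get("CommandLine", "").lower()
    return (_image_or_original_name(event, PS_IMAGE_SUFFIXES, PS_ORIGINAL_NAMES)
            and any(verb in cmd for verb in PS_CREATE_VERBS)
            and MININT_PATH in cmd)


def rule_matches(event: Dict[str, str]) -> bool:
    """Either branch fires the rule."""
    return matches_reg_branch(event) or matches_powershell_branch(event)


# Constructed sample records (hypothetical, not captured telemetry).
SAMPLE_EVENTS = [
    {   # 1: textbook reg.exe case, expected to fire
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\MiniNt"',
    },
    {   # 2: binary renamed; OriginalFileName from the PE version resource still matches
        "Image": r"C:\Users\Public\r.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"r.exe add HKLM\System\CurrentControlSet\Control\MiniNt /f",
    },
    {   # 3: PowerShell alias 'ni' with mixed-case path, expected to fire
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r"powershell -c ni HKLM:\System\CurrentControlSet\Control\MiniNt",
    },
    {   # 4: benign read of the same key; ' add ' is absent so it must not fire
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg query HKLM\SYSTEM\CurrentControlSet\Control\MiniNt",
    },
    {   # 5: evasion gap: key split across -Path/-Name, the literal path never appears
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "OriginalFileName": "pwsh.dll",
        "CommandLine": r"pwsh -c New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Control -Name MiniNt",
    },
]


def evaluate(events) -> List[bool]:
    """Return one verdict per event, in input order."""
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for i, (event, hit) in enumerate(zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)), 1):
        print(f"event {i}: {'ALERT' if hit else 'no match':8s} {event['CommandLine']}")
```

Event 5 is the caveat worth keeping in mind when tuning: the rule keys on the full registry path appearing in CommandLine, so a creation that names the parent path and the key separately, or that uses a relative path after `Set-Location HKLM:\SYSTEM\CurrentControlSet\Control`, is not covered by these strings and needs a registry-event (Sysmon Event ID 12/13) rule alongside this process-creation one. On a host where the rule has fired, the key's existence can be confirmed directly with `Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\MiniNt'` in PowerShell.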
Indicators
Each row is a field, the operator applied to it, and the values the rule matches against, collected from the selections above.
| Field | Kind | Values |
|---|---|---|
| CommandLine | match | ' add ', '\SYSTEM\CurrentControlSet\Control\MiniNt', 'New-Item ', 'ni ' |
| Image | ends_with | '\reg.exe', '\powershell.exe', '\powershell_ise.exe', '\pwsh.exe' |
| OriginalFileName | eq | reg.exe, PowerShell.EXE, pwsh.dll |