From c04599ece24491a87b710a440eb80f2e33c902cd Mon Sep 17 00:00:00 2001
From: swachchhanda000
Date: Wed, 9 Apr 2025 15:44:00 +0545
Subject: [PATCH 01/11] feat: Security Event Logging Disabled Via MiniNt Registry Key
---
...n_event_logging_disable_via_key_minint.yml | 47 +++++++++++++++++++
...y_events_logging_adding_reg_key_minint.yml | 26 +++++++---
2 files changed, 66 insertions(+), 7 deletions(-)
create mode 100644 rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
diff --git a/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml b/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
new file mode 100644
index 00000000000..07534b1bd9f
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
@@ -0,0 +1,47 @@
+title: Security Event Logging Disabled Via MiniNt Registry Key
+id: 1a4bd6af-99ac-4466-b5b2-7b72b4a05462
+related:
+ - id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044 # Disable Security Events Logging Adding Reg Key MiniNt
+ type: similar
+status: experimental
+description: |
+ Detects attempts to disable security event logging by adding MiniNt registry key.
+ This key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications.
+ Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.
+references:
+ - https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-04-09
+tags:
+ - attack.defense-evasion
+ - attack.t1562.002
+ - car.2022-03-001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_reg_img:
+ # Example: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt"
+ - Image|endswith: '\reg.exe'
+ - OriginalFileName: 'reg.exe'
+ selection_reg_cmd:
+ CommandLine|contains|all:
+ - 'add'
+ - '\SYSTEM\CurrentControlSet
+ - '\Control\MiniNt'
+ selection_powershell_img:
+ - Image|endswith:
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - '\powershell_ise.exe'
+ - OriginalFileName:
+ - 'PowerShell.EXE'
+ - 'pwsh.dll'
+ selection_powershell_cmd:
+ CommandLine|contains|all:
+ - 'New-Item'
+ - '\SYSTEM\CurrentControlSet\Control\MiniNt'
+ condition: all of selection_reg_img_* or all of selection_powershell_reg_*
+falsepositives:
+ - Highly Unlikely
+level: high
diff --git a/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
index 3c289fed49d..e47c09f52e0 100755
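Review bot: The description does not say that the key only takes effect at the next boot, which the sibling rule 919f2ef0's description does state and which matters operationally: an alert from this rule arrives while logging is still running, so the key can still be removed before the reboot that silences it. Propose extending the first description line to `Detects attempts to disable security event logging by adding the MiniNt registry key, which stops the Windows Event Log service from writing events after the next reboot.` and softening `This key is used to disable the Windows Event Log service` to `The presence of this key at boot prevents the Windows Event Log service from writing events`, since the key is not a documented disable switch (confirm the exact mechanism against the referenced article). The hunk is the complete new file, so nothing continues outside it.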
--- a/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
+++ b/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
@@ -1,32 +1,44 @@
title: Disable Security Events Logging Adding Reg Key MiniNt
id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044
+related:
+ - id: 1a4bd6af-99ac-4466-b5b2-7b72b4a05462 # Security Event Logging Disabled Via MiniNt Registry Key
+ type: similar
status: test
-description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.
+description: |
+ Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.
+ Windows Event Log is a service that collects and stores event logs from the operating system and applications. It is an important component of Windows security and auditing.
+ Adversary may want to disable this service to disable logging of security events which could be used to detect their activities.
references:
- https://twitter.com/0gtweet/status/1182516740955226112
-author: Ilyas Ochkov, oscd.community
+ - https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
+author: Ilyas Ochkov, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-10-25
-modified: 2021-11-27
+modified: 2025-04-09
tags:
- attack.defense-evasion
- - attack.t1562.001
+ - attack.t1562.002
- attack.t1112
+ - car.2022-03-001
logsource:
category: registry_event
product: windows
detection:
- selection:
+ selection_cond_1:
# Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
- TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
EventType: 'CreateKey' # we don't want deletekey
# key rename
- NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
- condition: selection
+ selection_cond_2:
+ TargetObject: 'HKLM\System\CurrentControlSet\Control\MiniNt\(Default)'
+ EventType: 'SetValue'
+ Details: (Empty)
+ condition: 1 of selection_cond_*
fields:
- EventID
- Image
- TargetObject
- NewName
falsepositives:
- - Unknown
+ - Highly Unlikely
level: high
From 068bff7a0b73941932d6953fab1078bd62feb250 Mon Sep 17 00:00:00 2001
From: swachchhanda000
Date: Wed, 9 Apr 2025 15:51:46 +0545
Subject: [PATCH 02/11] fix: linting issues
---
...creation_win_event_logging_disable_via_key_minint.yml | 9 ++++-----
...ble_security_events_logging_adding_reg_key_minint.yml | 2 +-
2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml b/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
index 07534b1bd9f..18764cb7aab 100644
--- a/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
+++ b/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
@@ -26,9 +26,8 @@ detection:
- OriginalFileName: 'reg.exe'
selection_reg_cmd:
CommandLine|contains|all:
- - 'add'
- - '\SYSTEM\CurrentControlSet
- - '\Control\MiniNt'
+ - 'add'
+ - '\SYSTEM\CurrentControlSet\Control\MiniNt'
selection_powershell_img:
- Image|endswith:
- '\powershell.exe'
@@ -39,8 +38,8 @@ detection:
- 'pwsh.dll'
selection_powershell_cmd:
CommandLine|contains|all:
- - 'New-Item'
- - '\SYSTEM\CurrentControlSet\Control\MiniNt'
+ - 'New-Item'
+ - '\SYSTEM\CurrentControlSet\Control\MiniNt'
condition: all of selection_reg_img_* or all of selection_powershell_reg_*
falsepositives:
- Highly Unlikely
diff --git a/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
index e47c09f52e0..3e2005a2799 100755
--- a/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
+++ b/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
@@ -32,7 +32,7 @@ detection:
selection_cond_2:
TargetObject: 'HKLM\System\CurrentControlSet\Control\MiniNt\(Default)'
EventType: 'SetValue'
- Details: (Empty)
+ Details: '(Empty)'
condition: 1 of selection_cond_*
fields:
- EventID
From 1be9fbb616159c1827934d3a8fb5980d421596c5 Mon Sep 17 00:00:00 2001
From: swachchhanda000
Date: Wed, 9 Apr 2025 15:52:17 +0545
Subject: [PATCH 03/11] fix: condition typo
---
.../proc_creation_win_event_logging_disable_via_key_minint.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml b/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
index 18764cb7aab..d6c1c00b3dd 100644
--- a/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
+++ b/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
@@ -40,7 +40,7 @@ detection:
CommandLine|contains|all:
- 'New-Item'
- '\SYSTEM\CurrentControlSet\Control\MiniNt'
- condition: all of selection_reg_img_* or all of selection_powershell_reg_*
+ condition: all of selection_reg_img_* or all of selection_powershell_*
falsepositives:
- Highly Unlikely
level: high
From 56a086f88b33c3d1069fbebe74a3c9a1d237b7a4 Mon Sep 17 00:00:00 2001
From: swachchhanda000
Date: Wed, 9 Apr 2025 15:55:10 +0545
Subject: [PATCH 04/11] fix: condition typo
---
.../proc_creation_win_event_logging_disable_via_key_minint.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml b/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
index d6c1c00b3dd..a41fffe158a 100644
--- a/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
+++ b/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
@@ -40,7 +40,7 @@ detection:
CommandLine|contains|all:
- 'New-Item'
- '\SYSTEM\CurrentControlSet\Control\MiniNt'
- condition: all of selection_reg_img_* or all of selection_powershell_*
+ condition: all of selection_reg_* or all of selection_powershell_*
falsepositives:
- Highly Unlikely
level: high
From 053a75f13e8ca8baf371c188125a31e14524482e Mon Sep 17 00:00:00 2001
From: swachchhanda000
Date: Fri, 11 Apr 2025 15:24:50 +0545
Subject: [PATCH 05/11] fix: logsource
---
...n_event_logging_disable_via_key_minint.yml | 4 +--
...y_events_logging_adding_reg_key_minint.yml | 24 +++++---------
.../registry_set_create_minint_key.yml | 31 +++++++++++++++++++
3 files changed, 40 insertions(+), 19 deletions(-)
create mode 100644 rules/windows/registry/registry_set/registry_set_create_minint_key.yml
diff --git a/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml b/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
index a41fffe158a..567c9e856c4 100644
--- a/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
+++ b/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
@@ -1,7 +1,7 @@
-title: Security Event Logging Disabled Via MiniNt Registry Key
+title: Security Event Logging Disabled Via MiniNt Registry Key - Process
id: 1a4bd6af-99ac-4466-b5b2-7b72b4a05462
related:
- - id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044 # Disable Security Events Logging Adding Reg Key MiniNt
+ - id: 8839e550-52d7-4958-9f2f-e13c1e736838 # Disable Security Events Logging Adding Reg Key MiniNt - Registry Set
type: similar
status: experimental
description: |
diff --git a/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
index 3e2005a2799..b9fe796c0bf 100755
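Review bot: Replacing the `related` entry drops the cross-reference to the registry_event rule 919f2ef0, which still exists after this patch and detects the same key via Sysmon CreateKey; keep it alongside the new entry, i.e. add `- id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044 # Disable Security Events Logging Adding Reg Key MiniNt` with `type: similar` back under `related`. The trailing comment on the 8839e550 entry also does not match that rule's actual title, which this same patch sets to `Security Event Logging Disabled Via MiniNt Registry Key - Registry Set`. The rest of the rule is outside this hunk.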
--- a/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
+++ b/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
@@ -1,19 +1,13 @@
title: Disable Security Events Logging Adding Reg Key MiniNt
id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044
-related:
- - id: 1a4bd6af-99ac-4466-b5b2-7b72b4a05462 # Security Event Logging Disabled Via MiniNt Registry Key
- type: similar
status: test
-description: |
- Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.
- Windows Event Log is a service that collects and stores event logs from the operating system and applications. It is an important component of Windows security and auditing.
- Adversary may want to disable this service to disable logging of security events which could be used to detect their activities.
+description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.
references:
- https://twitter.com/0gtweet/status/1182516740955226112
- https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
-author: Ilyas Ochkov, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
+author: Ilyas Ochkov, oscd.community
date: 2019-10-25
-modified: 2025-04-09
+modified: 2021-11-27
tags:
- attack.defense-evasion
- attack.t1562.002
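Review bot: `modified: 2021-11-27` is restored on the new side while content changes from the earlier patch are kept in this hunk — the tag now reads `attack.t1562.002` where the original had `attack.t1562.001`, and the hackingarticles reference is new — so the rule changed without a date bump. Set `modified: 2025-04-09` (or the date the series is merged); as far as I recall, the Sigma contribution guidelines expect `modified` to be updated on any non-whitespace change to a rule. The tag list continues in the next hunk.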
@@ -23,22 +17,18 @@ logsource:
category: registry_event
product: windows
detection:
- selection_cond_1:
+ selection:
# Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
- TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
EventType: 'CreateKey' # we don't want deletekey
# key rename
- NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
- selection_cond_2:
- TargetObject: 'HKLM\System\CurrentControlSet\Control\MiniNt\(Default)'
- EventType: 'SetValue'
- Details: '(Empty)'
- condition: 1 of selection_cond_*
+ condition: selection
fields:
- EventID
- Image
- TargetObject
- NewName
falsepositives:
- - Highly Unlikely
-level: high
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_create_minint_key.yml b/rules/windows/registry/registry_set/registry_set_create_minint_key.yml
new file mode 100644
index 00000000000..71357a3d415
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_create_minint_key.yml
@@ -0,0 +1,31 @@
+title: Security Event Logging Disabled Via MiniNt Registry Key - Registry Set
+id: 8839e550-52d7-4958-9f2f-e13c1e736838
+related:
+ - id: 1a4bd6af-99ac-4466-b5b2-7b72b4a05462 # Security Event Logging Disabled Via MiniNt Registry Key
+ type: similar
+status: experimental
+description: |
+ Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.
+ Windows Event Log is a service that collects and stores event logs from the operating system and applications. It is an important component of Windows security and auditing.
+ Adversary may want to disable this service to disable logging of security events which could be used to detect their activities.
+references:
+ - https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-04-09
+tags:
+ - attack.defense-evasion
+ - attack.t1562.002
+ - attack.t1112
+ - car.2022-03-001
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ TargetObject: 'HKLM\System\CurrentControlSet\Control\MiniNt\(Default)'
+ EventType: 'SetValue'
+ Details: '(Empty)'
+ condition: selection
+falsepositives:
+ - Highly Unlikely
+level: high
From d381f79fbd2db90586ff2d06bab74732a07f19b3 Mon Sep 17 00:00:00 2001
From: swachchhanda000
Date: Fri, 11 Apr 2025 15:27:01 +0545
Subject: [PATCH 06/11] fix: nonewline at the end error
---
...nt_disable_security_events_logging_adding_reg_key_minint.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
index b9fe796c0bf..1323dbf50e3 100755
--- a/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
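Review bot: `related` lists only the process-creation rule, but the registry_event rule 919f2ef0 — edited in this same patch — matches the same key via Sysmon EventID 12 CreateKey, so it should be listed too: add `- id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044 # Disable Security Events Logging Adding Reg Key MiniNt` with `type: similar`. The selection also assumes that whatever creates the key writes its `(Default)` value with empty data; that presumably holds for the `reg add` example shown in the process rule's comment, but a caller using the registry API directly may never touch `(Default)`, so bare key creation would be covered only by 919f2ef0 — worth confirming with a Sysmon capture and stating in the description. The hunk is the complete new file.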
+++ b/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
@@ -31,4 +31,4 @@ fields:
- NewName
falsepositives:
- Unknown
-level: high
\ No newline at end of file
+level: high
From 323033bc2ffa53f2743bda0a797bbf1e31db51e7 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 1 Oct 2025 12:37:32 +0200
Subject: [PATCH 07/11] fix: wording
---
...proc_creation_win_event_logging_disable_via_key_minint.yml | 4 ++--
.../registry/registry_set/registry_set_create_minint_key.yml | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml b/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
index 567c9e856c4..f229f3237f0 100644
--- a/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
+++ b/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
@@ -1,11 +1,11 @@
-title: Security Event Logging Disabled Via MiniNt Registry Key - Process
+title: Security Event Logging Disabled via MiniNt Registry Key - Process
id: 1a4bd6af-99ac-4466-b5b2-7b72b4a05462
related:
- id: 8839e550-52d7-4958-9f2f-e13c1e736838 # Disable Security Events Logging Adding Reg Key MiniNt - Registry Set
type: similar
status: experimental
description: |
- Detects attempts to disable security event logging by adding MiniNt registry key.
+ Detects attempts to disable security event logging by adding the `MiniNt` registry key.
This key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications.
Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.
references:
diff --git a/rules/windows/registry/registry_set/registry_set_create_minint_key.yml b/rules/windows/registry/registry_set/registry_set_create_minint_key.yml
index 71357a3d415..88a4e3a0d38 100644
--- a/rules/windows/registry/registry_set/registry_set_create_minint_key.yml
+++ b/rules/windows/registry/registry_set/registry_set_create_minint_key.yml
@@ -1,11 +1,11 @@
-title: Security Event Logging Disabled Via MiniNt Registry Key - Registry Set
+title: Security Event Logging Disabled via MiniNt Registry Key - Registry Set
id: 8839e550-52d7-4958-9f2f-e13c1e736838
related:
- id: 1a4bd6af-99ac-4466-b5b2-7b72b4a05462 # Security Event Logging Disabled Via MiniNt Registry Key
type: similar
status: experimental
description: |
- Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.
+ Detects the addition of the 'MiniNt' key to the registry. Upon a reboot, Windows Event Log service will stop writing events.
Windows Event Log is a service that collects and stores event logs from the operating system and applications. It is an important component of Windows security and auditing.
Adversary may want to disable this service to disable logging of security events which could be used to detect their activities.
references:
From 7eea8d020d76930bbbdca42183d63fd7ffa36b09 Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Date: Wed, 1 Oct 2025 16:26:19 +0545
Subject: [PATCH 08/11] Apply suggestions from code review
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
...tion_win_event_logging_disable_via_key_minint.yml | 12 +++++++-----
.../registry_set/registry_set_create_minint_key.yml | 1 -
2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml b/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
index f229f3237f0..73524d7b5a8 100644
--- a/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
+++ b/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
@@ -26,7 +26,7 @@ detection:
- OriginalFileName: 'reg.exe'
selection_reg_cmd:
CommandLine|contains|all:
- - 'add'
+ - ' add '
- '\SYSTEM\CurrentControlSet\Control\MiniNt'
selection_powershell_img:
- Image|endswith:
@@ -36,10 +36,12 @@ detection:
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- selection_powershell_cmd:
- CommandLine|contains|all:
- - 'New-Item'
- - '\SYSTEM\CurrentControlSet\Control\MiniNt'
+ selection_powershell_cmd1:
+ CommandLine|contains:
+ - 'New-Item '
+ - 'ni '
+ selection_powershell_cmd2:
+ CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\MiniNt'
condition: all of selection_reg_* or all of selection_powershell_*
falsepositives:
- Highly Unlikely
diff --git a/rules/windows/registry/registry_set/registry_set_create_minint_key.yml b/rules/windows/registry/registry_set/registry_set_create_minint_key.yml
index 88a4e3a0d38..989a6649255 100644
--- a/rules/windows/registry/registry_set/registry_set_create_minint_key.yml
+++ b/rules/windows/registry/registry_set/registry_set_create_minint_key.yml
@@ -23,7 +23,6 @@ logsource:
detection:
selection:
TargetObject: 'HKLM\System\CurrentControlSet\Control\MiniNt\(Default)'
- EventType: 'SetValue'
Details: '(Empty)'
condition: selection
falsepositives:
From 1ae6247e8a75e3c3772d6841009609f2682b01bb Mon Sep 17 00:00:00 2001
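Review bot: Both `selection_reg_cmd` and `selection_powershell_cmd2` require the literal `\SYSTEM\CurrentControlSet\Control\MiniNt`, but process command lines are not normalized the way Sysmon normalizes `TargetObject` (see the ControlSetXX comment in the registry_event rule), so `reg add HKLM\SYSTEM\ControlSet001\Control\MiniNt` creates the same key and matches neither selection. Since `MiniNt` directly under `\Control\` is distinctive on its own, shortening both to `- '\Control\MiniNt'` and `CommandLine|contains: '\Control\MiniNt'` should close that gap at little false-positive cost. Note also that `reg import` or `reg restore` of a prepared hive file creates the key with neither ` add ` nor the path on the command line, so the registry-side rules remain the authoritative detection and this rule is a convenience layer — worth a sentence in the description. `condition` and the surrounding selections continue outside the first hunk.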
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Date: Wed, 1 Oct 2025 17:18:49 +0545
Subject: [PATCH 09/11] Update rules/windows/registry/registry_set/registry_set_create_minint_key.yml
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
.../registry/registry_set/registry_set_create_minint_key.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/rules/windows/registry/registry_set/registry_set_create_minint_key.yml b/rules/windows/registry/registry_set/registry_set_create_minint_key.yml
index 989a6649255..724be0f103f 100644
--- a/rules/windows/registry/registry_set/registry_set_create_minint_key.yml
+++ b/rules/windows/registry/registry_set/registry_set_create_minint_key.yml
@@ -23,7 +23,6 @@ logsource:
detection:
selection:
TargetObject: 'HKLM\System\CurrentControlSet\Control\MiniNt\(Default)'
- Details: '(Empty)'
condition: selection
falsepositives:
- Highly Unlikely
From 3a341f8cc59cac6544a2e8d60a77a2e5f7946f44 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 1 Oct 2025 13:54:29 +0200
Subject: [PATCH 10/11] fix: wording
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
...nt_disable_security_events_logging_adding_reg_key_minint.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
index 1323dbf50e3..20247e3386d 100755
--- a/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
+++ b/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
@@ -1,7 +1,7 @@
title: Disable Security Events Logging Adding Reg Key MiniNt
id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044
status: test
-description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.
+description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stop writing events.
references:
- https://twitter.com/0gtweet/status/1182516740955226112
- https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
From 9c287b16a30dc4952475c406cc22469ac1b3c49a Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 1 Oct 2025 13:55:12 +0200
Subject: [PATCH 11/11] fix: update tags
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
.../proc_creation_win_event_logging_disable_via_key_minint.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml b/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
index 73524d7b5a8..de68050b9db 100644
--- a/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
+++ b/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
@@ -15,6 +15,7 @@ date: 2025-04-09
tags:
- attack.defense-evasion
- attack.t1562.002
+ - attack.t1112
- car.2022-03-001
logsource:
category: process_creation