feat: Security Event Logging Disabled Via MiniNt Registry Key #5257
Merged: phantinuss merged 11 commits into SigmaHQ:master from swachchhanda000:disable_event_logging on Oct 1, 2025
Commits (11):
c04599e feat: Security Event Logging Disabled Via MiniNt Registry Key (swachchhanda000)
068bff7 fix: linting issues (swachchhanda000)
1be9fbb fix: condition typo (swachchhanda000)
56a086f fix: condition typo (swachchhanda000)
053a75f fix: logsource (swachchhanda000)
d381f79 fix: nonewline at the end error (swachchhanda000)
323033b fix: wording (phantinuss)
7eea8d0 Apply suggestions from code review (swachchhanda000)
1ae6247 Update rules/windows/registry/registry_set/registry_set_create_minint… (swachchhanda000)
3a341f8 fix: wording (phantinuss)
9c287b1 fix: update tags (phantinuss)
rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml (49 additions, 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| title: Security Event Logging Disabled via MiniNt Registry Key - Process | ||
| id: 1a4bd6af-99ac-4466-b5b2-7b72b4a05462 | ||
| related: | ||
| - id: 8839e550-52d7-4958-9f2f-e13c1e736838 # Disable Security Events Logging Adding Reg Key MiniNt - Registry Set | ||
| type: similar | ||
| status: experimental | ||
| description: | | ||
| Detects attempts to disable security event logging by adding the `MiniNt` registry key. | ||
| This key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications. | ||
| Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities. | ||
| references: | ||
| - https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/ | ||
| author: Swachchhanda Shrawan Poudel (Nextron Systems) | ||
| date: 2025-04-09 | ||
| tags: | ||
| - attack.defense-evasion | ||
| - attack.t1562.002 | ||
| - attack.t1112 | ||
| - car.2022-03-001 | ||
| logsource: | ||
| category: process_creation | ||
| product: windows | ||
| detection: | ||
| selection_reg_img: | ||
| # Example: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt" | ||
| - Image|endswith: '\reg.exe' | ||
| - OriginalFileName: 'reg.exe' | ||
| selection_reg_cmd: | ||
| CommandLine|contains|all: | ||
| - ' add ' | ||
| - '\SYSTEM\CurrentControlSet\Control\MiniNt' | ||
| selection_powershell_img: | ||
| - Image|endswith: | ||
| - '\powershell.exe' | ||
| - '\pwsh.exe' | ||
| - '\powershell_ise.exe' | ||
| - OriginalFileName: | ||
| - 'PowerShell.EXE' | ||
| - 'pwsh.dll' | ||
| selection_powershell_cmd1: | ||
| CommandLine|contains: | ||
| - 'New-Item ' | ||
| - 'ni ' | ||
| selection_powershell_cmd2: | ||
| CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\MiniNt' | ||
| condition: all of selection_reg_* or all of selection_powershell_* | ||
| falsepositives: | ||
| - Highly Unlikely | ||
| level: high | ||
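Review bot: `'ni '` in `selection_powershell_cmd1` is a very short substring that also matches any token ending in "ni" followed by a space (inside a path or argument, for instance), so the PowerShell branch relies entirely on `selection_powershell_cmd2` for its specificity; consider anchoring the alias the way `' add '` already is for the reg.exe branch (for example `' ni '`, plus a quoted form if scripts passed via `-Command "ni ..."` should be covered). Separately, the comment on the `related` entry reads `Disable Security Events Logging Adding Reg Key MiniNt - Registry Set`, which is not the title of the rule it points to (`Security Event Logging Disabled via MiniNt Registry Key - Registry Set` in this same PR); update the comment so the two stay in sync.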
...y/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml (4 additions, 2 deletions)
rules/windows/registry/registry_set/registry_set_create_minint_key.yml (29 additions, 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| title: Security Event Logging Disabled via MiniNt Registry Key - Registry Set | ||
| id: 8839e550-52d7-4958-9f2f-e13c1e736838 | ||
| related: | ||
| - id: 1a4bd6af-99ac-4466-b5b2-7b72b4a05462 # Security Event Logging Disabled Via MiniNt Registry Key | ||
| type: similar | ||
| status: experimental | ||
| description: | | ||
| Detects the addition of the 'MiniNt' key to the registry. Upon a reboot, Windows Event Log service will stop writing events. | ||
| Windows Event Log is a service that collects and stores event logs from the operating system and applications. It is an important component of Windows security and auditing. | ||
| Adversary may want to disable this service to disable logging of security events which could be used to detect their activities. | ||
| references: | ||
| - https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/ | ||
| author: Swachchhanda Shrawan Poudel (Nextron Systems) | ||
| date: 2025-04-09 | ||
| tags: | ||
| - attack.defense-evasion | ||
| - attack.t1562.002 | ||
| - attack.t1112 | ||
| - car.2022-03-001 | ||
| logsource: | ||
| category: registry_set | ||
| product: windows | ||
| detection: | ||
| selection: | ||
| TargetObject: 'HKLM\System\CurrentControlSet\Control\MiniNt\(Default)' | ||
| condition: selection | ||
| falsepositives: | ||
| - Highly Unlikely | ||
| level: high |
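Review bot: `TargetObject` in `selection` is an exact match on `HKLM\System\CurrentControlSet\Control\MiniNt\(Default)`, so the rule only fires when the key's default value is set; the process-creation rule in this PR matches the path with `contains`, so either use `TargetObject|contains: '\Control\MiniNt\'` here if writes to any value under the key should trigger, or state in the description that only the default value is covered. Also, the description line `Adversary may want to disable this service to disable logging...` should read `Adversaries may want to disable this service to prevent logging...`, matching the wording used in the sibling rule.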