T1562.002 Impair Defenses Disable WindowsLoggingMiniNT

T1562.002 - Impair Defenses: Disable Windows Logging¶

DESCRIPTION¶

Detects the addition of the MiniNT registry key in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control, which may disable Event Viewer. Upon a reboot, Windows Event Log service will stopped write events.

Example:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt"

Related

N/A

Reference:

https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
https://twitter.com/0gtweet/status/1182516740955226112

ATT&CK TACTICS¶

T1562.002 - Impair Defenses: Disable Windows Event Logging

Data Source(s): Windows Registry

SENTINEL RULE QUERY¶

1 2	`DeviceRegistryEvents \| where RegistryKey endswith @"\Control\MiniNt"`

Triage¶

Inspect if the activity is expected and approved.

VERSION¶

Version 1.0 (date: 10/07/2023)