Detects the addition of the MiniNT registry key in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control, which may disable Event Viewer. Upon a reboot, Windows Event Log service will stopped write events.
Example:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt"
Related
N/A
Reference:
https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
https://twitter.com/0gtweet/status/1182516740955226112
{{ mitre("T1562.002")}}
Data Source(s): Windows Registry
DeviceRegistryEvents
| where RegistryKey endswith @"\Control\MiniNt"
- Inspect if the activity is expected and approved.
Version 1.0 (date: 10/07/2023)