LoFP / highly unlikely

Sample rules

Security Event Logging Disabled via MiniNt Registry Key - Process

Description

Detects attempts to disable security event logging by adding the MiniNt registry key. This key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications. Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.

Detection logic

condition: all of selection_reg_* or all of selection_powershell_*
selection_powershell_cmd1:
  CommandLine|contains:
  - 'New-Item '
  - 'ni '
selection_powershell_cmd2:
  CommandLine|contains: \SYSTEM\CurrentControlSet\Control\MiniNt
selection_powershell_img:
- Image|endswith:
  - \powershell.exe
  - \pwsh.exe
  - \powershell_ise.exe
- OriginalFileName:
  - PowerShell.EXE
  - pwsh.dll
selection_reg_cmd:
  CommandLine|contains|all:
  - ' add '
  - \SYSTEM\CurrentControlSet\Control\MiniNt
selection_reg_img:
- Image|endswith: \reg.exe
- OriginalFileName: reg.exe

PowerShell Defender Threat Severity Default Action Set to ‘Allow’ or ‘NoAction’

Description

Detects the use of PowerShell to execute the ‘Set-MpPreference’ cmdlet to configure Windows Defender’s threat severity default action to ‘Allow’ (value ‘6’) or ‘NoAction’ (value ‘9’). This is a highly suspicious configuration change that effectively disables Defender’s ability to automatically mitigate threats of a certain severity level. An attacker might use this technique via the command line to bypass defenses before executing payloads.

Detection logic

condition: all of selection_*
selection_action:
  CommandLine|contains:
  - -LowThreatDefaultAction
  - -ModerateThreatDefaultAction
  - -HighThreatDefaultAction
  - -SevereThreatDefaultAction
  - '-ltdefac '
  - '-mtdefac '
  - '-htdefac '
  - '-stdefac '
selection_cmdlet:
  CommandLine|contains: Set-MpPreference
selection_value:
  CommandLine|contains:
  - Allow
  - '6'
  - NoAction
  - '9'

Disabling Windows Defender WMI Autologger Session via Reg.exe

Description

Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events. By setting the ‘Start’ value to ‘0’ for the ‘DefenderApiLogger’ or ‘DefenderAuditLogger’ session, an attacker can prevent these critical security events from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.

Detection logic

condition: all of selection_* and not 1 of filter_main_*
filter_main_enable:
  CommandLine|contains: '0x00000001'
selection_img:
- Image|endswith: \reg.exe
- OriginalFileName: reg.exe
selection_reg_add:
  CommandLine|contains|all:
  - add
  - '0'
selection_reg_path:
  CommandLine|contains:
  - \Control\WMI\Autologger\DefenderApiLogger\Start
  - \Control\WMI\Autologger\DefenderAuditLogger\Start

Security Event Logging Disabled via MiniNt Registry Key - Registry Set

Description

Detects the addition of the ‘MiniNt’ key to the registry. After a reboot, the Windows Event Log service stops writing events. Windows Event Log is the service that collects and stores event logs from the operating system and applications, and it is an important component of Windows security and auditing. Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.

Detection logic

condition: selection
selection:
  TargetObject: HKLM\System\CurrentControlSet\Control\MiniNt\(Default)
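The four sample rules above share a small set of Sigma constructs (`contains`, `contains|all`, `endswith`, exact match, lists OR'd and maps AND'd, and `all of` / `1 of` conditions). The following is an added example, not code from the LoFP page, the Sigma project or any SIEM: a minimal evaluator for exactly those constructs, with the four detections encoded as Python data and run over constructed Sysmon-style events. The events, field names and rule labels (`minint_process`, `defender_default_action`, `defender_autologger`, `minint_registry`) are assumptions made for the example; the event bodies are constructed, not captured telemetry.

```python
"""Evaluate the four sample detections against constructed events.

Added example, not part of the LoFP page or Sigma. Only the modifiers these
rules use are implemented: contains, contains|all, endswith, exact match."""


def _field_matches(event, key, expected):
    """Apply one 'Field|modifier' test. Sigma string matching is
    case-insensitive, so both sides are lower-cased before comparing."""
    field, *mods = key.split("|")
    value = event.get(field)
    if value is None:
        return False
    value = str(value).lower()
    patterns = expected if isinstance(expected, list) else [expected]

    def one(pattern):
        pattern = str(pattern).lower()
        if "contains" in mods:
            return pattern in value
        if "endswith" in mods:
            return value.endswith(pattern)
        return value == pattern

    return all(map(one, patterns)) if "all" in mods else any(map(one, patterns))


def match_selection(event, selection):
    """A mapping ANDs its field tests; a list of mappings ORs them."""
    if isinstance(selection, list):
        return any(match_selection(event, s) for s in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())


def all_of(matched, prefix):  # Sigma "all of <prefix>*"
    return all(v for k, v in matched.items() if k.startswith(prefix))


def one_of(matched, prefix):  # Sigma "1 of <prefix>*"
    return any(v for k, v in matched.items() if k.startswith(prefix))


MININT = "\\SYSTEM\\CurrentControlSet\\Control\\MiniNt"
AUTOLOGGER = "\\Control\\WMI\\Autologger\\"

# Each rule: (selections as written on the page, condition over their results).
RULES = {
    "minint_process": ({
        "selection_powershell_cmd1": {"CommandLine|contains": ["New-Item ", "ni "]},
        "selection_powershell_cmd2": {"CommandLine|contains": MININT},
        "selection_powershell_img": [
            {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe", "\\powershell_ise.exe"]},
            {"OriginalFileName": ["PowerShell.EXE", "pwsh.dll"]}],
        "selection_reg_cmd": {"CommandLine|contains|all": [" add ", MININT]},
        "selection_reg_img": [{"Image|endswith": "\\reg.exe"}, {"OriginalFileName": "reg.exe"}],
    }, lambda m: all_of(m, "selection_reg_") or all_of(m, "selection_powershell_")),
    "defender_default_action": ({
        "selection_action": {"CommandLine|contains": [
            "-LowThreatDefaultAction", "-ModerateThreatDefaultAction",
            "-HighThreatDefaultAction", "-SevereThreatDefaultAction",
            "-ltdefac ", "-mtdefac ", "-htdefac ", "-stdefac "]},
        "selection_cmdlet": {"CommandLine|contains": "Set-MpPreference"},
        "selection_value": {"CommandLine|contains": ["Allow", "6", "NoAction", "9"]},
    }, lambda m: all_of(m, "selection_")),
    "defender_autologger": ({
        "filter_main_enable": {"CommandLine|contains": "0x00000001"},
        "selection_img": [{"Image|endswith": "\\reg.exe"}, {"OriginalFileName": "reg.exe"}],
        "selection_reg_add": {"CommandLine|contains|all": ["add", "0"]},
        "selection_reg_path": {"CommandLine|contains": [
            AUTOLOGGER + "DefenderApiLogger\\Start", AUTOLOGGER + "DefenderAuditLogger\\Start"]},
    }, lambda m: all_of(m, "selection_") and not one_of(m, "filter_main_")),
    "minint_registry": ({
        "selection": {"TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\MiniNt\\(Default)"},
    }, lambda m: m["selection"]),
}


def evaluate(event):
    """Return the names of every rule whose condition holds for the event."""
    hits = []
    for name, (selections, condition) in RULES.items():
        matched = {k: match_selection(event, s) for k, s in selections.items()}
        if condition(matched):
            hits.append(name)
    return hits


REG = "C:\\Windows\\System32\\reg.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
APILOGGER = "HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\DefenderApiLogger"

# Constructed sample events (Sysmon-style field names), not captured telemetry.
SAMPLE_EVENTS = {
    "reg_minint": {"Image": REG, "OriginalFileName": "reg.exe",
                   "CommandLine": 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt"'},
    "ps_minint": {"Image": PS, "OriginalFileName": "PowerShell.EXE",
                  "CommandLine": "powershell -Command New-Item -Path HKLM:" + MININT},
    "ps_allow": {"Image": PS, "OriginalFileName": "PowerShell.EXE",
                 "CommandLine": "powershell -c Set-MpPreference -HighThreatDefaultAction Allow"},
    "ps_quarantine": {"Image": PS, "OriginalFileName": "PowerShell.EXE",  # benign value
                      "CommandLine": "powershell -c Set-MpPreference -HighThreatDefaultAction Quarantine"},
    "reg_autologger_off": {"Image": REG, "OriginalFileName": "reg.exe",
                           "CommandLine": "reg add " + APILOGGER + "\\Start /d 0 /f"},
    "reg_autologger_on": {"Image": REG, "OriginalFileName": "reg.exe",  # hits filter_main_enable
                          "CommandLine": "reg add " + APILOGGER + "\\Start /d 0x00000001 /f"},
    "reg_autologger_v": {"Image": REG, "OriginalFileName": "reg.exe",  # '\Start' not in command line
                         "CommandLine": "reg add " + APILOGGER + " /v Start /t REG_DWORD /d 0 /f"},
    "registry_set": {"EventType": "SetValue",
                     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\MiniNt\\(Default)"},
}

if __name__ == "__main__":
    for name, event in SAMPLE_EVENTS.items():
        print(f"{name:20} -> {evaluate(event) or 'no match'}")
```

Two of the constructed events are there to show what the logic as written does and does not cover: `reg_autologger_on` is suppressed by `filter_main_enable` because `0x00000001` is in the command line, and `reg_autologger_v` is not matched because `selection_reg_path` requires the literal `\Start` suffix to appear in the command line, which a `/v Start` form does not contain. The `ps_quarantine` event shows that `selection_value` alone keeps a `Quarantine` default action from firing the Defender rule.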