The “Security Spotlight” blog series provides insight into emerging cyberthreats and shares tips for how you can leverage LogRhythm’s security tools, services, and out-of-the-box content to defend against attacks.
In this Security Spotlight, we’ll be talking about a technique attackers use to disable your Windows logging and increase their dwell time (MITRE ATT&CK® Technique T1562).
What is Windows Event Logging?
Windows Event Logging, specifically Security Logging, is the cornerstone of most organizations’ log monitoring strategy. In real-world deployments, LogRhythm typically observes that Windows Security logging consumes from 30% to 50% of an organization’s total logging capacity. Naturally, this has made it a prime target for nullification, a tactic commonly employed by attackers to mitigate the effectiveness of Security Information and Event Management (SIEM) installations.
One method to achieve this involves adding a registry key named “MiniNt” to a specific path in the registry. Once added, this key triggers the Windows system to behave as if it is operating in a Windows Preinstallation Environment. In this state, the system does not record any events in the Security Log, effectively disabling the generation of security event logs.
What Happens When Attackers Disable Windows Logging?
The widespread adoption of SIEM, which was driven primarily by initiatives like GDPR, has led adversaries to enter environments knowing that they must devise strategies to counter the expected SIEM installation. Hence, adversaries may strategically seek to disable Windows event logging to minimize traceable data that could cause their detection and subsequent audit. This deactivation can be applied system-wide or directed at specific applications.
These maneuvers empower adversaries to operate covertly, leaving minimal evidence of their intrusive activities. To counter, defenders must vigilantly monitor such potential activities and implement robust security measures to thwart any unauthorized alterations to event logging.
While diligent threat actors have likely employed this strategy for years, it has become an increasingly popular part of attacks because attackers expect their victim’s SIEM to expose them if logging is not disabled.
This dynamic reflects the never-ending arms race between defenders and attackers. In response to the push to standardize logging as a fundamental cybersecurity practice, attackers have adapted to evade routine monitoring.
How Can LogRhythm Help You?
Similar to other log monitoring rules in a SIEM, the challenge often lies not in creating the rule itself but in understanding the problem and mapping out potential detection routes. In this instance, the Analytic Co-Pilot team has developed a rule for both LogRhythm SIEM and LogRhythm Axon that looks for a specific command that must be used to update the registry with the “MiniNT” suffix.
In addition, the alert triggers when someone runs the command required to check for the presence of the suffix. This dual functionality makes the rule effective both in detecting attacks and detecting attackers who may be doing recognizance.
For more information on how to enable these rules within your LogRhythm deployment, check out our community page to read more, download, and then import the rule into your platform.
For other Security Spotlight episodes, you can access the full playlist here.