Disable Security Events Logging Adding Reg Key MiniNt

Last updated on:

Rule name: Disable Security Events Logging Adding Reg Key MiniNt

Rule type: Standard

Log sources: Windows, Sysmon

MITRE ATT&CK tags: Defense Evasion: Modify Registry (T1112); Defense Evasion: Impair Defenses - Disable Windows Event Logging (T1562.002)

Severity: Critical

About the rule

Rule Type

Standard

Rule Description

Detects the creation of the 'MiniNt' registry key. When this key exists in the Control registry hive, it can trick certain Windows components into thinking the system is running in a WinPE environment, which can result in the disabling of the Windows Event Viewer and security logging.

Why this rule?

This technique disables Windows security event logging by tricking the system into "safe mode" logging behavior, blinding security monitoring. Attackers use this to eliminate audit trails and operate without generating alerts. Detecting this registry modification is critical as it indicates an active attempt to evade detection.

Severity

Trouble

Rule journey

Attack chain scenario

Initial Access → Privilege Escalation → Defense Evasion → Create Registry Key (MiniNt) → Disable Event Logging → Malicious activity without log footprint.

Impact

Forensic evidence manipulation and complete loss of audit trails, making it impossible to reconstruct the attacker's actions via standard security logs.

Rule Requirement

Prerequisites

Enable Registry auditing for the path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt.

Criteria

Action1: actionname = "Registry Event"
  AND ( OBJECTNAME contains "SYSTEM\CurrentControlSet" OR OBJECTNAME contains "CurrentControlSet" )
  AND ( OBJECTNAME contains "Control\MiniNt" OR OBJECTVALUENAME contains "MiniNt" )
select Action1.HOSTNAME, Action1.MESSAGE, Action1.PROCESSNAME, Action1.OBJECTNAME, Action1.OBJECTVALUENAME, Action1.ACCESSES, Action1.USERNAME, Action1.DOMAIN, Action1.PREVVAL, Action1.CHANGES, Action1.INFORMATION
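The criteria above, re-implemented as an added Python example (not part of this rule page or of the product's query engine) so the matching logic can be exercised offline. It assumes a plain case-sensitive substring test for `contains`, and the event records are constructed samples normalized to the rule's field names, not real telemetry.

```python
from typing import Dict, List

# Fields named in the rule's select clause, projected for every hit.
SELECTED_FIELDS = ["HOSTNAME", "MESSAGE", "PROCESSNAME", "OBJECTNAME", "OBJECTVALUENAME",
                   "ACCESSES", "USERNAME", "DOMAIN", "PREVVAL", "CHANGES", "INFORMATION"]

def _contains(event: Dict[str, str], field: str, needle: str) -> bool:
    """Plain substring test standing in for the query's 'contains' (case handling assumed)."""
    return needle in event.get(field, "")

def matches_minint_rule(event: Dict[str, str]) -> bool:
    """Action1: a registry event whose object sits under CurrentControlSet and names MiniNt."""
    if event.get("actionname") != "Registry Event":
        return False
    under_ccs = (_contains(event, "OBJECTNAME", r"SYSTEM\CurrentControlSet")
                 or _contains(event, "OBJECTNAME", "CurrentControlSet"))
    names_minint = (_contains(event, "OBJECTNAME", r"Control\MiniNt")
                    or _contains(event, "OBJECTVALUENAME", "MiniNt"))
    return under_ccs and names_minint

def run_rule(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter events by the criteria and project the selected fields, as the query does."""
    return [{f: e.get(f, "") for f in SELECTED_FIELDS} for e in events if matches_minint_rule(e)]

# Constructed sample events (not real telemetry), all normalized to the rule's field names.
SAMPLE_EVENTS = [
    {   # Sysmon Event ID 12 style: MiniNt key created under the CurrentControlSet link -> hit
        "actionname": "Registry Event", "HOSTNAME": "WS-042", "MESSAGE": "Registry object added",
        "PROCESSNAME": r"C:\Windows\System32\reg.exe", "ACCESSES": "CreateKey",
        "OBJECTNAME": r"HKLM\System\CurrentControlSet\Control\MiniNt", "OBJECTVALUENAME": "",
        "USERNAME": "admin", "DOMAIN": "CORP", "PREVVAL": "", "CHANGES": "", "INFORMATION": "",
    },
    {   # Ordinary change elsewhere under CurrentControlSet -> no hit (second clause fails)
        "actionname": "Registry Event", "HOSTNAME": "WS-042",
        "OBJECTNAME": r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters",
        "OBJECTVALUENAME": "Hostname",
    },
    {   # Security event 4657 style: the audit log typically records the resolved
        # ControlSet00N path, so the first clause (contains "CurrentControlSet") fails -> no hit.
        # Normalize that path to CurrentControlSet at ingest if the rule must cover this source.
        "actionname": "Registry Event", "HOSTNAME": "WS-042",
        "OBJECTNAME": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\MiniNt",
    },
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit["HOSTNAME"], hit["PROCESSNAME"], hit["OBJECTNAME"])
```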

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: Modify Registry (T1112), Defense Evasion: Impair Defenses - Disable Windows Event Logging (T1562.002)

Author

@Ilyas Ochkov, oscd.community

Future actions

Known False Positives

Developers or administrators testing Windows PE (Preinstallation Environment) related tools or specific driver installation packages.

Next Steps

  1. Identification: Check for the existence of the MiniNt key in the Control registry hive.
  2. Analysis: Determine if the system was recently booted from a recovery or installation media.
  3. Response: Delete the key and reboot the system to restore normal security auditing functions.

Mitigation

ID: M1024

Mitigation: Restrict Registry Permissions

Description: Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.