Vendor News

Disable Windows Event Logging – Security Spotlight

6 December 2023

The “Security Spotlight” blog series provides insight into emerging cyberthreats and shares tips for how you can leverage LogRhythm’s security tools, services, and out-of-the-box content to defend against attacks.

In this Security Spotlight, we’ll be talking about a technique attackers use to disable your Windows logging and increase their dwell time (MITRE ATT&CK® Technique T1562).

What is Windows Event Logging?

Windows Event Logging, specifically Security Logging, is the cornerstone of most organizations’ log monitoring strategy. In real-world deployments, LogRhythm typically observes that Windows Security logging consumes from 30% to 50% of an organization’s total logging capacity. Naturally, this has made it a prime target for nullification, a tactic commonly employed by attackers to reduce the effectiveness of Security Information and Event Management (SIEM) installations.

One method to achieve this involves adding a registry key named “MiniNt” to a specific path in the registry. Once added, this key triggers the Windows system to behave as if it is operating in a Windows Preinstallation Environment. In this state, the system does not record any events in the Security Log, effectively disabling the generation of security event logs...
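
One way to detect the behaviour described above, added here as an example and not LogRhythm's own content: it flags creation of a registry key named "MiniNt" and raises the severity when the same host's Security log then goes silent. It assumes Sysmon-style registry telemetry (Event ID 12 with `EventType` and `TargetObject`); the hosts, timestamps, the `<parent-path>` placeholder and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry, not real logs. "<parent-path>" is a placeholder:
# the page names the key ("MiniNt") but not its location in the registry.
EVENTS = [
    {"host": "ws01", "time": "2023-12-06T09:00:00", "channel": "Security", "event_id": 4624},
    {"host": "ws01", "time": "2023-12-06T09:05:00", "channel": "Sysmon", "event_id": 12,
     "EventType": "CreateKey", "TargetObject": r"HKLM\<parent-path>\MiniNt"},
    {"host": "ws02", "time": "2023-12-06T09:01:00", "channel": "Security", "event_id": 4624},
    {"host": "ws02", "time": "2023-12-06T09:02:00", "channel": "Sysmon", "event_id": 12,
     "EventType": "CreateKey", "TargetObject": r"HKLM\<parent-path>\MiniNtExtra"},
    {"host": "ws02", "time": "2023-12-06T09:58:00", "channel": "Security", "event_id": 4634},
    {"host": "ws03", "time": "2023-12-06T09:10:00", "channel": "Sysmon", "event_id": 12,
     "EventType": "CreateKey", "TargetObject": r"HKLM\<parent-path>\minint"},
    {"host": "ws03", "time": "2023-12-06T09:50:00", "channel": "Security", "event_id": 4624},
]

def ts(event):
    """Parse the event's ISO 8601 timestamp."""
    return datetime.fromisoformat(event["time"])

def minint_key_creations(events):
    """Return registry key-creation events whose final path component is 'MiniNt'."""
    hits = []
    for e in events:
        if (e.get("channel") == "Sysmon" and e.get("event_id") == 12
                and e.get("EventType") == "CreateKey"):
            leaf = e.get("TargetObject", "").rstrip("\\").rsplit("\\", 1)[-1]
            if leaf.casefold() == "minint":  # registry key names are case-insensitive
                hits.append(e)
    return hits

def triage(events, now, grace=timedelta(minutes=30)):
    """Map host -> severity; 'critical' when no Security events follow the key creation."""
    verdicts = {}
    for hit in minint_key_creations(events):
        later = [e for e in events
                 if e["host"] == hit["host"] and e["channel"] == "Security"
                 and ts(e) > ts(hit)]
        # Silence only counts once the grace period since the creation has elapsed.
        silent = not later and now - ts(hit) > grace
        verdicts[hit["host"]] = "critical" if silent else "high"
    return verdicts

if __name__ == "__main__":
    print(triage(EVENTS, datetime(2023, 12, 6, 10, 0)))
```

Matching on the key name alone keeps the rule independent of the parent path; the silence check only works if the registry telemetry reaches the SIEM through a channel other than the Security log.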