Another day in the Advanced Hunting feature.
I was told about a twitter post which explained it’s possible to block Security events from being created.
If the following key is added:
HKLM\System\CurrentControlSet\Control\MiniNt
Since it’s registry we have a lot of data to query in the Defender ATP portal (https://securitycenter.windows.com)
The Hunting query will be as follows
// Mattias Borg
// @mattiasborg82
RegistryEvents
| where (RegistryKey == "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MiniNt") or
(RegistryKey == "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MiniNt")
| sort by EventTime desc
| project EventTime, ComputerName, RegistryKey, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessSHA1
This is the initial hunting query and might be changed to avoid False-Positives if there are any.
To be able to create a custom detection rule we need to add “MachineId” and “ReportId” to the output.
// Mattias Borg
// @mattiasborg82
RegistryEvents
| where (RegistryKey == "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MiniNt") or
(RegistryKey == "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MiniNt")
| sort by EventTime desc
| project EventTime, ComputerName, RegistryKey, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessSHA1, MachineId, ReportId
Click on “Create a detection rule”
Fill in the form and select your preferred actions
Happy Hunting!