Suspicious IO.FileStream
Open a handle on the drive volume via the \\.\ DOS device path specifier and perform a direct-access read of the first few bytes of the volume.
Sigma rule
title: Suspicious IO.FileStream
id: 70ad982f-67c8-40e0-a955-b920c2fa05cb
status: test
description: Open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1006/T1006.md
author: frack113
date: 2022-01-09
modified: 2022-03-05
tags:
    - attack.defense-evasion
    - attack.t1070.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - New-Object
            - IO.FileStream
            - '\\\\.\\'
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: medium
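As an added illustration, not part of the rule above or of the Sigma project's own converters, the following Python reproduces the rule's contains|all selection over a few constructed Script Block Logging (Event ID 4104) records. It shows why the YAML value '\\\\.\\' is written with doubled backslashes (Sigma escaping yields the literal prefix \\.\ in the log text), that Sigma string matching is case-insensitive, and that two near-miss script blocks (a normal file open, and a \\.\ path with no IO.FileStream) do not alert. The field names and sample records are assumptions made for the example.

```python
"""Added example: apply the rule's contains|all selection to constructed
PowerShell Script Block Logging (Event ID 4104) records.

This is a hand-written matcher for illustration, not the Sigma project's
converter and not a SIEM backend."""

# The three substrings from the rule's selection. The YAML value '\\\\.\\' is
# Sigma's escaped form of the literal DOS device prefix \\.\ ; each `\\` in the
# rule becomes one backslash in the text being searched, so the Python string
# below is the same three-character-plus-dot prefix.
REQUIRED_SUBSTRINGS = ("New-Object", "IO.FileStream", "\\\\.\\")


def contains_all(text: str, needles) -> bool:
    """Sigma's `contains|all` modifier: every needle must occur somewhere in
    the field value. Sigma matching is case-insensitive, so fold both sides."""
    haystack = text.lower()
    return all(needle.lower() in haystack for needle in needles)


def matches_rule(script_block_text: str) -> bool:
    """True when the ScriptBlockText satisfies the rule's only selection."""
    return contains_all(script_block_text, REQUIRED_SUBSTRINGS)


# Constructed sample records (not real telemetry). The "ScriptBlockText" key
# mirrors the 4104 field a log pipeline exposes; "id" is just a label here.
SAMPLE_EVENTS = [
    # 1: direct volume read via \\.\C: -> should alert
    {"id": 1, "ScriptBlockText": r'$f = New-Object IO.FileStream "\\.\C:", Open, Read, ReadWrite; $b = New-Object byte[] 512; $f.Read($b, 0, 512)'},
    # 2: ordinary file open, no device path -> must not alert
    {"id": 2, "ScriptBlockText": r'$f = New-Object System.IO.FileStream "C:\Temp\out.bin", Create'},
    # 3: device path present but no FileStream object -> must not alert
    {"id": 3, "ScriptBlockText": r'Get-ChildItem \\.\pipe\ | Select-Object Name'},
    # 4: same technique in lower case -> case-insensitive match, should alert
    {"id": 4, "ScriptBlockText": r'$fs = new-object io.filestream("\\.\PhysicalDrive0", [IO.FileMode]::Open)'},
]


def alerting_event_ids(events) -> list:
    """Return the ids of the records the rule would flag, in input order."""
    return [e["id"] for e in events if matches_rule(e["ScriptBlockText"])]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT" if matches_rule(event["ScriptBlockText"]) else "-"
        print(f'{event["id"]}: {verdict}')
```

Because the selection keys on the whole ScriptBlockText, the rule only fires when Script Block Logging is enabled (as the logsource definition states) and when all three fragments land in the same 4104 record; a script that splits the object creation and the device path across separately logged blocks would not match, which is a limitation worth knowing when tuning around the listed false positive of legitimate PowerShell scripts.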
Related rules
- Cisco Clear Logs
- Clearing Windows Console History
- Disable Powershell Command History
- Linux Command History Tampering
- AD Object WriteDAC Access