Suspicious IO.FileStream

Open a handle on the drive volume via the \\.\ DOS device path specifier and perform a direct-access read of the first few bytes of the volume.

Sigma rule

title: Suspicious IO.FileStream
id: 70ad982f-67c8-40e0-a955-b920c2fa05cb
status: test
description: Open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1006/T1006.md
author: frack113
date: 2022/01/09
modified: 2022/03/05
tags:
    - attack.defense_evasion
    - attack.t1070.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - New-Object
            - IO.FileStream
            - '\\\\.\\'
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: medium
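To see what the selection above actually fires on, here is an added example (not the rule author's or the Sigma project's code) that applies the rule's `contains|all` semantics to constructed PowerShell 4104 script-block events; the event class, field names and sample script blocks are assumptions made for the illustration.

```python
"""Added example: evaluate this rule's ScriptBlockText|contains|all selection
over constructed PowerShell script-block (event 4104) records."""
from dataclasses import dataclass
from typing import Iterable

# The rule's three patterns with Sigma backslash escaping resolved:
# the YAML value '\\\\.\\' denotes the four literal characters \\.\
RULE_PATTERNS = ("New-Object", "IO.FileStream", "\\\\.\\")


@dataclass
class ScriptBlockEvent:
    """Minimal stand-in for a Windows PowerShell 4104 event (constructed)."""
    record_id: int
    script_block_text: str


def matches_rule(event: ScriptBlockEvent) -> bool:
    """Sigma contains|all: every pattern must appear as a case-insensitive substring."""
    text = event.script_block_text.lower()
    return all(pattern.lower() in text for pattern in RULE_PATTERNS)


def evaluate(events: Iterable[ScriptBlockEvent]) -> list[int]:
    """Return the record ids of events the selection fires on."""
    return [e.record_id for e in events if matches_rule(e)]


# Constructed sample script blocks, not captured telemetry.
SAMPLE_EVENTS = [
    # raw volume handle through a DOS device path: fires
    ScriptBlockEvent(1, r"$fs = New-Object IO.FileStream '\\.\C:', 'Open', 'Read', 'ReadWrite'"),
    # same access, lower-cased: Sigma string matching is case-insensitive, fires
    ScriptBlockEvent(2, r"$fs = new-object io.filestream('\\.\PhysicalDrive0','Open','Read')"),
    # ordinary file path, no device prefix: the common benign use, does not fire
    ScriptBlockEvent(3, r"$fs = New-Object IO.FileStream 'C:\logs\app.log', 'Open'"),
    # device path without New-Object/IO.FileStream: outside this rule, does not fire
    ScriptBlockEvent(4, r"Get-Content -Path '\\.\pipe\mypipe'"),
    # fully qualified type name still contains 'IO.FileStream': fires
    ScriptBlockEvent(5, r"New-Object System.IO.FileStream('\\.\C:', [IO.FileMode]::Open)"),
]

if __name__ == "__main__":
    for record_id in evaluate(SAMPLE_EVENTS):
        print(f"rule fired on record {record_id}")
```

Record 3 shows why the rule lists legitimate PowerShell scripts as a false-positive source: the `New-Object IO.FileStream` part is common, and only the `\\.\` device prefix separates volume-level reads from ordinary file access.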
