Write Protect For Storage Disabled
Detects applications trying to modify the registry in order to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
Sigma rule (View on GitHub)
1title: Write Protect For Storage Disabled
2id: 75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13
3status: test
4description: |
5 Detects applications trying to modify the registry in order to disable any write-protect property for storage devices.
6 This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
7references:
8 - https://www.manageengine.com/products/desktop-central/os-imaging-deployment/media-is-write-protected.html
9author: Sreeman
10date: 2021-06-11
11modified: 2024-01-18
12tags:
13 - attack.defense-evasion
14 - attack.t1562
15logsource:
16 product: windows
17 category: process_creation
18detection:
19 selection:
20 CommandLine|contains|all:
21 - '\System\CurrentControlSet\Control'
22 - 'Write Protection'
23 - '0'
24 - 'storage'
25 condition: selection
26falsepositives:
27 - Unknown
28level: medium
References
Related rules
- AWS SecurityHub Findings Evasion
- Azure Kubernetes Events Deleted
- ETW Logging Disabled For SCM
- ETW Logging Disabled For rpcrt4.dll
- ETW Logging Disabled In .NET Processes - Registry