Write Protect For Storage Disabled
Detects applications trying to modify the registry in order to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
Sigma rule (View on GitHub)
1title: Write Protect For Storage Disabled
2id: 75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13
3status: test
4description: |
5 Detects applications trying to modify the registry in order to disable any write-protect property for storage devices.
6 This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
7references:
8 - https://www.manageengine.com/products/desktop-central/os-imaging-deployment/media-is-write-protected.html
9author: Sreeman
10date: 2021/06/11
11modified: 2024/01/18
12tags:
13 - attack.defense_evasion
14 - attack.t1562
15logsource:
16 product: windows
17 category: process_creation
18detection:
19 selection:
20 CommandLine|contains|all:
21 - '\System\CurrentControlSet\Control'
22 - 'Write Protection'
23 - '0'
24 - 'storage'
25 condition: selection
26falsepositives:
27 - Unknown
28level: medium
References
-
This error occurs when a hard disk is connected to a computer which is write protected or the hard disk is in read only mode. This error can also occur due to virus, hardware damage and registry issues.
Read More
Related rules
- Sysmon Application Crashed
- Windows Defender Exclusions Added - PowerShell
- Windows Firewall Disabled via PowerShell
- Windows Filtering Platform Blocked Connection From EDR Agent Binary
- HackTool - EDRSilencer Execution