Potential Defense Evasion Via Raw Disk Access By Uncommon Tools

Detects raw disk access (Sysmon Event ID 9, RawAccessRead, which is what the raw_access_thread log source category maps to) by uncommon tools or by tools running from suspicious locations, which could indicate a defense evasion attempt. Reading a volume or physical drive directly through \\.\ device paths bypasses the file system API and its locks, so it is a common way to copy otherwise locked files such as the SAM hive or NTDS.dit (MITRE ATT&CK T1006, Direct Volume Access). Many legitimate Windows components read volumes this way, so heavy filtering is required: the rule has no positive selection and consists only of exclusions, meaning every raw-access event from a process not covered by a filter will fire, and the exclusion list must be tuned per environment.

Sigma rule

title: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools
id: db809f10-56ce-4420-8c86-d6a7d793c79c
status: test
description: Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019/10/22
modified: 2023/11/28
tags:
    - attack.defense_evasion
    - attack.t1006
logsource:
    product: windows
    category: raw_access_thread
detection:
    filter_main_floppy:
        Device|contains: floppy
    filter_main_generic:
        Image|contains:
            - ':\$WINDOWS.~BT\'
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\CCM\'
            - ':\Windows\explorer.exe'
            - ':\Windows\servicing\'
            - ':\Windows\SoftwareDistribution\'
            - ':\Windows\System32\'
            - ':\Windows\SystemApps\'
            - ':\Windows\uus\'
            - ':\Windows\WinSxS\'
    filter_main_system_images:
        Image:
            - 'Registry'
            - 'System'
    filter_main_windefender:
        Image|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
        Image|endswith: '\MsMpEng.exe'
    filter_main_microsoft_appdata:
        Image|contains|all:
            - ':\Users\'
            - '\AppData\'
            - '\Microsoft\'
    filter_main_ssd_nvme:
        Image|contains: ':\Windows\Temp\'
        Image|endswith:
            - '\Executables\SSDUpdate.exe'
            - '\HostMetadata\NVMEHostmetadata.exe'
    filter_main_null:
        Image: null
    filter_main_systemsettings:
        Image|endswith: ':\Windows\ImmersiveControlPanel\SystemSettings.exe'
    filter_optional_github_desktop:
        Image|contains: '\AppData\Local\GitHubDesktop\app-'
        Image|endswith: '\resources\app\git\mingw64\bin\git.exe'
    filter_optional_nextron:
        Image|contains: ':\Windows\Temp\asgard2-agent\'
        Image|endswith: '\thor.exe'
    filter_optional_Keybase:
        Image|contains: '\AppData\Local\Keybase\upd.exe'
    condition: not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Likely
level: low
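To make the exclusion logic concrete, the following Python script is an added example written for this page; it is not part of the SigmaHQ rule, its repository, or any Sigma backend. It re-encodes the filters above as data, evaluates them with Sigma's default case-insensitive string semantics (contains, endswith, contains|all, exact match and null), and runs them over a handful of constructed Sysmon Event ID 9 records. The Image and Device field names are the ones Sysmon uses for RawAccessRead; the sample paths and volume names are made up for illustration, not real telemetry. Whatever no filter suppresses is what the rule would alert on.

```python
"""Evaluate the exclusion logic of the Sigma rule above over constructed Sysmon EID 9 events.

Added example for this page, not code from the SigmaHQ rule or a Sigma backend.
"""
from typing import Any, Dict, List, Optional, Tuple

# One entry per named filter in the rule. A clause is (field, modifier, values).
# Inside a selection, clauses are ANDed; within a clause, "contains|all" requires
# every value to match and every other modifier requires at least one value to match.
Clause = Tuple[str, str, List[Optional[str]]]
FILTERS: Dict[str, List[Clause]] = {
    "filter_main_floppy": [("Device", "contains", ["floppy"])],
    "filter_main_generic": [("Image", "contains", [
        ":\\$WINDOWS.~BT\\", ":\\Program Files (x86)\\", ":\\Program Files\\",
        ":\\Windows\\CCM\\", ":\\Windows\\explorer.exe", ":\\Windows\\servicing\\",
        ":\\Windows\\SoftwareDistribution\\", ":\\Windows\\System32\\",
        ":\\Windows\\SystemApps\\", ":\\Windows\\uus\\", ":\\Windows\\WinSxS\\"])],
    "filter_main_system_images": [("Image", "equals", ["Registry", "System"])],
    "filter_main_windefender": [
        ("Image", "contains", [":\\ProgramData\\Microsoft\\Windows Defender\\Platform\\"]),
        ("Image", "endswith", ["\\MsMpEng.exe"])],
    "filter_main_microsoft_appdata": [
        ("Image", "contains|all", [":\\Users\\", "\\AppData\\", "\\Microsoft\\"])],
    "filter_main_ssd_nvme": [
        ("Image", "contains", [":\\Windows\\Temp\\"]),
        ("Image", "endswith", ["\\Executables\\SSDUpdate.exe",
                               "\\HostMetadata\\NVMEHostmetadata.exe"])],
    "filter_main_null": [("Image", "equals", [None])],  # "Image: null" = field absent
    "filter_main_systemsettings": [
        ("Image", "endswith", [":\\Windows\\ImmersiveControlPanel\\SystemSettings.exe"])],
    "filter_optional_github_desktop": [
        ("Image", "contains", ["\\AppData\\Local\\GitHubDesktop\\app-"]),
        ("Image", "endswith", ["\\resources\\app\\git\\mingw64\\bin\\git.exe"])],
    "filter_optional_nextron": [
        ("Image", "contains", [":\\Windows\\Temp\\asgard2-agent\\"]),
        ("Image", "endswith", ["\\thor.exe"])],
    "filter_optional_Keybase": [("Image", "contains", ["\\AppData\\Local\\Keybase\\upd.exe"])],
}


def _match_value(field_value: Optional[Any], modifier: str, value: Optional[str]) -> bool:
    """Sigma string matching is case-insensitive; a null value matches a missing field."""
    if value is None:
        return field_value is None
    if field_value is None:
        return False
    hay, needle = str(field_value).lower(), value.lower()
    if modifier == "equals":
        return hay == needle
    if modifier in ("contains", "contains|all"):
        return needle in hay
    if modifier == "endswith":
        return hay.endswith(needle)
    raise ValueError(f"unsupported modifier {modifier}")


def _selection_matches(event: Dict[str, Any], clauses: List[Clause]) -> bool:
    """All clauses of a selection must hold for the selection to match."""
    for field, modifier, values in clauses:
        hits = [_match_value(event.get(field), modifier, v) for v in values]
        if not (all(hits) if modifier == "contains|all" else any(hits)):
            return False
    return True


def suppressing_filter(event: Dict[str, Any]) -> Optional[str]:
    """Name of the first filter that excludes the event, or None if no filter applies."""
    for name, clauses in FILTERS.items():
        if _selection_matches(event, clauses):
            return name
    return None


def rule_fires(event: Dict[str, Any]) -> bool:
    # condition: not 1 of filter_main_* and not 1 of filter_optional_*
    return suppressing_filter(event) is None


# Constructed Sysmon Event ID 9 (RawAccessRead) records, for illustration only.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"Image": "C:\\Windows\\System32\\svchost.exe", "Device": "\\Device\\HarddiskVolume3"},
    {"Image": "c:\\windows\\system32\\SVCHOST.EXE", "Device": "\\Device\\HarddiskVolume3"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
     "Device": "\\Device\\HarddiskVolume3"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\dd.exe", "Device": "\\Device\\HarddiskVolume3"},
    {"Image": "C:\\Tools\\rawdump.exe", "Device": "\\Device\\Floppy0"},
    {"Image": "C:\\Tools\\rawdump.exe", "Device": "\\Device\\HarddiskVolume1"},
    {"Image": "System", "Device": "\\Device\\HarddiskVolume1"},
    {"Device": "\\Device\\HarddiskVolume1"},  # Image missing -> filter_main_null
]


def evaluate(events: List[Dict[str, Any]]) -> List[Tuple[Optional[str], Optional[str], bool]]:
    """Return (Image, suppressing filter or None, whether the rule fires) per event."""
    return [(e.get("Image"), suppressing_filter(e), rule_fires(e)) for e in events]


if __name__ == "__main__":
    for image, flt, fires in evaluate(SAMPLE_EVENTS):
        status = "ALERT   " if fires else f"filtered by {flt}"
        print(f"{status:45} {image!r}")
```

Run as a script it prints which constructed events would alert. Two points are worth noticing: because the rule has no positive selection, every RawAccessRead event from a process outside the exclusion list is a hit, so a copy of dd.exe or a disk imager in a user's Temp directory fires; and a process under a user's AppData path is only excluded when that path also contains \Microsoft\, which is why the OneDrive sample is suppressed while the dd.exe sample is not. The same-tool, different-device pair (rawdump.exe against Floppy0 versus HarddiskVolume1) shows that the floppy exclusion is keyed on the Device field, not the Image.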
