Potential Defense Evasion Via Raw Disk Access By Uncommon Tools
Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts
Sigma rule
title: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools
id: db809f10-56ce-4420-8c86-d6a7d793c79c
status: test
description: Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-10-22
modified: 2025-12-03
tags:
    - attack.defense-evasion
    - attack.t1006
logsource:
    product: windows
    category: raw_access_thread
detection:
    filter_main_floppy:
        Device|contains: floppy
    filter_main_generic:
        Image|startswith:
            - 'C:\$WINDOWS.~BT\'
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\CCM\'
            - 'C:\Windows\explorer.exe'
            - 'C:\Windows\servicing\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SystemApps\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\uus\'
            - 'C:\Windows\WinSxS\'
    filter_main_system_images:
        Image:
            - 'Registry'
            - 'System'
    filter_main_windefender:
        Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        Image|endswith:
            - '\MsMpEng.exe'
            - '\MpDefenderCoreService.exe'
    filter_main_microsoft_appdata:
        Image|startswith: 'C:\Users\'
        Image|contains|all:
            - '\AppData\'
            - '\Microsoft\'
    filter_main_ssd_nvme:
        Image|startswith: 'C:\Windows\Temp\'
        Image|endswith:
            - '\Executables\SSDUpdate.exe'
            - '\HostMetadata\NVMEHostmetadata.exe'
    filter_main_null:
        Image: null
    filter_main_systemsettings:
        Image: 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
    filter_main_update:
        Image|startswith: 'C:\$WinREAgent\Scratch\'
    filter_optional_github_desktop:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\GitHubDesktop\app-'
        Image|endswith: '\resources\app\git\mingw64\bin\git.exe'
    filter_optional_nextron:
        Image|startswith: 'C:\Windows\Temp\asgard2-agent\'
        Image|endswith: '\thor.exe'
    filter_optional_Keybase:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Keybase\upd.exe'
    condition: not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Likely
level: low
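The rule's filter logic, as an added Python example that is not part of the Sigma rule or the Sigma project: it evaluates the filter_main_* and filter_optional_* branches over a few constructed raw-access events (field names Image and Device as in the rule; the sample event contents are assumed) and returns the images the rule would alert on.

```python
# Added example, not part of the Sigma project: evaluates this rule's filters
# over constructed raw-access events (Sysmon Event ID 9 style Image/Device
# fields). Sigma string matching is case-insensitive, so values are lowercased.
GENERIC_PREFIXES = (
    "c:\\$windows.~bt\\", "c:\\program files (x86)\\", "c:\\program files\\",
    "c:\\windows\\ccm\\", "c:\\windows\\explorer.exe", "c:\\windows\\servicing\\",
    "c:\\windows\\softwaredistribution\\", "c:\\windows\\system32\\",
    "c:\\windows\\systemapps\\", "c:\\windows\\syswow64\\", "c:\\windows\\uus\\",
    "c:\\windows\\winsxs\\",
)
def _lc(value):
    return value.lower() if isinstance(value, str) else value

def filter_main(ev):
    """True when any filter_main_* branch matches (benign per the rule)."""
    img, dev = _lc(ev.get("Image")), _lc(ev.get("Device")) or ""
    if "floppy" in dev or img is None:  # filter_main_floppy / filter_main_null
        return True
    if img.startswith(GENERIC_PREFIXES) or img in ("registry", "system"):
        return True
    if (img.startswith("c:\\programdata\\microsoft\\windows defender\\platform\\")
            and img.endswith(("\\msmpeng.exe", "\\mpdefendercoreservice.exe"))):
        return True
    if img.startswith("c:\\users\\") and "\\appdata\\" in img and "\\microsoft\\" in img:
        return True
    if img.startswith("c:\\windows\\temp\\") and img.endswith(
            ("\\executables\\ssdupdate.exe", "\\hostmetadata\\nvmehostmetadata.exe")):
        return True
    return (img == "c:\\windows\\immersivecontrolpanel\\systemsettings.exe"
            or img.startswith("c:\\$winreagent\\scratch\\"))

def filter_optional(ev):
    """True when any filter_optional_* branch (known third-party tools) matches."""
    img = _lc(ev.get("Image")) or ""
    return ((img.startswith("c:\\users\\") and "\\appdata\\local\\githubdesktop\\app-" in img
             and img.endswith("\\resources\\app\\git\\mingw64\\bin\\git.exe"))
            or (img.startswith("c:\\windows\\temp\\asgard2-agent\\") and img.endswith("\\thor.exe"))
            or (img.startswith("c:\\users\\") and "\\appdata\\local\\keybase\\upd.exe" in img))

def matches(ev):
    """Rule condition: not 1 of filter_main_* and not 1 of filter_optional_*."""
    return not filter_main(ev) and not filter_optional(ev)
SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"Image": "C:\\Windows\\System32\\svchost.exe", "Device": "\\Device\\HarddiskVolume3"},
    {"Image": None, "Device": "\\Device\\HarddiskVolume3"},
    {"Image": "C:\\Users\\alice\\Downloads\\disktool.exe", "Device": "\\Device\\HarddiskVolume3"},
    {"Image": "C:\\Temp\\reader.exe", "Device": "\\Device\\Floppy0"},
]
def alerting_images(events=SAMPLE_EVENTS):
    return [ev["Image"] for ev in events if matches(ev)]
```

Only the user-profile binary outside the Microsoft AppData paths survives the filters; the System32 process, the null-Image event and the floppy access are all suppressed, which is the "heavy filtering" the description refers to.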
Related rules
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- Files With System Process Name In Unsuspected Locations
- Potential System DLL Sideloading From Non System Locations
- Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load
- Potentially Suspicious WDAC Policy File Creation