Potential Defense Evasion Via Raw Disk Access By Uncommon Tools
Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts
Sigma rule (View on GitHub)
1title: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools
2id: db809f10-56ce-4420-8c86-d6a7d793c79c
3status: test
4description: Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts
5references:
6 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
7author: Teymur Kheirkhabarov, oscd.community
8date: 2019/10/22
9modified: 2023/11/28
10tags:
11 - attack.defense_evasion
12 - attack.t1006
13logsource:
14 product: windows
15 category: raw_access_thread
16detection:
17 filter_main_floppy:
18 Device|contains: floppy
19 filter_main_generic:
20 Image|contains:
21 - ':\$WINDOWS.~BT\'
22 - ':\Program Files (x86)\'
23 - ':\Program Files\'
24 - ':\Windows\CCM\'
25 - ':\Windows\explorer.exe'
26 - ':\Windows\servicing\'
27 - ':\Windows\SoftwareDistribution\'
28 - ':\Windows\System32\'
29 - ':\Windows\SystemApps\'
30 - ':\Windows\uus\'
31 - ':\Windows\WinSxS\'
32 filter_main_system_images:
33 Image:
34 - 'Registry'
35 - 'System'
36 filter_main_windefender:
37 Image|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
38 Image|endswith: '\MsMpEng.exe'
39 filter_main_microsoft_appdata:
40 Image|contains|all:
41 - ':\Users\'
42 - '\AppData\'
43 - '\Microsoft\'
44 filter_main_ssd_nvme:
45 Image|contains: ':\Windows\Temp\'
46 Image|endswith:
47 - '\Executables\SSDUpdate.exe'
48 - '\HostMetadata\NVMEHostmetadata.exe'
49 filter_main_null:
50 Image: null
51 filter_main_systemsettings:
52 Image|endswith: ':\Windows\ImmersiveControlPanel\SystemSettings.exe'
53 filter_optional_github_desktop:
54 Image|contains: '\AppData\Local\GitHubDesktop\app-'
55 Image|endswith: '\resources\app\git\mingw64\bin\git.exe'
56 filter_optional_nextron:
57 Image|contains: ':\Windows\Temp\asgard2-agent\'
58 Image|endswith: '\thor.exe'
59 filter_optional_Keybase:
60 Image|contains: '\AppData\Local\Keybase\upd.exe'
61 condition: not 1 of filter_main_* and not 1 of filter_optional_*
62falsepositives:
63 - Likely
64level: low
References
Related rules
- CMSTP Execution Process Access
- Function Call From Undocumented COM Interface EditionUpgradeManager
- HackTool - CobaltStrike BOF Injection Pattern
- HackTool - HandleKatz Duplicating LSASS Handle
- HackTool - SysmonEnte Execution