Potential Defense Evasion Via Raw Disk Access By Uncommon Tools
Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts
Sigma rule (View on GitHub)
1title: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools
2id: db809f10-56ce-4420-8c86-d6a7d793c79c
3status: test
4description: Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts
5references:
6 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
7author: Teymur Kheirkhabarov, oscd.community
8date: 2019-10-22
9modified: 2023-11-28
10tags:
11 - attack.defense-evasion
12 - attack.t1006
13logsource:
14 product: windows
15 category: raw_access_thread
16detection:
17 filter_main_floppy:
18 Device|contains: floppy
19 filter_main_generic:
20 Image|contains:
21 - ':\$WINDOWS.~BT\'
22 - ':\Program Files (x86)\'
23 - ':\Program Files\'
24 - ':\Windows\CCM\'
25 - ':\Windows\explorer.exe'
26 - ':\Windows\servicing\'
27 - ':\Windows\SoftwareDistribution\'
28 - ':\Windows\System32\'
29 - ':\Windows\SystemApps\'
30 - ':\Windows\uus\'
31 - ':\Windows\WinSxS\'
32 filter_main_system_images:
33 Image:
34 - 'Registry'
35 - 'System'
36 filter_main_windefender:
37 Image|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
38 Image|endswith: '\MsMpEng.exe'
39 filter_main_microsoft_appdata:
40 Image|contains|all:
41 - ':\Users\'
42 - '\AppData\'
43 - '\Microsoft\'
44 filter_main_ssd_nvme:
45 Image|contains: ':\Windows\Temp\'
46 Image|endswith:
47 - '\Executables\SSDUpdate.exe'
48 - '\HostMetadata\NVMEHostmetadata.exe'
49 filter_main_null:
50 Image: null
51 filter_main_systemsettings:
52 Image|endswith: ':\Windows\ImmersiveControlPanel\SystemSettings.exe'
53 filter_optional_github_desktop:
54 Image|contains: '\AppData\Local\GitHubDesktop\app-'
55 Image|endswith: '\resources\app\git\mingw64\bin\git.exe'
56 filter_optional_nextron:
57 Image|contains: ':\Windows\Temp\asgard2-agent\'
58 Image|endswith: '\thor.exe'
59 filter_optional_Keybase:
60 Image|contains: '\AppData\Local\Keybase\upd.exe'
61 condition: not 1 of filter_main_* and not 1 of filter_optional_*
62falsepositives:
63 - Likely
64level: low
References
Related rules
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity