Antivirus Filter Driver Disallowed On Dev Drive - Registry

Detects activity indicating that a user has disabled the ability of the antivirus minifilter to inspect a "Dev Drive".

Sigma rule

```yaml
title: Antivirus Filter Driver Disallowed On Dev Drive - Registry
id: 31e124fb-5dc4-42a0-83b3-44a69c77b271
status: experimental
description: |
    Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".
references:
    - https://twitter.com/0gtweet/status/1720419490519752955
author: '@kostastsale, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-11-05
modified: 2024-08-16
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\FilterManager\FltmgrDevDriveAllowAntivirusFilter'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unlikely
level: high
```
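The rule's `selection` block applied to constructed Sysmon registry_set (Event ID 13) events, as an added example that is not part of the rule or of the SigmaHQ project. The full key path, the `Image` field and the sample events are constructed; Sigma's default case-insensitive string matching is reproduced with `.lower()`.

```python
"""Apply the Sigma selection above to constructed registry_set events."""
from typing import Dict, List

# Match values taken from the rule's selection block.
TARGET_SUFFIX = r"\FilterManager\FltmgrDevDriveAllowAntivirusFilter"
DISALLOWED_DETAILS = "DWORD (0x00000000)"


def matches_rule(event: Dict[str, object]) -> bool:
    """True when the event satisfies both fields of 'selection'.

    Sigma string modifiers and plain equality are case-insensitive by
    default, so both sides are lower-cased before comparison.
    """
    target = str(event.get("TargetObject", "")).lower()
    details = str(event.get("Details", "")).lower()
    return target.endswith(TARGET_SUFFIX.lower()) and details == DISALLOWED_DETAILS.lower()


def find_alerts(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the subset of events that would raise this rule."""
    return [e for e in events if matches_rule(e)]


# Constructed Sysmon Event ID 13 samples; the key prefix and Image are assumed.
KEY = r"HKLM\System\CurrentControlSet\Control\FilterManager"
SAMPLE_EVENTS = [
    {   # value set to 0: antivirus minifilter disallowed on Dev Drive -> alert
        "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": KEY + r"\FltmgrDevDriveAllowAntivirusFilter",
        "Details": "DWORD (0x00000000)",
    },
    {   # same value set back to 1 -> no alert (Details does not match)
        "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": KEY + r"\FltmgrDevDriveAllowAntivirusFilter",
        "Details": "DWORD (0x00000001)",
    },
    {   # a different (constructed) value under the same key -> no alert
        "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": KEY + r"\ExampleOtherValue",
        "Details": "DWORD (0x00000000)",
    },
    {   # same value with different path casing -> still an alert
        "EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetObject": KEY.upper() + r"\FLTMGRDEVDRIVEALLOWANTIVIRUSFILTER",
        "Details": "DWORD (0x00000000)",
    },
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} set {hit['TargetObject']} = {hit['Details']}")
```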
