Antivirus Filter Driver Disallowed On Dev Drive - Registry
Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".
Sigma rule (View on GitHub)
1title: Antivirus Filter Driver Disallowed On Dev Drive - Registry
2id: 31e124fb-5dc4-42a0-83b3-44a69c77b271
3status: test
4description: |
5 Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".
6references:
7 - https://twitter.com/0gtweet/status/1720419490519752955
8author: '@kostastsale, Nasreddine Bencherchali (Nextron Systems)'
9date: 2023-11-05
10modified: 2024-08-16
11tags:
12 - attack.defense-evasion
13 - attack.t1562.001
14logsource:
15 category: registry_set
16 product: windows
17detection:
18 selection:
19 TargetObject|endswith: '\FilterManager\FltmgrDevDriveAllowAntivirusFilter'
20 Details: 'DWORD (0x00000000)'
21 condition: selection
22falsepositives:
23 - Unlikely
24level: high
References
-
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More
Related rules
- ESXi Syslog Configuration Change Via ESXCLI
- Hypervisor Enforced Paging Translation Disabled
- Obfuscated PowerShell OneLiner Execution
- Sysmon Driver Altitude Change
- Windows Defender Service Disabled - Registry