Enabling Dev Drive With Disabled AV
Detects the execution of fsutil.exe to enable a Dev Drive with the /disallowAv argument, which disables antivirus filtering on the created drive. This technique is available starting with Windows 11.
Sigma rule:
title: Enabling Dev Drive With Disabled AV
description: Detects the execution of fsutil.exe to enable a Dev Drive with an argument that disables the AV on the created drive. This technique is available starting with Windows 11.
status: experimental
date: 2023/11/05
# Quoted: a bare '@' cannot start a YAML scalar.
author: '@kostastsale'
references:
  - https://twitter.com/0gtweet/status/1720419490519752955
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    Image|endswith:
      - '\fsutil.exe'
    # All three substrings must appear (case-insensitive, as with every Sigma string modifier).
    CommandLine|contains|all:
      - ' devdrv'
      - ' enable'
      - ' /disallowAv'
  condition: selection1
falsepositives:
  - Unlikely
level: high
tags:
  - attack.defense_evasion
  - attack.t1562.001
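To show how the rule's selection actually evaluates, here is an added Python transcription of its `Image|endswith` and `CommandLine|contains|all` logic run over constructed process_creation events; it is example code, not part of the Sigma project, and the sample events, field names and function names are assumptions for illustration.

```python
"""Reference matcher for the 'Enabling Dev Drive With Disabled AV' Sigma rule.

Added example, not Sigma project code: re-implements selection1 in plain
Python so the matching can be exercised on constructed events. Sigma string
modifiers are case-insensitive by default, which is mirrored here.
"""

# The rule's selection, transcribed from the YAML above (lowercased once).
IMAGE_SUFFIXES = ["\\fsutil.exe"]
CMDLINE_ALL = [" devdrv", " enable", " /disallowav"]


def matches_rule(event: dict) -> bool:
    """Return True when a process_creation event satisfies selection1."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    # Image|endswith: any listed suffix may match.
    if not any(image.endswith(suffix) for suffix in IMAGE_SUFFIXES):
        return False
    # CommandLine|contains|all: every substring must be present.
    return all(needle in cmdline for needle in CMDLINE_ALL)


# Constructed sample events (not real telemetry), Sysmon-style field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\fsutil.exe",
     "CommandLine": "fsutil devdrv enable /disallowAv"},
    {"Image": r"C:\Windows\System32\fsutil.exe",
     "CommandLine": "fsutil devdrv enable /allowAv"},        # benign variant
    {"Image": r"C:\Windows\System32\fsutil.exe",
     "CommandLine": "fsutil devdrv query"},                   # read-only
    # The cmd.exe event itself does not match: the rule keys on Image, so the
    # alert comes from the fsutil.exe child process it spawns.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c fsutil devdrv enable /disallowAv"},
    # Case is not significant under Sigma's default matching.
    {"Image": r"C:\WINDOWS\SYSTEM32\FSUTIL.EXE",
     "CommandLine": "FSUTIL DEVDRV ENABLE /DISALLOWAV"},
]


def alerts(events):
    """Return the command lines of the events that trigger the rule."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Note that `' /disallowAv'` carries a leading space, so an argument glued to the previous token or passed in a form the shell rewrites would not match; a SIEM backend that lowercases or normalises whitespace differently may need the pattern adjusted.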