Enabling Dev Drive With Disabled AV

Detects the execution of fsutil.exe to enable a Dev Drive with an argument that disables the AV on the created drive. This technique is available starting with Windows 11.

Sigma rule

title: Enabling Dev Drive With Disabled AV
description: Detects the execution of fsutil.exe to enable a Dev Drive with an argument that disables the AV on the created drive. This technique is available starting with Windows 11.
status: experimental
date: 2023/11/05
author: '@kostastsale'
references:
    - https://twitter.com/0gtweet/status/1720419490519752955
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith:
            - '\fsutil.exe'
        CommandLine|contains|all:
            - ' devdrv'
            - ' enable'
            - ' /disallowAv'
    condition: selection1
falsepositives:
    - Unlikely
level: high
tags:
    - attack.defense.evasion
    - attack.T1562.001
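To show what the rule above actually matches, here is an added example (not part of the rule or the Sigma project) that applies selection1 to a handful of constructed process_creation events; the file paths and command lines are made up, and Sigma's default case-insensitive string matching is reproduced by lower-casing both sides.

```python
# Field conditions copied from the rule. Sigma string modifiers match
# case-insensitively, so both sides are lower-cased before comparing.
IMAGE_SUFFIXES = ("\\fsutil.exe",)
CMDLINE_ALL = (" devdrv", " enable", " /disallowav")


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies selection1 of the rule."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not any(image.endswith(s) for s in IMAGE_SUFFIXES):
        return False
    # contains|all: every listed substring must appear in CommandLine
    return all(token in cmdline for token in CMDLINE_ALL)


# Constructed sample events (hypothetical paths and command lines).
SAMPLE_EVENTS = [
    {   # Dev Drive enabled with AV filtering disallowed: should alert
        "Image": r"C:\Windows\System32\fsutil.exe",
        "CommandLine": r"fsutil devdrv enable /disallowAv",
    },
    {   # Same action typed in a different case: still alerts
        "Image": r"C:\WINDOWS\SYSTEM32\FSUTIL.EXE",
        "CommandLine": r"FSUTIL DEVDRV ENABLE /DISALLOWAV",
    },
    {   # Dev Drive enabled with AV left on: out of scope for this rule
        "Image": r"C:\Windows\System32\fsutil.exe",
        "CommandLine": r"fsutil devdrv enable",
    },
    {   # Unrelated fsutil use: no alert
        "Image": r"C:\Windows\System32\fsutil.exe",
        "CommandLine": r"fsutil devdrv query",
    },
    {   # Matching command line but a different binary: no alert
        "Image": r"C:\Tools\notes.exe",
        "CommandLine": r"notes.exe devdrv enable /disallowAv",
    },
]


def alerting_events(events):
    """Return the subset of events the rule would flag."""
    return [e for e in events if matches_rule(e)]
```

Running `alerting_events(SAMPLE_EVENTS)` returns only the first two events, which is the behaviour a SIEM conversion of this rule should reproduce.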
