Disabled AV On Dev Drive via Registry

Detects a registry change that enables a Dev Drive without allowing antivirus filter drivers to attach to the created drive. This technique is available starting with Windows 11.

Sigma rule

title: Disabled AV On Dev Drive via Registry
description: Detects a registry change that enables a Dev Drive without allowing antivirus filter drivers to attach to the created drive. This technique is available starting with Windows 11.
status: experimental
date: 2023/11/05
author: '@kostastsale'
references:
    - https://twitter.com/0gtweet/status/1720419490519752955
logsource:
    category: registry_set
    product: windows
detection:
    selection1:
        TargetObject|contains:
          - '\SYSTEM\CurrentControlSet\'
        TargetObject|endswith:
          - 'FltmgrDevDriveAllowAntivirusFilter'
        Details|endswith: '0'
    condition: selection1
falsepositives:
    - Unlikely
level: high
tags:
    - attack.defense.evasion
    - attack.T1562.001
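The following is an added example, not part of the rule or its repository, that runs the rule's `selection1` over a handful of constructed `registry_set` events so the matching semantics can be checked before deployment. It assumes Sysmon Event ID 13 (RegistryEvent: Value Set) records, the usual source behind Sigma's `registry_set`/`windows` logsource, with `TargetObject` and `Details` as Sysmon writes them. The full key path used in the samples is an illustration; the rule only pins the `\SYSTEM\CurrentControlSet\` prefix and the value name. Because Sysmon renders DWORD data as `DWORD (0x00000000)`, the example also decodes that wrapper and compares the integer, which is tighter than the literal `endswith: '0'`.

```python
"""Run the selection of the Sigma rule above over sample registry_set events.

Added example; it is not part of the rule or its repository. Assumes Sysmon
Event ID 13 records with TargetObject and Details fields as Sysmon writes them.
"""
import re

# Constants taken from the rule's selection1.
KEY_PREFIX = "\\SYSTEM\\CurrentControlSet\\"
VALUE_NAME = "FltmgrDevDriveAllowAntivirusFilter"

# Constructed sample events, not real telemetry. The full key path is an
# illustration (assumption); the rule itself only pins prefix and value name.
_KEY = "HKLM\\SYSTEM\\CurrentControlSet\\Control\\FilterManager\\" + VALUE_NAME
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": _KEY, "Details": "DWORD (0x00000000)"},   # AV filter disallowed
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": _KEY, "Details": "DWORD (0x00000001)"},   # AV filter allowed
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Example\\Start",
     "Details": "DWORD (0x00000000)"},                         # unrelated value
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": _KEY, "Details": "DWORD (0x00000010)"},   # non-zero, ends in '0'
]

# Sysmon renders DWORD registry data as 'DWORD (0x00000000)'.
_DWORD_RE = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{8})\)$")


def parse_dword(details):
    """Return the integer inside Sysmon's DWORD rendering, or None if absent."""
    m = _DWORD_RE.match(details)
    return int(m.group(1), 16) if m else None


def target_matches(event):
    """TargetObject|contains and TargetObject|endswith, case-insensitive as in Sigma."""
    target = event.get("TargetObject", "").lower()
    return KEY_PREFIX.lower() in target and target.endswith(VALUE_NAME.lower())


def matches_as_written(event):
    """The selection exactly as the rule states it: Details|endswith '0' on the raw string."""
    return target_matches(event) and event.get("Details", "").lower().endswith("0")


def matches_normalized(event):
    """Same intent, but decode the DWORD and require the value to be exactly zero."""
    return target_matches(event) and parse_dword(event.get("Details", "")) == 0


def run_detection(events, check=matches_normalized):
    """Indices of Event ID 13 records that satisfy the chosen selection."""
    return [i for i, e in enumerate(events) if e.get("EventID") == 13 and check(e)]


if __name__ == "__main__":
    for i in run_detection(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"level=high tags=attack.T1562.001 image={e['Image']} details={e['Details']}")
```

Running `run_detection(SAMPLE_EVENTS, matches_as_written)` over these Sysmon-rendered samples yields no hits, because the rendered string ends in `)` rather than `0`; the literal form only fires where the pipeline has already reduced `Details` to the bare value. That is worth verifying against your own log source before relying on the rule, and the decoded comparison in `matches_normalized` also keeps values such as `0x00000010` from matching.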
