Disabled AV On Dev Drive via Registry
Detects a registry change to the FltmgrDevDriveAllowAntivirusFilter value that lets a Dev Drive be used without the antivirus filter driver attached to it, so files on that volume are not scanned. Dev Drive is available starting with Windows 11. The same value is written legitimately by `fsutil devdrv enable /disallowAv` (and the current state can be checked with `fsutil devdrv query`), so the detection depends on context: which process made the change and whether a developer on that host is expected to opt out of scanning. Note that the event only exists if the Sysmon (or equivalent) registry-value-set configuration covers this key.
Sigma rule (View on GitHub)
```yaml
title: Disabled AV On Dev Drive via Registry
description: Detects a registry change to FltmgrDevDriveAllowAntivirusFilter that enables a Dev Drive without allowing the antivirus filter driver to attach to the created drive. This technique is available starting with Windows 11.
status: experimental
date: 2023/11/05
author: '@kostastsale'
references:
    - https://twitter.com/0gtweet/status/1720419490519752955
logsource:
    category: registry_set
    product: windows
detection:
    selection1:
        TargetObject|contains: '\SYSTEM\CurrentControlSet\'
        TargetObject|endswith: 'FltmgrDevDriveAllowAntivirusFilter'
        # Sysmon renders DWORD data as 'DWORD (0x00000000)'; matching the
        # full string rather than a trailing '0' avoids hits on values such as 0x10.
        Details: 'DWORD (0x00000000)'
    condition: selection1
falsepositives:
    - Developers deliberately opting out of antivirus scanning on a Dev Drive (for example via 'fsutil devdrv enable /disallowAv')
level: high
tags:
    - attack.defense.evasion
    - attack.T1562.001
```