Enabling Dev Drive With Disabled AV

Detects the execution of fsutil.exe to enable a Dev Drive with the argument that disables antivirus (AV) filtering on the created drive. This technique is available starting with Windows 11.

Sigma rule

title: Enabling Dev Drive With Disabled AV
id: 53394955-c956-4e36-8fa6-24c8d8b3dbaf
description: Detects the execution of fsutil.exe to enable a Dev Drive with an argument that disables the AV on the created drive. This technique is available starting with Windows 11.
status: experimental
date: 2023/11/05
author: '@kostastsale'
references:
    - https://twitter.com/0gtweet/status/1720419490519752955
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith:
            - '\fsutil.exe'
        CommandLine|contains|all:
            - ' devdrv'
            - ' enable'
            - ' /disallowAv'
    condition: selection1
falsepositives:
    - Unlikely
level: high
tags:
    - attack.defense.evasion
    - attack.T1562.001
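The following is an added example, not part of the rule or the Sigma project, showing how selection1 above evaluates against process-creation events. The matcher is a minimal stand-in for a Sigma backend, and the sample events are constructed (Sysmon-style Image/CommandLine fields), not real telemetry.

```python
"""Evaluate selection1 of the 'Enabling Dev Drive With Disabled AV' rule
against process-creation events.

Added example: the matcher is a hypothetical minimal Sigma evaluator and
the events below are constructed, not real logs.
"""

# Selection copied from the rule above. Sigma's endswith/contains
# modifiers are case-insensitive by default, so patterns and fields
# are lower-cased before comparison.
IMAGE_ENDSWITH = ["\\fsutil.exe"]
CMDLINE_CONTAINS_ALL = [" devdrv", " enable", " /disallowAv"]


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies selection1 (Image AND CommandLine)."""
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    image_ok = any(image.endswith(s.lower()) for s in IMAGE_ENDSWITH)
    # contains|all: every listed substring must be present
    cmdline_ok = all(s.lower() in cmdline for s in CMDLINE_CONTAINS_ALL)
    return image_ok and cmdline_ok


def alerts(events) -> list:
    """Return indices of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # expected to fire: Dev Drive enabled with AV filtering disallowed
        "Image": "C:\\Windows\\System32\\fsutil.exe",
        "CommandLine": "fsutil.exe devdrv enable /disallowAv",
        "User": "CORP\\alice",
    },
    {   # expected not to fire: Dev Drive enabled with AV left in place
        "Image": "C:\\Windows\\System32\\fsutil.exe",
        "CommandLine": "fsutil.exe devdrv enable /allowAv",
    },
    {   # expected not to fire: read-only query of Dev Drive state
        "Image": "C:\\Windows\\System32\\fsutil.exe",
        "CommandLine": "fsutil devdrv query D:",
    },
    {   # expected not to fire: matching text but Image is not fsutil.exe
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c echo devdrv enable /disallowAv",
    },
]


if __name__ == "__main__":
    for i in alerts(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"ALERT (level high): {e['Image']} -> {e['CommandLine']}")
```

The second event shows why the rule keys on ` /disallowAv` rather than on `devdrv enable` alone: enabling a Dev Drive is legitimate developer activity, and only the flag that turns off AV filtering is the defense-evasion signal. The case-insensitive comparison matters too; a backend that compiles `contains` to a case-sensitive match would miss `/DisallowAV` spelled in a different case.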
