Disabled AV On Dev Drive via Registry
Detects the registry change that enables a Dev Drive without allowing antivirus filter drivers to attach to the created drive. This technique is available starting with Windows 11.
Sigma rule

```yaml
title: Disabled AV On Dev Drive via Registry
id: 31e124fb-5dc4-42a0-83b3-44a69c77b271
description: Detects the registry change that enables a Dev Drive without allowing antivirus filter drivers to attach to the created drive. This technique is available starting with Windows 11.
status: experimental
date: 2023/11/05
author: '@kostastsale'
references:
    - https://twitter.com/0gtweet/status/1720419490519752955
logsource:
    category: registry_set
    product: windows
detection:
    selection1:
        TargetObject|contains:
            - '\SYSTEM\CurrentControlSet\'
        TargetObject|endswith:
            - 'FltmgrDevDriveAllowAntivirusFilter'
        # Sysmon reports DWORD values as e.g. "DWORD (0x00000000)"; a trailing 0 is the disabled state
        Details|endswith: '0'
    condition: selection1
falsepositives:
    - Unlikely
level: high
tags:
    - attack.defense_evasion
    - attack.t1562.001
```