Antivirus Filter Driver Disallowed On Dev Drive - Deleted Key

Rule Info

Name: Antivirus Filter Driver Disallowed On Dev Drive - Deleted Key
Author: Nasreddine Bencherchali (Nextron Systems)
Description: Detects the deletion of a registry value related to "Dev Drive" antivirus monitoring. An attacker might delete this value in order to evade security monitoring on Dev Drives.
Date: 2024-01-25 00:00:00
Modified: None
Id: 1cf16869-e5aa-48a4-80c9-59f02a95ef34
Tags: attack.defense_evasion attack.t1562.001
Type: Nextron Sigma feed only (private)

Rule History