Dev Drive Attach Policy Registry Key Deleted

Rule Info

Name: Dev Drive Attach Policy Registry Key Deleted
Author: Nasreddine Bencherchali (Nextron Systems)
Description: Detects the deletion of a registry value related to the "Dev Drive" filter driver attach policy. An attacker might delete this value in order to avoid security monitoring on Dev Drives.
Date: 2024-01-25 00:00:00
Modified: None
Id: 2ec0d73b-6a62-4570-840d-3996cca3cef5
Tags: attack.defense_evasion, attack.t1562.001
Type: Nextron Sigma feed only (private)

Rule History