Antivirus Filter Driver Disallowed On Dev Drive

Rule Info

Name
Antivirus Filter Driver Disallowed On Dev Drive
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".
Reference
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-devdrv
Date
2024-01-24 00:00:00
Modified
None
Id
67ea5994-cc44-4421-bab0-6720e58b508c
Tags
attack.execution attack.defense_evasion
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022