Disabling of an Input Device

Rule Info

Name
Disabling of an Input Device
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the disabling of critical input devices such as keyboard and mouse, which may indicate malicious activity aimed at preventing user interaction with the system. Threat actors may disable input devices during attacks to maintain persistence and prevent users from interrupting malicious operations or accessing security tools. This technique is often observed in ransomware attacks and data exfiltration scenarios where attackers seek to minimize user interference. To verify whether the disabling was legitimate or part of an attack, further investigation into the context and source of the action is recommended.
Date
2026-03-22 00:00:00
Modified
None
Id
f7995cdf-9d41-43a8-8bd5-da438cdc6404
Tags
attack.defense-evasion attack.t1562.001 attack.impact
Type
Nextron Sigma feed only (private)

Rule History