
Summary
This analytic detection rule identifies raw access reads of disk partitions on a Windows host using Sysmon EventCode 9 (RawAccessRead) logs. The objective is to flag suspicious activity in which a process attempts to read or write the boot sector, which is normally protected from such access. To reduce false positives, the detection excludes legitimate system processes, specifically those whose image resides in the Windows System32 and SysWOW64 directories. The rule is particularly relevant to data destruction and system-inoperability attacks, such as those carried out by wiper malware like HermeticWiper. Because such operations can have severe impact, monitoring for these abnormal access patterns is important.
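The following is an added example, not part of the original rule, showing the detection logic described above applied to constructed Sysmon EventCode 9 records. It assumes the exclusion is a case-insensitive path-prefix match on the Image field for anything under \Windows\System32\ or \Windows\SysWOW64\ (including subdirectories); field names follow Sysmon's Event 9 schema, and the sample events and paths are constructed.

```python
import re

# Constructed Sysmon events in a simple "Key: Value" export, one blank line
# between events. Event 9 is RawAccessRead; the final record is Event 1
# (ProcessCreate) and must be ignored by the detection.
SAMPLE_EVENTS = r"""
EventCode: 9
UtcTime: 2024-11-13 10:15:02.123
ProcessId: 4712
Image: C:\Users\Public\updater.exe
Device: \Device\HarddiskVolume2
User: CORP\alice

EventCode: 9
UtcTime: 2024-11-13 10:15:03.456
ProcessId: 1328
Image: C:\Windows\System32\svchost.exe
Device: \Device\HarddiskVolume2
User: NT AUTHORITY\SYSTEM

EventCode: 9
UtcTime: 2024-11-13 10:15:04.789
ProcessId: 2204
Image: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
Device: \Device\HarddiskVolume1
User: NT AUTHORITY\NETWORK SERVICE

EventCode: 1
UtcTime: 2024-11-13 10:15:05.000
ProcessId: 5000
Image: C:\Temp\tool.exe
"""

# Assumed exclusion (see lead-in): image path under the Windows system
# directories, matched case-insensitively on a drive-letter prefix.
EXCLUDED_IMAGE_RE = re.compile(
    r"^[a-z]:\\windows\\(system32|syswow64)\\", re.IGNORECASE
)


def parse_sysmon_events(text):
    """Split the export into events and each event into a field dict.

    Values are split on the first ':' only, so timestamps keep their colons.
    """
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def is_excluded_image(image):
    """True when the process image lives under System32 or SysWOW64."""
    return EXCLUDED_IMAGE_RE.match(image) is not None


def detect_raw_access_reads(events):
    """Return the Event 9 records that survive the system-directory exclusion.

    Each hit carries the fields an analyst needs to triage: when, which
    process, which raw device it opened, and as whom.
    """
    hits = []
    for ev in events:
        if ev.get("EventCode") != "9":
            continue
        image = ev.get("Image", "")
        if is_excluded_image(image):
            continue
        hits.append({
            "utc_time": ev.get("UtcTime"),
            "process_id": ev.get("ProcessId"),
            "image": image,
            "device": ev.get("Device"),
            "user": ev.get("User"),
        })
    return hits


if __name__ == "__main__":
    for hit in detect_raw_access_reads(parse_sysmon_events(SAMPLE_EVENTS)):
        print(f"{hit['utc_time']} pid={hit['process_id']} {hit['image']} "
              f"opened {hit['device']} as {hit['user']}")
```

Of the three constructed Event 9 records, only the one from C:\Users\Public\updater.exe is reported; the svchost.exe and WmiPrvSE.exe reads are suppressed by the exclusion, and the Event 1 record is never considered. Because the exclusion is a plain path-prefix match, it trades coverage for a lower alert volume, so the Device and User fields on each hit are worth reviewing together rather than the Image field alone.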
Categories
- Endpoint
- Windows
Data Sources
- Process
- File
- Logon Session
ATT&CK Techniques
- T1561.002
- T1561
Created: 2024-11-13