
Windows Raw Access To Master Boot Record Drive

Splunk Security Content

Summary
This detection rule flags suspicious raw access to the Master Boot Record (MBR) of a Windows system. It relies on Sysmon EventCode 9 (RawAccessRead), which is logged when a process reads a drive directly through a \\.\ device path instead of going through the filesystem, and identifies processes that do this against the physical disk holding the MBR, while excluding known legitimate processes located in the Windows system directories. The MBR is a common target for destructive payloads: threat actors overwrite it to wipe or encrypt disk structures, leaving the system unbootable and causing data loss. Monitoring for unauthorized raw access to the MBR is therefore an important integrity control. Note that the exclusion is path-based, so it trusts any binary executing from those directories and will still alert on legitimate backup, imaging or forensic tools installed elsewhere; tune the allow-list to the environment rather than widening it to whole drives.
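As an added illustration of the filter the summary describes, and not Splunk's own search, the following Python runs the same logic over a few constructed Sysmon EventCode 9 records: keep events whose device is the first physical disk, drop images under the Windows system directories, and aggregate the rest by host, image and device the way a stats-style search would. The device name \Device\Harddisk0\DR0, the System32/SysWOW64 exclusion globs and the pipe-delimited record format are assumptions made for the example.

```python
from __future__ import annotations

import fnmatch
from collections import Counter
from dataclasses import dataclass

# Assumption: device name Sysmon reports for the first physical disk (MBR lives here).
MBR_DEVICE = r"\Device\Harddisk0\DR0"

# Assumption: the "known legitimate" exclusion is a path allow-list of the
# Windows system directories, expressed as globs against the Image field.
TRUSTED_IMAGE_GLOBS = (r"*\Windows\System32\*", r"*\Windows\SysWOW64\*")


@dataclass(frozen=True)
class RawAccessRead:
    computer: str
    image: str
    device: str
    process_guid: str


def parse_event(line: str) -> RawAccessRead | None:
    """Parse one constructed 'key=value|key=value' Sysmon record.

    Returns None for anything that is not EventCode 9 (RawAccessRead).
    """
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    if fields.get("EventCode") != "9":
        return None
    return RawAccessRead(
        computer=fields["Computer"],
        image=fields["Image"],
        device=fields["Device"],
        process_guid=fields["ProcessGuid"],
    )


def is_trusted_image(image: str) -> bool:
    """Case-insensitive glob match against the system-directory allow-list."""
    lowered = image.lower()
    return any(fnmatch.fnmatchcase(lowered, g.lower()) for g in TRUSTED_IMAGE_GLOBS)


def is_suspicious(ev: RawAccessRead) -> bool:
    """Raw read of the MBR disk by a process outside the Windows system dirs."""
    return ev.device.lower() == MBR_DEVICE.lower() and not is_trusted_image(ev.image)


def detect(lines: list[str]) -> list[RawAccessRead]:
    """Apply the rule to a batch of records and return the alerting events."""
    hits: list[RawAccessRead] = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and is_suspicious(ev):
            hits.append(ev)
    return hits


def summarize(hits: list[RawAccessRead]) -> Counter:
    """Aggregate like '| stats count by Computer Image Device'."""
    return Counter((h.computer, h.image, h.device) for h in hits)


# Constructed sample records (not real telemetry).
SAMPLE_LOGS = [
    # Legitimate: a System32 binary reading the disk -> excluded by the allow-list.
    r"EventCode=9|Computer=WS01|Image=C:\Windows\System32\svchost.exe|Device=\Device\Harddisk0\DR0|ProcessGuid={A1}",
    # Suspicious: user-writable location opening the MBR disk raw, twice.
    r"EventCode=9|Computer=WS01|Image=C:\Users\Public\mbrtool.exe|Device=\Device\Harddisk0\DR0|ProcessGuid={B2}",
    r"EventCode=9|Computer=WS01|Image=C:\Users\Public\mbrtool.exe|Device=\Device\Harddisk0\DR0|ProcessGuid={B2}",
    # Not the MBR disk: a raw read of a volume, ignored by this rule.
    r"EventCode=9|Computer=WS02|Image=C:\Users\Public\mbrtool.exe|Device=\Device\HarddiskVolume3|ProcessGuid={C3}",
    # Different event type entirely (process creation) -> parser skips it.
    r"EventCode=1|Computer=WS02|Image=C:\Users\Public\mbrtool.exe|Device=|ProcessGuid={D4}",
    # Legitimate backup agent outside System32: still alerts, needs environment tuning.
    r"EventCode=9|Computer=WS03|Image=C:\Program Files\BackupVendor\agent.exe|Device=\Device\Harddisk0\DR0|ProcessGuid={E5}",
]

if __name__ == "__main__":
    for (computer, image, device), count in summarize(detect(SAMPLE_LOGS)).items():
        print(f"{computer}\t{image}\t{device}\tcount={count}")
```

The last sample record is the point a practitioner should take away: the exclusion only covers the Windows system directories, so a backup agent installed under Program Files produces the same alert as a wiper dropped in a public folder, and the rule is only as good as the per-environment allow-list maintained alongside it.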
Categories
  • Windows
  • Endpoint
Data Sources
  • Sysmon EventID 9 (RawAccessRead)
ATT&CK Techniques
  • T1561.002
  • T1561
Created: 2024-11-13