LoFP / This event is notable on its own, but a small number of legitimate applications that run from the System32 folder, such as svchost.exe, also perform raw access reads against the disk. For that reason the 'System32' and 'SysWOW64' paths are used as an exclusion filter in these detections. Note that the exclusion is a path-prefix wildcard rather than a signer or integrity check, so an image dropped into a user-writable subfolder under System32 (spool\drivers\color is one well-known example) would be excluded too; tune the filter macros with that in mind.

Techniques

Sample rules

Windows Raw Access To Disk Volume Partition

Description

The following analytic detects suspicious raw access reads of a host's disk volume partitions (\Device\HarddiskVolume*). It leverages Sysmon EventCode 9 (RawAccessRead), which records a process reading a drive directly through the \\.\ device notation instead of through the file system, and excludes images located under System32 and SysWOW64. Raw reads of a volume bypass file-system access controls and are commonly associated with destructive actions by adversaries, such as wiping, encrypting, or overwriting the boot sector, as seen in attacks involving malware like HermeticWiper. If confirmed malicious, this behavior could lead to severe impacts, including system inoperability, data loss, or compromised boot integrity.

Detection logic

`sysmon` EventCode=9 Device = \\Device\\HarddiskVolume* NOT (Image IN("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*")) 
| stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id process_guid process_name process_path Device 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_raw_access_to_disk_volume_partition_filter`

Windows Raw Access To Master Boot Record Drive

Description

The following analytic detects suspicious raw access reads of the physical drive that holds the Master Boot Record (\Device\Harddisk0\DR0). It leverages Sysmon EventCode 9 (RawAccessRead), which records a process reading a drive directly through the \\.\ device notation, and excludes images located under System32 and SysWOW64. This activity is significant because adversaries often read and then wipe, encrypt, or overwrite the MBR as part of their impact payload. If confirmed malicious, this could lead to system instability, data loss, or a complete system compromise, severely impacting the organization's operations.

Detection logic

`sysmon` EventCode=9 Device = \\Device\\Harddisk0\\DR0 NOT (Image IN("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*")) 
| stats count min(_time) as firstTime max(_time) as lastTime by Computer Image Device ProcessGuid ProcessId EventDescription EventCode 
| rename Computer as dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_raw_access_to_master_boot_record_drive_filter`
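To make the two searches above concrete, here is an added Python example (not part of the security_content project, and not a substitute for running the SPL) that re-implements both rules over a handful of constructed Sysmon EventCode 9 records: the `Device` wildcard, the `NOT (Image IN (...))` exclusion, and the `stats count min(_time) max(_time)` aggregation. The event dictionaries, host names, GUIDs and paths are all made up for the example. It also includes an event from a writable subfolder of System32 to show that the path filter suppresses it, which is the caveat from the LoFP note.

```python
import fnmatch
from collections import defaultdict

# Same exclusion globs as the SPL `NOT (Image IN(...))` clause.
EXCLUDED_IMAGE_GLOBS = (r"*\Windows\System32\*", r"*\Windows\SysWOW64\*")

# Constructed sample events (not real telemetry). Field names follow Sysmon's
# EventCode 9 schema; _time is an epoch second as Splunk would store it.
SAMPLE_EVENTS = [
    # 1. svchost.exe reading a volume: the benign case the LoFP note describes.
    {"EventCode": 9, "Computer": "ws01", "ProcessId": 1200, "ProcessGuid": "{G1}",
     "Image": r"C:\Windows\System32\svchost.exe",
     "Device": r"\Device\HarddiskVolume2", "_time": 1700000000},
    # 2/3. A binary from a user profile reading the same volume, twice.
    {"EventCode": 9, "Computer": "ws01", "ProcessId": 4410, "ProcessGuid": "{G2}",
     "Image": r"C:\Users\bob\AppData\Local\Temp\wipe.exe",
     "Device": r"\Device\HarddiskVolume2", "_time": 1700000100},
    {"EventCode": 9, "Computer": "ws01", "ProcessId": 4410, "ProcessGuid": "{G2}",
     "Image": r"C:\Users\bob\AppData\Local\Temp\wipe.exe",
     "Device": r"\Device\HarddiskVolume2", "_time": 1700000160},
    # 4. The same binary reading the physical drive that holds the MBR.
    {"EventCode": 9, "Computer": "ws01", "ProcessId": 4410, "ProcessGuid": "{G2}",
     "Image": r"C:\Users\bob\AppData\Local\Temp\wipe.exe",
     "Device": r"\Device\Harddisk0\DR0", "_time": 1700000200},
    # 5. A SysWOW64 process reading Harddisk0\DR0: suppressed by the path filter.
    {"EventCode": 9, "Computer": "ws02", "ProcessId": 3020, "ProcessGuid": "{G3}",
     "Image": r"C:\Windows\SysWOW64\wbem\WmiPrvSE.exe",
     "Device": r"\Device\Harddisk0\DR0", "_time": 1700000300},
    # 6. A process-creation event: wrong EventCode, never considered.
    {"EventCode": 1, "Computer": "ws02", "ProcessId": 3021, "ProcessGuid": "{G4}",
     "Image": r"C:\Users\eve\tool.exe", "Device": "", "_time": 1700000400},
    # 7. Caveat: a binary in a writable subfolder of System32 is also excluded,
    #    because the filter is a path-prefix glob, not a signer check.
    {"EventCode": 9, "Computer": "ws02", "ProcessId": 5100, "ProcessGuid": "{G5}",
     "Image": r"C:\Windows\System32\spool\drivers\color\dropper.exe",
     "Device": r"\Device\Harddisk0\DR0", "_time": 1700000500},
]


def _glob(value, pattern):
    # Splunk's initial search matches field values case-insensitively;
    # fnmatchcase keeps backslashes literal regardless of host OS.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_excluded_image(image):
    """True when Image falls under the System32 / SysWOW64 exclusion globs."""
    return any(_glob(image, g) for g in EXCLUDED_IMAGE_GLOBS)


def raw_access_hits(events, device_glob):
    """Mirror `sysmon EventCode=9 Device=<glob> NOT (Image IN (...)) | stats ...`.

    Returns {(dest, Image, Device, ProcessGuid): {"count", "firstTime", "lastTime"}}.
    """
    rows = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        if ev.get("EventCode") != 9:
            continue
        if not _glob(ev.get("Device", ""), device_glob):
            continue
        if is_excluded_image(ev.get("Image", "")):
            continue
        key = (ev["Computer"], ev["Image"], ev["Device"], ev["ProcessGuid"])
        row = rows[key]
        row["count"] += 1
        t = ev["_time"]
        row["firstTime"] = t if row["firstTime"] is None else min(row["firstTime"], t)
        row["lastTime"] = t if row["lastTime"] is None else max(row["lastTime"], t)
    return dict(rows)


def volume_partition_hits(events):
    """Windows Raw Access To Disk Volume Partition."""
    return raw_access_hits(events, r"\Device\HarddiskVolume*")


def mbr_drive_hits(events):
    """Windows Raw Access To Master Boot Record Drive."""
    return raw_access_hits(events, r"\Device\Harddisk0\DR0")


if __name__ == "__main__":
    for name, fn in (("volume partition", volume_partition_hits),
                     ("MBR drive", mbr_drive_hits)):
        print(f"== {name} ==")
        for key, row in fn(SAMPLE_EVENTS).items():
            print(key, row)
```

Running it yields one aggregated row per rule, both for the user-profile binary: two volume reads and one read of Harddisk0\DR0. Events 1 and 5 drop out because of the System32/SysWOW64 exclusion, and so does event 7, which is the point of the caveat: anything that can write under System32 inherits the exclusion, so in production the `*_filter` macros should be narrowed to specific trusted images rather than whole directory trees.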