sigma | low | Hunting

Potential Defense Evasion Via Raw Disk Access By Uncommon Tools

Detects raw disk access by uncommon tools, or by tools located in suspicious paths (heavy filtering is required), which could indicate a defense evasion attempt.

MITRE ATT&CK

defense-evasion


Author

Teymur Kheirkhabarov, oscd.community

Created

2019-10-22

Data Sources

windows / raw_access_thread

Platforms

windows

Tags

attack.defense-evasion, attack.t1006

Raw Content

```yaml
title: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools
id: db809f10-56ce-4420-8c86-d6a7d793c79c
status: test
description: Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-10-22
modified: 2025-12-03
tags:
    - attack.defense-evasion
    - attack.t1006
logsource:
    product: windows
    category: raw_access_thread
detection:
    filter_main_floppy:
        Device|contains: floppy
    filter_main_generic:
        Image|startswith:
            - 'C:\$WINDOWS.~BT\'
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\CCM\'
            - 'C:\Windows\explorer.exe'
            - 'C:\Windows\servicing\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SystemApps\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\uus\'
            - 'C:\Windows\WinSxS\'
    filter_main_system_images:
        Image:
            - 'Registry'
            - 'System'
    filter_main_windefender:
        Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        Image|endswith:
            - '\MsMpEng.exe'
            - '\MpDefenderCoreService.exe'
    filter_main_microsoft_appdata:
        Image|startswith: 'C:\Users\'
        Image|contains|all:
            - '\AppData\'
            - '\Microsoft\'
    filter_main_ssd_nvme:
        Image|startswith: 'C:\Windows\Temp\'
        Image|endswith:
            - '\Executables\SSDUpdate.exe'
            - '\HostMetadata\NVMEHostmetadata.exe'
    filter_main_null:
        Image: null
    filter_main_systemsettings:
        Image: 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
    filter_main_update:
        Image|startswith: 'C:\$WinREAgent\Scratch\'
    filter_optional_github_desktop:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\GitHubDesktop\app-'
        Image|endswith: '\resources\app\git\mingw64\bin\git.exe'
    filter_optional_nextron:
        Image|startswith: 'C:\Windows\Temp\asgard2-agent\'
        Image|endswith: '\thor.exe'
    filter_optional_Keybase:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Keybase\upd.exe'
    condition: not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Likely
level: low
```
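As an added example (not part of the rule or the Sigma project), the following Python evaluates this rule's filter set and condition against constructed Sysmon Event ID 9 (RawAccessRead) records; the event names and paths are constructed, and the helpers assume Sigma's default case-insensitive string matching.

```python
# Added example (not part of the Sigma rule or the Sigma project): evaluates
# this rule's exclusion logic over constructed Sysmon Event ID 9 records.
# Sigma string modifiers are case-insensitive (.lower() below); None = null.
FILTERS = [
    {"Device|contains": ["floppy"]},
    {"Image|startswith": ["C:\\$WINDOWS.~BT\\", "C:\\Program Files (x86)\\",
        "C:\\Program Files\\", "C:\\Windows\\CCM\\", "C:\\Windows\\explorer.exe",
        "C:\\Windows\\servicing\\", "C:\\Windows\\SoftwareDistribution\\",
        "C:\\Windows\\System32\\", "C:\\Windows\\SystemApps\\", "C:\\Windows\\SysWOW64\\",
        "C:\\Windows\\uus\\", "C:\\Windows\\WinSxS\\"]},
    {"Image": ["Registry", "System"]}, {"Image": [None]},
    {"Image|startswith": ["C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\"],
     "Image|endswith": ["\\MsMpEng.exe", "\\MpDefenderCoreService.exe"]},
    {"Image|startswith": ["C:\\Users\\"], "Image|contains|all": ["\\AppData\\", "\\Microsoft\\"]},
    {"Image|startswith": ["C:\\Windows\\Temp\\"],
     "Image|endswith": ["\\Executables\\SSDUpdate.exe", "\\HostMetadata\\NVMEHostmetadata.exe"]},
    {"Image": ["C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe"]},
    {"Image|startswith": ["C:\\$WinREAgent\\Scratch\\"]},
    {"Image|startswith": ["C:\\Users\\"], "Image|contains": ["\\AppData\\Local\\GitHubDesktop\\app-"],
     "Image|endswith": ["\\resources\\app\\git\\mingw64\\bin\\git.exe"]},
    {"Image|startswith": ["C:\\Windows\\Temp\\asgard2-agent\\"], "Image|endswith": ["\\thor.exe"]},
    {"Image|startswith": ["C:\\Users\\"], "Image|contains": ["\\AppData\\Local\\Keybase\\upd.exe"]},
]

def match_field(value, mods, patterns):
    # One "Field|modifier" entry of a filter; "all" requires every pattern.
    if value is None or patterns == [None]:
        return value is None and patterns == [None]
    v = value.lower()
    ops = {"startswith": v.startswith, "endswith": v.endswith,
           "contains": lambda p: p in v, "": lambda p: v == p}
    op = ops[next((m for m in mods if m in ops), "")]
    hits = [op(p.lower()) for p in patterns]
    return all(hits) if "all" in mods else any(hits)

def rule_matches(event):
    # condition: not 1 of filter_main_* and not 1 of filter_optional_*
    return not any(all(match_field(event.get(k.split("|")[0]), k.split("|")[1:], p)
                       for k, p in f.items()) for f in FILTERS)

# Constructed RawAccessRead records (field names as Sysmon logs them).
EVENTS = {
    "defender": {"Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe"},
    "diskpart": {"Image": "C:\\Windows\\System32\\diskpart.exe"},
    "no_image": {"Device": "\\Device\\HarddiskVolume3"},
    "floppy": {"Image": "C:\\Tools\\imager.exe", "Device": "\\Device\\Floppy0"},
    "temp_tool": {"Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\dd.exe"},
}

def alerts():
    return sorted(n for n, ev in EVENTS.items() if rule_matches(ev))
```

Only the unsigned-looking binary running from a user Temp directory survives every exclusion; the others are dropped by the floppy, null-image, Defender and generic-path filters respectively.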