Processes accessing raw logical drives (e.g., `\\.\C:`) to bypass file system protections or directly manipulate data structures.

| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |

| Field | Description |
|---|---|
| TargetObjectPattern | Regex pattern to detect access to raw disk volumes like `\Device\HarddiskVolume` or `\\.\PhysicalDrive*`. |
| ParentProcess | Tune for known tools/scripts (e.g., powershell.exe, cmd.exe) often used in misuse scenarios. |
| TimeWindow | Correlate file access and creation across a short time window to avoid false positives. |
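The following is an added example, not part of the original detection strategy, showing how the three tunable fields above (TargetObjectPattern, ParentProcess, TimeWindow) combine into one correlation rule: a Security 4688 process-creation event is joined to a later Sysmon EventCode=10 access event from the same process ID, and an alert fires only when the accessed object matches the raw-volume regex and the access falls within the time window of the creation. The log lines are constructed and flattened into a simplified `key=value` layout; the `TargetObject` field name, the hex/decimal process ID handling, and the severity bump for parents in the ParentProcess tuning set are assumptions for illustration, not fields or logic from the page.

```python
import re
from datetime import datetime, timedelta

# Assumed regex for the TargetObjectPattern parameter: \Device\HarddiskVolumeN,
# \\.\PhysicalDriveN, or a \\.\X: logical-drive device path.
TARGET_OBJECT_PATTERN = re.compile(
    r"^(\\Device\\HarddiskVolume\d*|\\\\\.\\(PhysicalDrive\d*|[A-Za-z]:))$",
    re.IGNORECASE,
)
# Assumed ParentProcess tuning: scripting hosts that raise the severity of a hit.
PARENT_PROCESS_TUNING = {"powershell.exe", "cmd.exe"}
# Assumed TimeWindow: creation must precede the raw access by at most this long.
TIME_WINDOW = timedelta(seconds=60)

# Constructed sample log (not real telemetry). Field names are a simplified
# flattening of Security 4688 and Sysmon EventCode=10 records.
SAMPLE_LOG = r"""
2024-05-01T10:00:00Z EventCode=4688 NewProcessId=0x1a2 NewProcessName=C:\Tools\diskdump.exe ParentProcessName=C:\Windows\System32\cmd.exe
2024-05-01T10:00:05Z EventCode=10 SourceProcessId=418 SourceImage=C:\Tools\diskdump.exe TargetObject=\\.\PhysicalDrive0 GrantedAccess=0x1fffff
2024-05-01T10:02:00Z EventCode=4688 NewProcessId=0x2b0 NewProcessName=C:\Backup\agent.exe ParentProcessName=C:\Windows\System32\services.exe
2024-05-01T10:02:30Z EventCode=10 SourceProcessId=688 SourceImage=C:\Backup\agent.exe TargetObject=\Device\HarddiskVolume2 GrantedAccess=0x100000
2024-05-01T10:03:00Z EventCode=10 SourceProcessId=688 SourceImage=C:\Backup\agent.exe TargetObject=C:\Windows\System32\lsass.exe GrantedAccess=0x1010
2024-05-01T09:00:00Z EventCode=4688 NewProcessId=0x3c4 NewProcessName=C:\Windows\System32\svchost.exe ParentProcessName=C:\Windows\System32\services.exe
2024-05-01T10:30:00Z EventCode=10 SourceProcessId=964 SourceImage=C:\Windows\System32\svchost.exe TargetObject=\Device\HarddiskVolume1 GrantedAccess=0x100000
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict; '_ts' holds the parsed time."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["_ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(lines, time_window=TIME_WINDOW, parent_tuning=PARENT_PROCESS_TUNING):
    """Correlate 4688 creations with EventCode=10 raw-volume access by PID."""
    creations = {}  # pid -> most recent creation record for that pid
    alerts = []
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        code = ev.get("EventCode")
        if code == "4688":
            # Security logs NewProcessId as hex (0x1a2); int(..., 0) accepts both forms.
            creations[int(ev["NewProcessId"], 0)] = ev
        elif code == "10":
            target = ev.get("TargetObject", "")
            if not TARGET_OBJECT_PATTERN.match(target):
                continue  # ordinary object, not a raw volume
            created = creations.get(int(ev["SourceProcessId"], 0))
            if created is None:
                continue  # no creation seen; cannot correlate
            gap = ev["_ts"] - created["_ts"]
            if not (timedelta(0) <= gap <= time_window):
                continue  # outside TimeWindow, treated as likely benign per the rule
            parent = created.get("ParentProcessName", "").rsplit("\\", 1)[-1].lower()
            alerts.append({
                "time": ev["_ts"].isoformat(),
                "image": ev["SourceImage"],
                "target": target,
                "parent": parent,
                "severity": "high" if parent in parent_tuning else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample, the diskdump.exe access to `\\.\PhysicalDrive0` five seconds after being spawned by cmd.exe scores high, the backup agent's access to `\Device\HarddiskVolume2` scores medium (parent services.exe is not in the tuning set), the lsass.exe target is ignored by the regex, and the svchost.exe access ninety minutes after creation falls outside the window. Whether long-lived processes should still alert is a tuning decision the TimeWindow field leaves to the deployment.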
CLI or automated utilities accessing raw device volumes or flash storage directly (e.g., via `copy flash:`, `format`, or partition commands).

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | networkdevice:cli | command logging |

| Field | Description |
|---|---|
| CommandScope | Limit detection to volume-level commands (e.g., `format`, `copy`, `mount`, `erase`). |
| DeviceTypeFilter | Filter by internal vs. removable volume interactions (e.g., flash, SD card). |
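As an added example (not from the original page), the network-device analytic above can be expressed as a small rule over exported CLI command logs: keep only commands whose verb is in CommandScope, pull every `name:` filesystem prefix out of the command line, classify each as internal or removable, and optionally apply a DeviceTypeFilter. The log lines are constructed, the `key=value` layout with a quoted `cmd` field is an assumed export format rather than any vendor's native accounting record, and the prefix-to-device-type mapping (`flash`/`bootflash`/`disk0` as internal, `usbflash0`/`sdflash` as removable) is an assumption to be replaced with the platform's actual filesystem names.

```python
import re

# CommandScope as listed on the page.
COMMAND_SCOPE = {"format", "copy", "mount", "erase"}
# Assumed DeviceTypeFilter mapping from filesystem prefix to device class.
INTERNAL_DEVICES = {"flash", "bootflash", "nvram", "disk0"}
REMOVABLE_DEVICES = {"usbflash0", "usbflash1", "sdflash", "usb0"}

# 'flash:' style prefixes; the negative lookahead skips URL schemes like tftp://.
FS_PREFIX = re.compile(r"\b([A-Za-z]+\d*):(?!//)")
# key=value pairs where the value may be a double-quoted string.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample of command-logging output (not real device output).
SAMPLE_CLI_LOG = """
2024-05-01T11:00:00Z host=core-sw1 user=netops line=vty0 cmd="show ip interface brief"
2024-05-01T11:00:10Z host=core-sw1 user=netops line=vty0 cmd="copy running-config startup-config"
2024-05-01T11:00:30Z host=core-sw1 user=netops line=vty0 cmd="copy flash:config.bin tftp://10.0.0.5/config.bin"
2024-05-01T11:01:00Z host=core-sw1 user=admin line=con0 cmd="format flash:"
2024-05-01T11:01:20Z host=core-sw1 user=admin line=con0 cmd="erase usbflash0:"
2024-05-01T11:02:00Z host=core-sw1 user=admin line=con0 cmd="dir flash:"
"""


def parse_cli_line(line):
    """Split 'timestamp key=value ...' into a dict, stripping quotes from values."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["_ts"] = ts
    return fields


def classify_device(prefix):
    """Map a filesystem prefix to 'internal', 'removable' or 'unknown'."""
    p = prefix.lower()
    if p in INTERNAL_DEVICES:
        return "internal"
    if p in REMOVABLE_DEVICES:
        return "removable"
    return "unknown"


def detect_volume_commands(lines, scope=COMMAND_SCOPE, device_filter=None):
    """Return volume-level commands, optionally restricted to one device class.

    device_filter: None (no filter), 'internal' or 'removable'.
    """
    findings = []
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_cli_line(raw)
        tokens = ev.get("cmd", "").split()
        verb = tokens[0].lower() if tokens else ""
        if verb not in scope:
            continue  # outside CommandScope (show, dir, ...)
        devices = {p: classify_device(p) for p in FS_PREFIX.findall(ev["cmd"])}
        if not devices:
            continue  # e.g. copy running-config startup-config touches no volume
        if device_filter and device_filter not in devices.values():
            continue  # DeviceTypeFilter excludes this interaction
        findings.append({
            "time": ev["_ts"],
            "host": ev.get("host"),
            "user": ev.get("user"),
            "verb": verb,
            "command": ev["cmd"],
            "devices": devices,
        })
    return findings


if __name__ == "__main__":
    for f in detect_volume_commands(SAMPLE_CLI_LOG.splitlines()):
        print(f)
    print("removable only:",
          detect_volume_commands(SAMPLE_CLI_LOG.splitlines(), device_filter="removable"))
```

With no filter the rule reports the `copy flash:` export, the `format flash:` and the `erase usbflash0:`; `show`, `dir` and the config-to-config `copy` drop out because they are out of scope or touch no volume. Setting `device_filter="removable"` narrows the result to the USB erase, which is the split the DeviceTypeFilter field is meant to give an analyst.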