Detection: Windows Raw Access To Disk Volume Partition

Updated Date: 2024-05-28 ID: a85aa37e-9647-11ec-90c5-acde48001122 Author: Teoderick Contreras, Splunk Type: Anomaly Product: Splunk Enterprise Security

Description

The following analytic detects suspicious raw access reads to the device disk partition of a host machine. It leverages Sysmon EventCode 9 logs to identify processes attempting to read or write to the boot sector, excluding legitimate system processes. This activity is significant as it is commonly associated with destructive actions by adversaries, such as wiping, encrypting, or overwriting the boot sector, as seen in attacks involving malware like HermeticWiper. If confirmed malicious, this behavior could lead to severe impacts, including system inoperability, data loss, or compromised boot integrity.

Search

1`sysmon` EventCode=9 Device = \\Device\\HarddiskVolume* NOT (Image IN("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*")) 
2| stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id process_guid process_name process_path Device 
3| `security_content_ctime(firstTime)` 
4| `security_content_ctime(lastTime)` 
5| `windows_raw_access_to_disk_volume_partition_filter`

Data Source

Name	Platform	Sourcetype	Source	Supported App
Sysmon EventID 9	Windows	`'xmlwineventlog'`	`'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'`	N/A

Macros Used

Name	Value
security_content_ctime	`convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)`
windows_raw_access_to_disk_volume_partition_filter	`search *`

windows_raw_access_to_disk_volume_partition_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1561.002	Disk Structure Wipe	Impact
T1561	Disk Wipe	Impact

KillChainPhase.ACTIONS_ON_OBJECTIVES

NistCategory.DE_AE

Cis18Value.CIS_10

APT37

APT38

Lazarus Group

Sandworm Team

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Risk Event	True

This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and process guid from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Known False Positives

This event is really notable but we found minimal number of normal application from system32 folder like svchost.exe accessing it too. In this case we used 'system32' and 'syswow64' path as a filter for this detection.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message	Risk Score	Impact	Confidence
Process accessing disk partition $Device$ in $dest$	90	90	100

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`	`xmlwineventlog`
Integration	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`	`xmlwineventlog`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 2