{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/raw-disk-access/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["critical"],"_cs_tags":["raw-disk-access","wiper","boot-sector","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis brief focuses on detecting anomalous raw disk access attempts on Windows systems. The activity is flagged via Sysmon EventCode 9, which logs raw disk reads. Threat actors frequently leverage raw disk access for destructive purposes like wiping, encrypting, or overwriting the boot sector, rendering systems inoperable. Notably, malware families like HermeticWiper have employed this technique to devastating effect. This detection excludes legitimate system processes by filtering known good paths like \u003ccode\u003e\\Windows\\System32\\\u003c/code\u003e and \u003ccode\u003e\\Windows\\SysWOW64\\\u003c/code\u003e. The successful execution of such an attack can lead to complete system failure, data loss, and significant operational disruption. Understanding and detecting this activity is crucial for preventing severe damage to targeted systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the target system through various means (e.g., exploiting vulnerabilities, compromised credentials, or social engineering).\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges to gain necessary permissions for raw disk access, often requiring SYSTEM-level access.\u003c/li\u003e\n\u003cli\u003eDisable Security Controls: Attempts to disable or evade security products that might interfere with disk access (e.g., anti-virus, endpoint detection and response (EDR)).\u003c/li\u003e\n\u003cli\u003eRaw Disk Access: A malicious process initiates raw disk access using Windows APIs to directly read or write to the disk volume partitions (Sysmon EventCode 9). Example: \u003ccode\u003e\\\\Device\\\\HarddiskVolume1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eBoot Sector Modification: The attacker overwrites the Master Boot Record (MBR) or other critical boot sectors with malicious code.\u003c/li\u003e\n\u003cli\u003eData Wiping/Encryption: The attacker uses raw disk access to wipe partitions by overwriting data with random bytes or encrypting data without providing a recovery key.\u003c/li\u003e\n\u003cli\u003eSystem Crash/Reboot: The compromised system crashes or is forced to reboot.\u003c/li\u003e\n\u003cli\u003eDenial of Service: Upon reboot, the system fails to start due to the corrupted boot sector or wiped partitions, resulting in a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful raw disk access attacks can result in complete data loss, system inoperability, and significant operational disruption. The HermeticWiper attack in 2022 impacted hundreds of systems across multiple organizations, primarily in Ukraine, causing widespread data destruction and hindering critical services. Organizations across all sectors are potentially vulnerable, with financial, government, and critical infrastructure entities being prime targets. The cost of remediation can range from tens of thousands to millions of dollars, depending on the scale of the attack and the complexity of the recovery process.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 9 logging to capture raw disk access events. This will activate the core detection mechanism (Sysmon EventID 9).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eRaw Disk Access Outside System Paths\u003c/code\u003e to detect processes accessing disk volumes from unusual locations. Tune the filters based on your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u003ccode\u003eRaw Disk Access by Unusual Processes\u003c/code\u003e for processes not commonly associated with disk operations to identify potentially malicious activity.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict which processes can execute and access sensitive resources, mitigating the risk of unauthorized disk access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-raw-disk-access/","summary":"Detection of processes accessing raw disk volumes outside of normal system paths, often associated with wiper malware and boot sector attacks.","title":"Suspicious Raw Disk Access Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-09-raw-disk-access/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["critical"],"_cs_tags":["raw-disk-access","mbr","windows","sysmon","data-destruction"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies suspicious raw access reads to the Master Boot Record (MBR) on Windows systems. Attackers frequently target the MBR to disrupt system operations, destroy data, or deploy ransomware. The MBR is a critical sector of a hard drive that contains bootloader code, so modifying or corrupting it renders the system unbootable. This analytic focuses on detecting unusual processes attempting to directly read from the MBR device (\u003ccode\u003e\\\\Device\\\\Harddisk0\\\\DR0\u003c/code\u003e) by monitoring Sysmon Event ID 9. The detection excludes legitimate system processes typically found under \u003ccode\u003eC:\\Windows\\System32\\\u003c/code\u003e and \u003ccode\u003eC:\\Windows\\SysWOW64\\\u003c/code\u003e to reduce false positives. This activity is often associated with destructive malware, ransomware, or other malicious tools that aim to compromise the integrity and availability of the system. Several destructive malware families, like WhisperGate, Hermetic Wiper, and Caddy Wiper, have leveraged MBR overwriting as part of their attack sequence. Early detection can prevent widespread damage and data loss.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the system, often through phishing or exploiting a vulnerability. (This step is not logged by the detection rule but is a common precursor).\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker elevates privileges to gain the necessary permissions to access and modify the MBR. (This step is not logged by the detection rule but is a common precursor).\u003c/li\u003e\n\u003cli\u003eMBR Access: The attacker uses a malicious tool to initiate a raw access read operation to the \u003ccode\u003e\\\\Device\\\\Harddisk0\\\\DR0\u003c/code\u003e device, which represents the MBR. This triggers Sysmon Event ID 9.\u003c/li\u003e\n\u003cli\u003eData Read: The malicious tool reads the contents of the MBR sector. This can be for analysis before modification or simply as part of an overwrite operation.\u003c/li\u003e\n\u003cli\u003eMBR Modification: The attacker overwrites the MBR with malicious code, such as a wiper or ransomware demand.\u003c/li\u003e\n\u003cli\u003eSystem Reboot: The attacker triggers a system reboot, either directly or indirectly, to activate the malicious MBR code.\u003c/li\u003e\n\u003cli\u003eImpact: Upon reboot, the system attempts to load the corrupted MBR, leading to a boot failure, data loss, or the display of a ransomware message.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can render systems unbootable, leading to significant downtime and data loss. MBR overwriting is often associated with destructive attacks that aim to disrupt operations, as seen with WhisperGate malware targeting Ukrainian organizations. Depending on the scope of the attack, organizations could experience complete system compromise across numerous endpoints, resulting in substantial financial losses, reputational damage, and regulatory penalties. The attacks associated with MBR modification have been observed across various sectors, including government, critical infrastructure, and businesses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon with Event ID 9 to monitor raw disk access events on endpoints.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026quot;Windows Raw Access To Master Boot Record Drive\u0026quot; Sigma rule to your SIEM to detect suspicious processes accessing the MBR.\u003c/li\u003e\n\u003cli\u003eTune the \u0026quot;Windows Raw Access To Master Boot Record Drive\u0026quot; Sigma rule by reviewing and excluding any legitimate processes accessing the MBR to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on processes not under standard Windows directories as indicators of potential malicious activity.\u003c/li\u003e\n\u003cli\u003eImplement robust backup and recovery procedures to quickly restore systems in the event of a successful MBR overwrite attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-mbr-raw-access/","summary":"This analytic detects suspicious raw access reads to the drive containing the Master Boot Record (MBR) using Sysmon EventCode 9, which is a common tactic used by attackers to wipe, encrypt, or overwrite the MBR as part of their impact payload.","title":"Detecting Windows Raw Access to Master Boot Record","url":"https://feed.craftedsignal.io/briefs/2024-01-mbr-raw-access/"}],"language":"en","title":"CraftedSignal Threat Feed - Raw-Disk-Access","version":"https://jsonfeed.org/version/1.1"}