Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Write Protect For Storage Disabled

Detects applications trying to modify the registry in order to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
SreemanCreated Fri Jun 11Updated Thu Jan 1875f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        CommandLine|contains|all:
            - '\System\CurrentControlSet\Control'
            - 'Write Protection'
            - '0'
            - 'storage'
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
manageengine.com
MITRE ATT&CK
Rule Metadata
Rule ID
75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13
Status
test
Level
medium
Type
Detection
Created
Fri Jun 11
Modified
Thu Jan 18
Author
Sreeman
Path
rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml
Raw Tags
attack.defense-evasionattack.t1562
View on GitHub