
Write Protect For Storage Disabled

Tags: sigma · MEDIUM · SigmaHQ · T1685 · imProcessCreate · ransomware
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-18T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects applications trying to modify the registry in order to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.

Detection Rule

Sigma (Original)

title: Write Protect For Storage Disabled
id: 75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13
status: test
description: |
    Detects applications trying to modify the registry in order to disable any write-protect property for storage devices.
    This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
references:
    - https://www.manageengine.com/products/desktop-central/os-imaging-deployment/media-is-write-protected.html
author: Sreeman
date: 2021-06-11
modified: 2024-01-18
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains|all:
            - '\System\CurrentControlSet\Control'
            - 'Write Protection'
            - '0'
            - 'storage'
    condition: selection
falsepositives:
    - Unknown
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessCommandLine contains "\\System\\CurrentControlSet\\Control" and TargetProcessCommandLine contains "Write Protection" and TargetProcessCommandLine contains "0" and TargetProcessCommandLine contains "storage"
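The selection above is four case-insensitive substring tests that must all hold on one command line; the following Python is an added example (not part of the SigmaHQ rule or this feed) that evaluates that `contains|all` logic over constructed process-creation events, so the rule can be checked against true positives and benign look-alikes before it is deployed:

```python
# Sigma string matching is case-insensitive by default (as is KQL `contains`),
# so both the needles and the command line are lower-cased before comparison.
SELECTION_CONTAINS_ALL = (
    "\\System\\CurrentControlSet\\Control",
    "Write Protection",
    "0",
    "storage",
)


def matches_selection(command_line, needles=SELECTION_CONTAINS_ALL):
    """Return True when every needle occurs in command_line (case-insensitive),
    which is exactly what the rule's contains|all modifier evaluates."""
    haystack = command_line.lower()
    return all(needle.lower() in haystack for needle in needles)


def hunt(events):
    """Apply the selection to process-creation events; return the hits."""
    return [e for e in events if matches_selection(e["CommandLine"])]


# Constructed sample events (not real telemetry). Events 1 and 2 have the
# shape the rule targets, including a mixed-case variant; 3-5 are benign
# look-alikes that each miss at least one of the four substrings.
SAMPLE_EVENTS = [
    {"id": 1, "CommandLine": 'reg add "HKLM\\System\\CurrentControlSet\\Control'
                             '\\StorageDevicePolicies" /v "Write Protection" '
                             '/t REG_DWORD /d 0 /f'},
    {"id": 2, "CommandLine": 'REG ADD HKLM\\SYSTEM\\CURRENTCONTROLSET\\CONTROL'
                             '\\STORAGEDEVICEPOLICIES /V "WRITE PROTECTION" /D 0'},
    # Same key, but value 1 (write protection enabled): no "0" anywhere.
    {"id": 3, "CommandLine": 'reg add "HKLM\\System\\CurrentControlSet\\Control'
                             '\\StorageDevicePolicies" /v "Write Protection" '
                             '/t REG_DWORD /d 1 /f'},
    # Read-only query: no "Write Protection" and no "0".
    {"id": 4, "CommandLine": 'reg query HKLM\\System\\CurrentControlSet\\Control'
                             '\\StorageDevicePolicies'},
    # Contains "storage" and "0" but neither the key path nor "Write Protection".
    {"id": 5, "CommandLine": 'powershell -NoProfile -Command '
                             '"Get-StorageJob | Where-Object Status -ne 0"'},
]

if __name__ == "__main__":
    for event in hunt(SAMPLE_EVENTS):
        print("HIT", event["id"], event["CommandLine"])
```

Note that the `'0'` substring on its own matches almost any command line that carries a numeric argument; the rule's specificity comes from the other three strings, so tuning effort is best spent on those.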

Required Data Sources

Sentinel Table: imProcessCreate
Notes: Ensure this data connector is enabled

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml