Rules: Sysmon - RawAccessRead Event
The RawAccessRead event detects when a process conducts reading operations from the drive using the \.\ denotation. This technique is often used by malware for data exfiltration of files that are locked for reading, as well as to avoid file access auditing tools. The event indicates the source process and target device.
| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Impact |
| Apply Risk to Entities | device_hostname, user_username |
| Signal Name | Sysmon - RawAccessRead Event |
| Summary Expression | RawAccessRead Event on {{device_hostname}} with user: {{user_username}} |
| Score/Severity | Static: 1 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0040, _mitreAttackTechnique:T1561, _mitreAttackTechnique:T1561.001, _mitreAttackTechnique:T1561.002 |
| Origin | Field |
|---|---|
| Normalized Schema | device_hostname |
| Normalized Schema | metadata_deviceEventId |
| Normalized Schema | metadata_product |
| Normalized Schema | metadata_vendor |
| Normalized Schema | user_username |