SysmonObject Access

Event 9: Raw Access Read

Detects when a process conducts reading operations from the drive using \\.\ notation. This technique is often used by malware for data exfiltration of files that are locked for reading, as well as to avoid file access auditing tools.

Technical Details

Sysmon Source

Event ID: 9

Sysmon- Object Access

Event Description

Detects when a process conducts reading operations from the drive using \\.\ notation. This technique is often used by malware for data exfiltration of files that are locked for reading, as well as to avoid file access auditing tools.

Key Log Fields

  • UtcTime - UTC timestamp of raw disk access
  • ProcessGuid - Process GUID performing raw access
  • ProcessId - Process ID
  • Image - Process executable path
  • Device - Device path being accessed (e.g., \Device\HarddiskVolume1)

Contents