Event 9: Raw Access Read
Detects when a process conducts reading operations from the drive using \\.\ notation. This technique is often used by malware for data exfiltration of files that are locked for reading, as well as to avoid file access auditing tools.
Technical Details
Event ID: 9
Sysmon- Object Access
Event Description
Detects when a process conducts reading operations from the drive using \\.\ notation. This technique is often used by malware for data exfiltration of files that are locked for reading, as well as to avoid file access auditing tools.
Key Log Fields
UtcTime- UTC timestamp of raw disk accessProcessGuid- Process GUID performing raw accessProcessId- Process IDImage- Process executable pathDevice- Device path being accessed (e.g., \Device\HarddiskVolume1)
MITRE ATT&CK® Mapping (2)
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information. Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009) Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)