Event ID 9
Detects when a process conducts reading operations from the drive using the \\.\ denotation.
Source:
Microsoft-Windows-Sysmon
Category:
RawAccessRead detected (rule: RawAccessRead)
RawAccessRead detected: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! Image: %5!s! Device: %6!s! User: %7!s!
The RawAccessRead event detects when a process conducts reading operations from the drive using the \\.\ denotation, that is, by opening the volume or disk device directly instead of going through the file system. This technique is often used by malware to copy files that are locked for reading (for example the SAM hive or NTDS.dit) and to avoid file access auditing, since no file handle is ever opened on the file itself. The event indicates the source process (Image, ProcessId, ProcessGuid, User) and the target device (Device, a volume device name such as \Device\HarddiskVolume2). It does not record which file was read; that has to be inferred from the process and its other activity. Legitimate software also reads volumes raw (defragmentation, backup, imaging and disk-check tools), so establish a baseline of expected images before alerting, and use the Image, Device and User fields in the Sysmon configuration's RawAccessRead filter to exclude known-good readers.
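As an added example (not part of this reference page or of Sysmon itself), the following Python script parses an XML export of Sysmon events such as wevtutil or Get-WinEvent produce, keeps only Event ID 9, and flags RawAccessRead records whose Image is outside a baseline of known raw-volume readers or lives under a user-writable directory. The sample records, host name, GUIDs, paths and the baseline set are all constructed for the example and are not real telemetry.

```python
import xml.etree.ElementTree as ET

# Windows event XML namespace used by every Sysmon record.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample export (not real telemetry): three RawAccessRead (ID 9)
# records plus one ProcessCreate (ID 1) record to show unrelated events are
# ignored. Host, GUIDs and paths are hypothetical.
SAMPLE_EVENTS = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>9</EventID>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ws01.example.local</Computer></System>
<EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2024-05-01 09:12:03.117</Data>
<Data Name="ProcessGuid">{a1b2c3d4-0001-0000-0000-000000000001}</Data><Data Name="ProcessId">1420</Data>
<Data Name="Image">C:\Windows\System32\defrag.exe</Data><Data Name="Device">\Device\HarddiskVolume2</Data>
<Data Name="User">NT AUTHORITY\SYSTEM</Data></EventData></Event>
<Event><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ws01.example.local</Computer></System>
<EventData><Data Name="UtcTime">2024-05-01 09:13:40.002</Data><Data Name="ProcessId">5120</Data>
<Data Name="Image">C:\Users\alice\AppData\Local\Temp\dump.exe</Data></EventData></Event>
<Event><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>9</EventID>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ws01.example.local</Computer></System>
<EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2024-05-01 09:13:41.550</Data>
<Data Name="ProcessGuid">{a1b2c3d4-0002-0000-0000-000000000002}</Data><Data Name="ProcessId">5120</Data>
<Data Name="Image">C:\Users\alice\AppData\Local\Temp\dump.exe</Data><Data Name="Device">\Device\HarddiskVolume2</Data>
<Data Name="User">CORP\alice</Data></EventData></Event>
<Event><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>9</EventID>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ws01.example.local</Computer></System>
<EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2024-05-01 09:15:02.008</Data>
<Data Name="ProcessGuid">{a1b2c3d4-0003-0000-0000-000000000003}</Data><Data Name="ProcessId">6612</Data>
<Data Name="Image">C:\Tools\rawread.exe</Data><Data Name="Device">\Device\HarddiskVolume2</Data>
<Data Name="User">NT AUTHORITY\SYSTEM</Data></EventData></Event>
</Events>"""

# Hypothetical per-environment baseline of images that legitimately open
# volumes raw (defragmentation, backup, imaging agents). Build it from your own
# telemetry; this single entry is a placeholder for the example.
RAW_READ_BASELINE = {
    "c:\\windows\\system32\\defrag.exe",
}

# Directory fragments an unprivileged user can normally write to. A raw volume
# reader launched from one of these deserves a closer look even if baselined.
USER_WRITABLE_FRAGMENTS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def parse_sysmon_events(xml_text):
    """Yield (event_id, system_fields, event_data) for each <Event> in an export."""
    root = ET.fromstring(xml_text)
    for ev in root.iter("{%s}Event" % NS["e"]):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        system = {
            "Computer": ev.findtext("e:System/e:Computer", default="", namespaces=NS),
            "Channel": ev.findtext("e:System/e:Channel", default="", namespaces=NS),
        }
        # EventData is a flat list of <Data Name="..."> elements; map by Name.
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        yield event_id, system, data


def detect_raw_access_reads(xml_text, baseline=RAW_READ_BASELINE):
    """Return alert dicts for Event ID 9 records that fall outside the baseline."""
    alerts = []
    for event_id, system, data in parse_sysmon_events(xml_text):
        if event_id != 9:  # only RawAccessRead records are of interest here
            continue
        image = data.get("Image", "")
        image_l = image.lower()
        reasons = []
        if image_l not in baseline:
            reasons.append("not in raw-read baseline")
        if any(frag in image_l for frag in USER_WRITABLE_FRAGMENTS):
            reasons.append("image under user-writable path")
        if not reasons:
            continue
        alerts.append({
            "event_id": event_id,
            "computer": system["Computer"],
            "utc_time": data.get("UtcTime", ""),
            "process_id": int(data.get("ProcessId", "0")),
            "image": image,
            "device": data.get("Device", ""),  # the volume, not the file read
            "user": data.get("User", ""),
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_raw_access_reads(SAMPLE_EVENTS):
        print(f"{a['utc_time']} {a['computer']} pid={a['process_id']} user={a['user']} "
              f"{a['image']} -> {a['device']}: {', '.join(a['reasons'])}")
```

Run against the constructed export, the script reports two of the three RawAccessRead records: dump.exe running from a user's Temp directory and an unbaselined rawread.exe, while the baselined defrag.exe is suppressed. Because the Device field only names the volume, an alert on its own does not tell you what was read; pivot on the ProcessGuid into the process's Event ID 1, 10 and 11 records to see whether it went on to write a copy somewhere.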