Event ID 9 — RawAccessRead
Description
The RawAccessRead event detects when a process conducts reading operations from the drive.
Fields
| Name | Type | Description |
|---|---|---|
| RuleName | UnicodeString → string | Custom tag mapped to the event, e.g. an ATT&CK technique ID |
| UtcTime | UnicodeString → string | Time in UTC when the event was created |
| ProcessGuid | GUID → GUID | Process GUID of the process that conducted reading operations from the drive |
| ProcessId | UInt32 → PID | Process ID used by the OS to identify the process that conducted reading operations from the drive |
| Image | UnicodeString → string | File path of the process that conducted reading operations from the drive |
| Device | UnicodeString → string | Target device |
| User | UnicodeString → string | Name of the account of the process that conducted reading operations from the drive |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 9,
    "version": 2,
    "level": 4,
    "task": 9,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T02:04:11.574013+00:00",
    "event_record_id": 1438039,
    "correlation": {},
    "execution": {
      "process_id": 7064,
      "thread_id": 9788
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2023-11-06 02:04:11.571",
    "ProcessGuid": "E56ADA26-17E6-6548-EB03-000000000000",
    "ProcessId": 4,
    "Image": "System",
    "Device": "\\Device\\HarddiskVolume1",
    "User": "NT AUTHORITY\\SYSTEM"
  },
  "message": ""
}
```
Community Notes
RawAccessRead may indicate direct disk reads of ntds.dit, SAM, or page files for offline hash extraction.
Detection Rules
Sigma
- Potential Defense Evasion Via Raw Disk Access By Uncommon Tools (level: low): Detects raw disk access using uncommon tools, or tools located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts.
Splunk
- Windows Raw Access To Disk Volume Partition: The following analytic detects suspicious raw access reads to the device disk partition of a host machine. It leverages Sysmon EventCode 9 logs to identify processes attempting to read or write to the boot sector, excluding legitimate system processes. This activity is significant as it is commonly associated with destructive actions by adversaries, such as wiping, encrypting, or overwriting the boot sector, as seen in attacks involving malware like HermeticWiper. If confirmed malicious, this behavior could lead to severe impacts, including system inoperability, data loss, or compromised boot integrity.
- Windows Raw Access To Master Boot Record Drive: The following analytic detects suspicious raw access reads to the drive containing the Master Boot Record (MBR). It leverages Sysmon EventCode 9 to identify processes attempting to read or write to the MBR sector, excluding legitimate system processes. This activity is significant because adversaries often target the MBR to wipe, encrypt, or overwrite it as part of their impact payload. If confirmed malicious, this could lead to system instability, data loss, or a complete system compromise, severely impacting the organization's operations.
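Both the Sigma and Splunk rules above share one shape: take every Event ID 9 record, drop the legitimate system processes, and look harder at whatever is left, especially when the image lives in an uncommon location. The following Python is an added example written for this page (it is not code from Sysmon, Sigma or Splunk) that applies that shape to records in the JSON layout shown under Example Event. The allow-list of expected images, the list of uncommon path fragments, the `make_event` helper and the sample records are all constructed for the example; only the `System` (PID 4) record mirrors the page's own event.

```python
"""Triage helper for Sysmon Event ID 9 (RawAccessRead) records.

Added example, not part of the original reference page. Records are
expected in the JSON shape shown under "Example Event": a "system" object
carrying event_id and an "event_data" object carrying the Event ID 9 fields.
"""
import json
from typing import Optional

# Constructed allow-list. The page's own example shows the kernel ("System",
# PID 4) reading a volume; any further entries are an estate-specific tuning
# decision, so only that one is included here.
EXPECTED_IMAGES = {"System"}

# Constructed: lower-cased path fragments treated as uncommon locations for a
# process performing raw disk reads (mirrors the Sigma rule's "suspicious
# locations" wording; the specific folders are assumptions for the example).
UNCOMMON_PATH_FRAGMENTS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def make_event(image: str, pid: int, device: str, user: str, event_id: int = 9) -> str:
    """Build a constructed Sysmon record in the page's JSON shape (trimmed to
    the keys this example reads). The ProcessGuid is a placeholder."""
    return json.dumps({
        "system": {
            "provider": "Microsoft-Windows-Sysmon",
            "event_id": event_id,
            "channel": "Microsoft-Windows-Sysmon/Operational",
        },
        "event_data": {
            "RuleName": "-",
            "UtcTime": "2023-11-06 02:04:11.571",
            "ProcessGuid": "00000000-0000-0000-0000-000000000000",
            "ProcessId": pid,
            "Image": image,
            "Device": device,
            "User": user,
        },
    })


# Constructed sample batch: one record mirrors the page's example, two are
# hypothetical user-mode readers, and one is not an Event ID 9 at all.
SAMPLE_RECORDS = [
    make_event("System", 4, "\\Device\\HarddiskVolume1", "NT AUTHORITY\\SYSTEM"),
    make_event("C:\\Users\\alice\\AppData\\Local\\Temp\\diskread.exe", 5120,
               "\\Device\\HarddiskVolume1", "WINDEV2310EVAL\\alice"),
    make_event("C:\\Tools\\imager.exe", 6011,
               "\\Device\\HarddiskVolume2", "WINDEV2310EVAL\\bob"),
    make_event("C:\\Windows\\System32\\svchost.exe", 900,
               "\\Device\\HarddiskVolume1", "NT AUTHORITY\\SYSTEM", event_id=1),
]


def parse_event(raw: str) -> Optional[dict]:
    """Return the event_data of a RawAccessRead record, or None when the record
    is malformed, is not JSON, or is not Event ID 9."""
    try:
        ev = json.loads(raw)
        if ev["system"]["event_id"] != 9:
            return None
        data = ev["event_data"]
        for key in ("UtcTime", "ProcessId", "Image", "Device", "User"):
            data[key]  # every field the triage relies on must be present
        return data
    except (ValueError, KeyError, TypeError):
        return None


def classify(data: dict) -> str:
    """'expected' for allow-listed images, 'suspicious' for images in an
    uncommon location, otherwise 'review' (raw reads by anything else still
    deserve a look, per both analytics above)."""
    image = data["Image"]
    if image in EXPECTED_IMAGES:
        return "expected"
    if any(frag in image.lower() for frag in UNCOMMON_PATH_FRAGMENTS):
        return "suspicious"
    return "review"


def triage(records: list) -> list:
    """Parse a batch of raw JSON records and return one finding per
    RawAccessRead whose image is not expected, preserving input order."""
    findings = []
    for raw in records:
        data = parse_event(raw)
        if data is None:
            continue
        verdict = classify(data)
        if verdict == "expected":
            continue
        findings.append({
            "time": data["UtcTime"],
            "pid": data["ProcessId"],
            "image": data["Image"],
            "device": data["Device"],
            "user": data["User"],
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

On the constructed batch this yields two findings: the reader under `\Users\...\Temp\` is marked `suspicious`, the one under `C:\Tools\` is marked `review`, the kernel's own read is dropped as expected, and the non-Event-9 record is ignored. The `Device` field is carried through untouched because the Splunk analytics above key on which volume was read; widening `EXPECTED_IMAGES` is where the "heavy filtering" the Sigma rule warns about happens, and it should be done per estate rather than in the example.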