Yamato-Security / hayabusa-rules

Curated Windows event log Sigma rules used in Hayabusa and Velociraptor.

Add "NTFS volume mounted" rule #741

Closed Qazeer closed 1 month ago

Qazeer commented 1 month ago

Hello!

This PR adds a rule for event 4 of the channel "Microsoft-Windows-Ntfs/Operational", which tracks mounting of NTFS volumes. It can be useful in correlation with the 'Device Conn' rule to retrieve the volume label / name associated with the device.

The rule attempts to filter out events from normal system usage, but some noise is expected.

Qazeer commented 1 month ago

Regarding the IsBootVolume, I have added a filter to remove the boot volume (IsBootVolume: true) so it would always be set to false. Should I also remove that filter? It would be a trade-off between noise and exhaustivity.

I will implement the changes you deem best, and update the PR :)

YamatoSecurity commented 1 month ago

@Qazeer I see. Sorry I did not take a good look at the filter section. Yes, I think it would be better to filter out the boot partitions and not include IsBootVolume.
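As an added illustration of the logic discussed in this thread (not code from the PR or from hayabusa-rules), the following Python emulates the rule's selection (channel + event ID) and its IsBootVolume filter over constructed sample events, with a switch that shows the noise/exhaustivity trade-off of dropping the boot volume. The flattened one-object-per-event layout and the VolumeName field are assumptions for the example.

```python
"""Emulation of the 'NTFS volume mounted' rule: selection and not filter.

Sample events are constructed, not real logs. Channel, EventID and
IsBootVolume come from the PR discussion; VolumeName and the flattened
JSON shape are assumptions made for this example.
"""

CHANNEL = "Microsoft-Windows-Ntfs/Operational"
EVENT_ID = 4

# Constructed sample records (assumption: one flattened dict per event).
SAMPLE_EVENTS = [
    {"Channel": CHANNEL, "EventID": 4, "IsBootVolume": True,
     "VolumeName": r"\Device\HarddiskVolume3"},   # boot volume, filtered
    {"Channel": CHANNEL, "EventID": 4, "IsBootVolume": False,
     "VolumeName": r"\Device\HarddiskVolume7"},   # non-boot mount, matches
    {"Channel": CHANNEL, "EventID": "4", "IsBootVolume": "false",
     "VolumeName": r"\Device\HarddiskVolume8"},   # string-typed fields
    {"Channel": CHANNEL, "EventID": 142, "IsBootVolume": False},  # other ID
    {"Channel": "System", "EventID": 4, "IsBootVolume": False},   # other channel
]


def _is_true(value):
    """Normalise a boolean field: EVTX-to-JSON converters emit bool or string."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def matches(event, exclude_boot_volume=True):
    """Return True when the event satisfies 'selection and not filter'."""
    try:
        event_id = int(event.get("EventID", -1))
    except (TypeError, ValueError):
        return False
    if event.get("Channel") != CHANNEL or event_id != EVENT_ID:
        return False
    # The filter section: drop the boot volume unless the caller opts out.
    if exclude_boot_volume and _is_true(event.get("IsBootVolume")):
        return False
    return True


def run(events, exclude_boot_volume=True):
    """Return the volume names of matching events, preserving log order."""
    return [e.get("VolumeName") for e in events
            if matches(e, exclude_boot_volume)]
```

Running with `exclude_boot_volume=False` reports the boot volume too, which is the more exhaustive but noisier option discussed above.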