(YARA) YARA_HDDInfo
rule HDDInfo_rule
{
meta:
description = "Detect DeviceIoControl call with Io Control Code SMART_RCV_DRIVE_DATA (0x7C088)"
author = "Nicola Bottura"
date = "2024-02-17"
reference = "https://nicolabottura.github.io/HDDInfo-Evasion-PoC.html"
hash = "aa202ae4d12e03887bb81c3a9129f44c464f54c790990494885d29bcde0ef4c1"
strings:
$api = "DeviceIoControl" nocase wide ascii
$ioctl = { 88 C0 07 }
condition:
all of ($*)
}
Associated Techniques
| Technique Name | Technique ID's | Snippet(s) | OS |
|---|---|---|---|
| Retrieve HDD Information | U1343 |
Matching Samples 10 most recent
| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| Microsoft Store.exe | 4 | 2024-11-23 | 4 weeks ago |
| 765edfc0c20fa35b84f7b36bf280...87d29cdf96ac9712ee6e05f59056 | 6 | 2024-11-19 | 1 month ago |
| 23b1971659b16e186f9e1b36d8bc...e512b346e78f77dc314503aac59a | 13 | 2024-11-19 | 1 month ago |
Created
March 20, 2024
Last Revised
March 20, 2024