Engage Goals: EGO0002 Affect
Engage Approach: EAP0005 Disrupt
Engage Actions: EAC0003 System Activity Monitoring, EAC0014 Software Manipulation
Name of Element: Deceptive File System Filter Driver
Description of Element:
Goal: Disrupt malware operation by manipulating file system operations.
Approach: Intercept and alter file system requests.
This element installs a file system filter driver that intercepts file system requests and can modify or redirect them. This can be used to prevent malware from accessing sensitive files, executing malicious code, or persisting on the system.
Technical Context:
This element operates at the kernel level, providing a high level of control over file system operations. It can be used to create deceptive files, directories, or even entire drives.
Other:
This element can be highly effective against a wide range of malware that interacts with the file system, including ransomware, spyware, and fileless malware. It aligns with the MITRE ATT&CK technique T1005 (Data from Local System).