Check DriveSize

Hunt Hypothesis

Adversaries may use large drive sizes to mask malicious activity or exfiltrate data, indicating potential data persistence or command and control operations. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify covert data movement or long-term persistence tactics.

YARA Rule

rule Check_DriveSize
{
	meta:
		Author = "Nick Hoffman"
		Description = "Rule tries to catch uses of DeviceIOControl being used to get the drive size"
		Sample = "de1af0e97e94859d372be7fcf3a5daa5"

	strings:
		$physicaldrive = "\\\\.\\PhysicalDrive0" wide ascii nocase
		$dwIoControlCode = {68 5c 40 07 00 [0-5] FF 15} //push 7405ch ; push esi (handle) then call deviceoiocontrol IOCTL_DISK_GET_LENGTH_INFO
	condition:
		pe.imports("kernel32.dll","CreateFileA") and
		pe.imports("kernel32.dll","DeviceIoControl") and
		$dwIoControlCode and
		$physicaldrive
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 2 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: System Restore Point Creation
  Description: When a system restore point is created using System File Checker (SFC) or System Restore tools, it may temporarily increase disk usage, triggering the Check_DriveSize rule.
  Filter/Exclusion: Exclude processes related to sfc.exe or rsop.msc (System Restore settings).

• Scenario: Antivirus Full System Scan
  Description: A full system scan by an antivirus tool like Malwarebytes, Bitdefender, or Kaspersky can temporarily increase disk I/O and usage, leading to a false positive.
  Filter/Exclusion: Exclude processes associated with known antivirus tools (e.g., mbam.exe, bdss.exe, kavsvc.exe).

• Scenario: Windows Update or Patch Deployment
  Description: During a Windows Update or Group Policy Update (GPUpdate), temporary files and logs may be created, increasing disk space usage.
  Filter/Exclusion: Exclude processes related to wuauclt.exe, gpupdate.exe, or dism.exe.

• Scenario: Backup Job Execution
  Description: A scheduled backup job using Veeam, Acronis, or Windows Backup may temporarily use significant disk space.
  Filter/Exclusion: Exclude processes associated with backup tools (e.g., veeam.exe, acronisbackup.exe, or wbadmin.exe).

• Scenario: Temporary File Cleanup or Disk Usage Monitoring Tool
  Description: Tools like Disk Usage Analyzer (DU), TreeSize, or WinDirStat may be used to monitor or clean up disk space, which could trigger the rule.
  Filter/Exclusion: Exclude processes related to disk analysis tools (e.g., `