Earlier this year, Mark Russinovich released an update to Sysmon that includes a feature I developed: raw access read detection.
The premise of raw access reads in malicious toolkits is to side-step security protection mechanisms such as share permissions or auditing. Note, however, that per the documentation on CreateFile, a raw access read requires local administrator rights on the machine, so it is not necessarily a bypass of NTFS permissions on a workstation or server: a local administrator can already adjust those permissions.
Background
The work on this detection feature started weeks prior to release, when I first heard about raw access reads being used in malicious tools for data exfiltration. While I had read about the harmful ways this technique could be used, I hadn't seen much discussion of how to detect this type of behavior. After some thought, I set off to write a file system minifilter driver to detect attempts to open a volume or disk for raw access. The proof of concept I created was effective at demonstrating the detection concept. However, I thought it would be great if this were something customers could use immediately (my proof of concept, while functional, still left much to be desired before I would consider it ready for public consumption).
Around this same time, I had been looking into the capabilities Sysmon offers for monitoring system activity. I was intrigued by features such as generating hashes for process creation events, as well as the remote thread creation logic. I decided to reach out to Mark to ask whether he would consider adding this to Sysmon (I had heard in a Channel9 video that Sysmon uses a minifilter driver, so I thought it wouldn't be difficult to integrate my detection logic). After an email exchange with Mark, he agreed this would make a good addition, and we moved forward to integrate it into Sysmon. Not too long after integration and testing, the Sysmon update was released with raw access read detection.
Side Note
One small detail to be aware of with this feature is that there are legitimate tools that use raw access reads (the Windows operating system supports this capability for such purposes). Therefore, I have found it helpful to use a Sysmon configuration XML to filter out some of the expected, non-anomalous activity.
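As an added illustration (not a configuration from this post or shipped with Sysmon), the fragment below shows the shape of such a filter. Raw access read events are filtered under the RawAccessRead element of the Sysmon configuration, and the rule logic is simple: with onmatch="exclude", any event that matches a listed rule is dropped and everything else is logged, so the exclusions should name only processes you have baselined as legitimate raw readers on your own systems. The schemaversion value and the excluded image paths are assumptions chosen for the example; confirm the schema your installed build expects with sysmon -s and replace the paths with the ones your own baseline turns up.

```xml
<!-- Added example, not from the original post. schemaversion is an assumption;
     run "sysmon -s" to print the schema of the installed build. -->
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <!-- Event ID 9 (RawAccessRead): log every raw volume/disk read EXCEPT
         the ones matched below. Match on full image paths rather than bare
         file names, so a tool copied elsewhere under the same name is still logged. -->
    <RawAccessRead onmatch="exclude">
      <!-- Illustrative exclusions (assumed): system components that routinely
           open volumes raw, e.g. for Volume Shadow Copy and WMI storage queries.
           Replace with the processes observed in your own environment. -->
      <Image condition="is">C:\Windows\System32\svchost.exe</Image>
      <Image condition="is">C:\Windows\System32\vssvc.exe</Image>
      <Image condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</Image>
    </RawAccessRead>
  </EventFiltering>
</Sysmon>
```

Apply it with Sysmon.exe -c sysmon-config.xml on an existing installation (or Sysmon.exe -accepteula -i sysmon-config.xml on a fresh one) and review the remaining Event ID 9 entries in the Microsoft-Windows-Sysmon/Operational log; each one carries the Image and Device fields, so an unexpected process opening \Device\HarddiskVolume1 or a physical drive stands out immediately. Keep the exclusion list short: every image you exclude is a process whose raw reads you will never see again, so prefer exact full-path matches and revisit the list whenever the baseline changes.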
Read More
See the Sysmon page on TechNet to learn more and download the tool.
The Channel9 video with Mark Russinovich, Thomas Garnier, and Andrew Richards covers some excellent background on the development of Sysmon.