Decode VolumeDeviceCharacteristics Bitmask
The query decodes the VolumeDeviceCharacteristics bitfield to reveal device properties such as removable media, network drives, virtual volumes, or portable devices.
Tags: EDR hunting, FDR, intermediate. By CrowdStrike (cql-hub.com). 1 min read
Query
| bitfield:extractFlags(
field=VolumeDeviceCharacteristics,
output=[
[0,FILE_REMOVABLE_MEDIA],
[1,FILE_READ_ONLY_DEVICE],
[2,FILE_FLOPPY_DISKETTE],
[3,FILE_WRITE_ONCE_MEDIA],
[4,FILE_REMOTE_DEVICE],
[5,FILE_DEVICE_IS_MOUNTED],
[6,FILE_VIRTUAL_VOLUME],
[7,FILE_AUTOGENERATED_DEVICE_NAME],
[8,FILE_DEVICE_SECURE_OPEN],
[9,FILE_CHARACTERISTIC_PNP_DEVICE],
[10,FILE_CHARACTERISTIC_TS_DEVICE],
[11,FILE_CHARACTERISTIC_WEBDAV_DEVICE],
[12,FILE_CHARACTERISTIC_CSV],
[13,FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL],
[14,FILE_PORTABLE_DEVICE]
])
Explanation
Imported from cql-hub.com. Add an explanation of the pipes here.
Variables to adjust
Review and adjust the values to suit your environment.