Unusual direct disk access attempts (e.g., use of `\\.\PhysicalDrive` notation), abnormal writes to MBR/boot sectors, and installation of kernel drivers that grant raw disk access. Correlate anomalous process creation with disk modification attempts and driver loads.

| Data Component | Name | Channel |
|---|---|---|
| User Account Metadata (DC0013) | WinEventLog:Security | EventCode=4673 |
| Drive Modification (DC0046) | WinEventLog:Sysmon | Raw disk write access via \\.\PhysicalDrive* or \\.\C: |
| Driver Load (DC0079) | WinEventLog:Sysmon | EventCode=6 |

| Field | Description |
|---|---|
| ProcessWhitelist | Legitimate disk imaging or backup tools may trigger raw disk access — must be excluded per environment. |
| TimeWindow | Correlate disk access, driver load, and process execution within a short timeframe to minimize false positives. |

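
The correlation the Windows rows describe, as an added example rather than detection content from this page: each raw device access is checked against process creation for the same ProcessGuid and against driver loads on the same host inside a tunable TimeWindow, and a ProcessWhitelist removes approved imaging tools. The events, hostnames, file paths and ProcessGuid values are constructed, and the field names only loosely follow Sysmon.

```python
"""Added example for the Windows strategy: correlate raw disk access with process creation and
driver loads on the same host inside TimeWindow, skipping ProcessWhitelist entries.
Events, paths and ProcessGuid values are constructed; field names loosely follow Sysmon."""
import re
from datetime import datetime, timedelta

# \\.\PhysicalDriveN and \\.\C: device paths give raw access to a whole disk or a volume.
RAW_DEVICE_RE = re.compile(r"^\\\\\.\\(?:PhysicalDrive\d+|[A-Za-z]:)$")

# ProcessWhitelist tuning: constructed placeholder path for an approved imaging/backup tool.
PROCESS_WHITELIST = {r"c:\tools\backup_agent.exe"}
TIME_WINDOW = timedelta(minutes=5)


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed, already-normalized events (not a real Sysmon export).
EVENTS = [
    {"t": ts("2024-05-01 10:00:00"), "host": "ws01", "kind": "ProcessCreate",
     "Image": r"C:\Users\bob\AppData\Local\Temp\upd.exe", "ProcessGuid": "{A1}"},
    {"t": ts("2024-05-01 10:00:20"), "host": "ws01", "kind": "DriverLoad",
     "ImageLoaded": r"C:\Windows\Temp\rawdsk.sys"},
    {"t": ts("2024-05-01 10:00:45"), "host": "ws01", "kind": "RawDiskAccess",
     "Image": r"C:\Users\bob\AppData\Local\Temp\upd.exe", "ProcessGuid": "{A1}",
     "Device": r"\\.\PhysicalDrive0"},
    {"t": ts("2024-05-01 14:00:00"), "host": "ws02", "kind": "ProcessCreate",
     "Image": r"C:\Tools\backup_agent.exe", "ProcessGuid": "{B2}"},
    {"t": ts("2024-05-01 14:00:05"), "host": "ws02", "kind": "RawDiskAccess",
     "Image": r"C:\Tools\backup_agent.exe", "ProcessGuid": "{B2}", "Device": r"\\.\C:"},
    {"t": ts("2024-05-01 15:00:00"), "host": "ws03", "kind": "RawDiskAccess",
     "Image": r"C:\Windows\System32\svchost.exe", "ProcessGuid": "{C3}",
     "Device": r"\\.\PIPE\updates"},   # a named pipe, not a raw disk: must not alert
]


def correlate(events, whitelist=PROCESS_WHITELIST, window=TIME_WINDOW):
    """One alert per non-whitelisted raw device access, enriched with in-window context."""
    alerts = []
    for ev in events:
        if ev["kind"] != "RawDiskAccess" or not RAW_DEVICE_RE.match(ev["Device"]):
            continue
        if ev["Image"].lower() in whitelist:
            continue
        lo = ev["t"] - window
        context = [e for e in events if e["host"] == ev["host"] and lo <= e["t"] <= ev["t"]]
        created = any(e["kind"] == "ProcessCreate" and e["ProcessGuid"] == ev["ProcessGuid"]
                      for e in context)
        drivers = [e["ImageLoaded"] for e in context if e["kind"] == "DriverLoad"]
        alerts.append({
            "host": ev["host"], "image": ev["Image"], "device": ev["Device"],
            "process_created_in_window": created,
            "drivers_loaded": drivers,
            # A driver load plus raw disk access inside the window is the high-confidence pairing.
            "severity": "high" if drivers else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

With the constructed events only ws01 alerts: the backup agent on ws02 is whitelisted and the ws03 access targets a named pipe, not a disk. Dropping the whitelist surfaces ws02 at medium severity because no driver load accompanies it.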
Processes invoking destructive commands (dd, shred, wipe) with raw device targets (e.g., /dev/sda, /dev/nvme0n1). Detect direct writes to disk partitions and abnormal superblock or bootloader modifications. Correlate shell execution with subsequent block device I/O.

| Data Component | Name | Channel |
|---|---|---|
| Drive Access (DC0054) | auditd:SYSCALL | open/write syscalls on /dev/sd* or /dev/nvme* |
| Process Creation (DC0032) | auditd:EXECVE | Execution of dd, shred, wipe targeting block devices |

| Field | Description |
|---|---|
| TargetDevices | Tune to exclude removable drives or test partitions commonly written by administrators. |
| EntropyThreshold | Detects large blocks of pseudorandom data being written; may need tuning for backup/crypto workloads. |

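
An added example (not code from this page) for the Linux rows: argv is rebuilt from auditd EXECVE records, dd/shred/wipe invocations are matched against the block-device names the strategy lists with the TargetDevices exclusion applied, and a Shannon entropy function implements the EntropyThreshold check on a written buffer. The audit lines keep the real EXECVE field layout but their timestamps, serials and the `/dev/sdz` exclusion are constructed.

```python
"""Added example for the Linux strategy: auditd EXECVE parsing, block-device target matching,
and an entropy check on written data. Log lines and tuning values are constructed."""
import math
import re
from collections import Counter

DESTRUCTIVE_TOOLS = {"dd", "shred", "wipe"}
# Whole-disk or partition nodes named in the strategy (/dev/sd*, /dev/nvme*).
BLOCK_DEVICE_RE = re.compile(r"^/dev/(?:sd[a-z]+\d*|nvme\d+n\d+(?:p\d+)?)$")
# TargetDevices tuning: constructed test disk that administrators rewrite routinely.
EXCLUDED_DEVICES = {"/dev/sdz"}
# EntropyThreshold tuning: bits per byte; 8.0 is the ceiling reached by uniformly random bytes.
ENTROPY_THRESHOLD = 7.5

ARG_RE = re.compile(r'\b(a\d+)="([^"]*)"')


def parse_execve(line):
    """Rebuild argv from an auditd EXECVE record (fields a0="..." a1="..." in order)."""
    if "type=EXECVE" not in line:
        return None
    fields = dict(ARG_RE.findall(line))
    return [fields[k] for k in sorted(fields, key=lambda k: int(k[1:]))]


def destructive_targets(argv):
    """Return the monitored block devices argv would overwrite, or [] if it is not destructive."""
    if not argv:
        return []
    tool = argv[0].rsplit("/", 1)[-1]
    if tool not in DESTRUCTIVE_TOOLS:
        return []
    targets = []
    for arg in argv[1:]:
        if tool == "dd":
            if not arg.startswith("of="):   # dd only writes to its of= operand; if= is a read
                continue
            arg = arg[3:]
        if BLOCK_DEVICE_RE.match(arg) and not any(arg.startswith(x) for x in EXCLUDED_DEVICES):
            targets.append(arg)
    return targets


def scan_audit_log(lines):
    """(tool, device) hits for every EXECVE record that writes to a monitored block device."""
    hits = []
    for line in lines:
        argv = parse_execve(line)
        if argv:
            for dev in destructive_targets(argv):
                hits.append((argv[0].rsplit("/", 1)[-1], dev))
    return hits


def shannon_entropy(data):
    """Bits of entropy per byte: pseudorandom wipe patterns approach 8.0, zero-fills give 0.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_random(data, threshold=ENTROPY_THRESHOLD):
    return shannon_entropy(data) >= threshold


# Constructed auditd lines in the real EXECVE/SYSCALL layout (timestamps and serials invented).
SAMPLE_AUDIT = [
    'type=EXECVE msg=audit(1714557600.101:4321): argc=4 a0="dd" a1="if=/dev/zero" a2="of=/dev/sda" a3="bs=1M"',
    'type=EXECVE msg=audit(1714557601.202:4322): argc=3 a0="/usr/bin/shred" a1="-n1" a2="/dev/nvme0n1p2"',
    'type=EXECVE msg=audit(1714557602.303:4323): argc=3 a0="dd" a1="if=/dev/sda" a2="of=/tmp/disk.img"',
    'type=EXECVE msg=audit(1714557603.404:4324): argc=2 a0="shred" a1="/dev/sdz1"',
    'type=SYSCALL msg=audit(1714557600.101:4321): arch=c000003e syscall=59 success=yes exit=0 comm="dd"',
]

if __name__ == "__main__":
    print(scan_audit_log(SAMPLE_AUDIT))
    print(shannon_entropy(bytes(range(256)) * 4), shannon_entropy(b"\x00" * 4096))
```

The third sample line images a disk to a file (a read of `/dev/sda`), so it is deliberately not a hit; the fourth touches the excluded test disk. In a real pipeline the EXECVE hit would then be joined to the SYSCALL/PATH records carrying the same audit serial to confirm the device was actually opened for writing.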
Abnormal invocation of diskutil, asr, or low-level APIs (IOKit) to erase/partition drives. Correlate process execution with unified log entries showing destructive disk operations.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | diskutil eraseDisk / asr restore with destructive flags |
| Drive Modification (DC0046) | macos:unifiedlog | IOKit disk write calls targeting raw devices |

| Field | Description |
|---|---|
| AdminToolWhitelist | System administrators may legitimately use diskutil/asr for provisioning — whitelist by user or context. |

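
An added example (not this page's own detection content) for the macOS rows: command lines are tokenized so that only destructive diskutil verbs and `asr restore` runs carrying `--erase` are flagged, raw IOKit writes to `/dev/diskN` or `/dev/rdiskN` are treated the same way, and the AdminToolWhitelist is expressed as a (user, parent process) context rather than a bare tool name. The records are constructed stand-ins for normalized unified log entries; the provisioning user and script path are placeholders.

```python
"""Added example for the macOS strategy: flag destructive diskutil/asr invocations and raw IOKit
writes in constructed records, then apply an AdminToolWhitelist keyed on user and parent process."""
import re
import shlex

# diskutil verbs that destroy data on their target (real diskutil verb names).
DISKUTIL_DESTRUCTIVE = {"eraseDisk", "eraseVolume", "secureErase", "zeroDisk", "randomDisk", "partitionDisk"}
RAW_DISK_RE = re.compile(r"^/dev/r?disk\d+(?:s\d+)?$")

# AdminToolWhitelist: constructed provisioning context (user, parent process) allowed to erase disks.
ADMIN_WHITELIST = {
    ("it-provision", "/usr/local/bin/provision-mac.sh"),   # placeholder, not a real path
}


def destructive_command(cmdline):
    """Return (action, target) when cmdline erases or re-images a disk, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv:
        return None
    tool = argv[0].rsplit("/", 1)[-1]
    if tool == "diskutil" and len(argv) >= 2 and argv[1] in DISKUTIL_DESTRUCTIVE:
        return ("diskutil " + argv[1], argv[-1])        # diskutil takes the device last
    if tool == "asr" and len(argv) >= 2 and argv[1] == "restore" and "--erase" in argv:
        target = "?"
        if "--target" in argv:
            i = argv.index("--target")
            if i + 1 < len(argv):
                target = argv[i + 1]
        return ("asr restore --erase", target)
    return None


def evaluate(records, whitelist=ADMIN_WHITELIST):
    """Alerts for destructive exec or IOKit-write records outside the whitelisted context."""
    alerts = []
    for r in records:
        if r["kind"] == "exec":
            hit = destructive_command(r["cmdline"])
        elif r["kind"] == "iokit_write" and RAW_DISK_RE.match(r["device"]):
            hit = ("IOKit raw write", r["device"])
        else:
            hit = None
        if hit is None or (r["user"], r["parent"]) in whitelist:
            continue
        alerts.append({"ts": r["ts"], "user": r["user"], "action": hit[0], "target": hit[1]})
    return alerts


# Constructed records; a deployment would derive them from unified log and process telemetry.
SAMPLE_RECORDS = [
    {"ts": "2024-05-01 09:00:01", "kind": "exec", "user": "jdoe", "parent": "/bin/zsh",
     "cmdline": "diskutil eraseDisk JHFS+ Untitled disk2"},
    {"ts": "2024-05-01 09:05:00", "kind": "exec", "user": "jdoe", "parent": "/bin/zsh",
     "cmdline": "diskutil list"},                          # read-only, must not alert
    {"ts": "2024-05-01 09:10:00", "kind": "exec", "user": "it-provision",
     "parent": "/usr/local/bin/provision-mac.sh",
     "cmdline": "/usr/sbin/asr restore --source /Volumes/Images/base.dmg --target /dev/disk3 --erase"},
    {"ts": "2024-05-01 09:12:00", "kind": "exec", "user": "jdoe", "parent": "/bin/zsh",
     "cmdline": "/usr/sbin/asr restore --source /tmp/x.dmg --target /dev/disk0 --erase --noprompt"},
    {"ts": "2024-05-01 09:20:00", "kind": "iokit_write", "user": "jdoe", "parent": "/tmp/payload",
     "device": "/dev/rdisk0"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_RECORDS):
        print(alert)
```

Whitelisting on the (user, parent) pair rather than on `asr` itself is what lets the provisioning run on disk3 pass while the same tool, same flags, launched from an interactive shell against disk0 still alerts.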
Execution of destructive CLI commands such as 'erase startup-config', 'erase flash:' or 'format disk' on routers/switches. Detect privilege level escalation preceding destructive commands.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | networkdevice:cli | erase flash:, erase startup-config, format disk |
| User Account Authentication (DC0002) | networkdevice:syslog | User privilege escalation to level 15/root prior to destructive commands |

| Field | Description |
|---|---|
| PrivilegedUsers | Tune to exclude approved maintenance sessions by known administrators. |
| CommandPatterns | Adjust monitored destructive command list depending on device vendor and OS. |
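
An added example (not this page's own content) of the network-device logic: CommandPatterns is a per-vendor table seeded with the Cisco IOS commands the strategy names, the PrivilegedUsers exclusion drops approved maintenance accounts, and a per-session state table records the most recent privilege escalation so a destructive command shortly after a climb to level 15 is rated higher than one seen on its own. The device names, users, sessions and timestamps are constructed; a deployment would first normalize vendor syslog into records of this shape.

```python
"""Added example for the network-device strategy: rate destructive CLI commands higher when a
privilege escalation preceded them in the same session. All records are constructed."""
import re
from datetime import datetime, timedelta

# CommandPatterns tuning: Cisco IOS entries come from the strategy; add other vendors per environment.
COMMAND_PATTERNS = {
    "cisco_ios": [r"^erase\s+startup-config\b", r"^erase\s+flash:", r"^format\s+\S+"],
}
ESCALATION_WINDOW = timedelta(minutes=10)
# PrivilegedUsers tuning: constructed account used for approved maintenance sessions.
PRIVILEGED_USERS = {"netops-maint"}
MAX_PRIV_LEVEL = 15   # Cisco privilege level 15 (enable); the strategy also names root on other OSes


def is_destructive(vendor, command):
    cmd = command.strip().lower()
    return any(re.match(p, cmd) for p in COMMAND_PATTERNS.get(vendor, []))


def detect(records, window=ESCALATION_WINDOW, approved=PRIVILEGED_USERS):
    """records: dicts with ts, device, vendor, user, session, kind ('priv'|'cmd'), level|command."""
    last_priv = {}   # (device, session) -> (ts, level) of the latest escalation seen
    alerts = []
    for r in sorted(records, key=lambda x: x["ts"]):
        key = (r["device"], r["session"])
        if r["kind"] == "priv":
            last_priv[key] = (r["ts"], r["level"])
            continue
        if not is_destructive(r["vendor"], r["command"]) or r["user"] in approved:
            continue
        esc = last_priv.get(key)
        escalated = (esc is not None and esc[1] >= MAX_PRIV_LEVEL
                     and timedelta(0) <= r["ts"] - esc[0] <= window)
        alerts.append({
            "device": r["device"], "user": r["user"], "command": r["command"],
            "escalated_to": esc[1] if escalated else None,
            "severity": "high" if escalated else "medium",
        })
    return alerts


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


SAMPLE = [
    {"ts": ts("2024-05-01 02:00:00"), "device": "core-sw1", "vendor": "cisco_ios", "user": "bob",
     "session": "vty0", "kind": "priv", "level": 15},
    {"ts": ts("2024-05-01 02:03:10"), "device": "core-sw1", "vendor": "cisco_ios", "user": "bob",
     "session": "vty0", "kind": "cmd", "command": "erase startup-config"},
    {"ts": ts("2024-05-01 02:03:30"), "device": "core-sw1", "vendor": "cisco_ios", "user": "bob",
     "session": "vty0", "kind": "cmd", "command": "show running-config"},
    {"ts": ts("2024-05-01 03:00:00"), "device": "edge-rtr2", "vendor": "cisco_ios",
     "user": "netops-maint", "session": "vty1", "kind": "priv", "level": 15},
    {"ts": ts("2024-05-01 03:00:20"), "device": "edge-rtr2", "vendor": "cisco_ios",
     "user": "netops-maint", "session": "vty1", "kind": "cmd", "command": "format flash:"},
    {"ts": ts("2024-05-01 04:00:00"), "device": "core-sw1", "vendor": "cisco_ios", "user": "carol",
     "session": "vty2", "kind": "cmd", "command": "erase flash:"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Keying the escalation state on (device, session) rather than on the user is deliberate: it ties the privilege change to the exact terminal line that later issued the command, so an escalation on one vty does not inflate the score of an unrelated session.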