Processes attempting raw disk access to overwrite sensitive structures such as the MBR or partition table using `\\.\PhysicalDrive` notation. Detection relies on correlating process creation, privilege escalation, and raw sector writes in Sysmon and Security logs.

| Data Component | Name | Channel |
|---|---|---|
| User Account Metadata (DC0013) | WinEventLog:Security | EventCode=4673 |
| Drive Modification (DC0046) | WinEventLog:Sysmon | Raw write attempts targeting `\\.\PhysicalDrive0` or sector 0 (MBR/partition table) |
| Driver Load (DC0079) | WinEventLog:Sysmon | EventCode=6 |

| Field | Description |
|---|---|
| SectorRange | Specify which sectors are considered critical (MBR, partition table) to reduce noise. |
| ProcessWhitelist | Exclude legitimate low-level disk management or imaging tools used by administrators. |
Execution of utilities (dd, hdparm, sgdisk) or custom binaries attempting to overwrite disk boot structures (/dev/sda MBR sector or partition tables). Detection correlates shell execution with syscalls writing to sector 0 or disk metadata blocks.

| Data Component | Name | Channel |
|---|---|---|
| Drive Access (DC0054) | auditd:SYSCALL | write syscalls to /dev/sd* targeting offset 0 |
| Process Creation (DC0032) | auditd:EXECVE | Execution of dd/sgdisk with arguments writing to sector 0 or partition table |

| Field | Description |
|---|---|
| TargetDevices | Define specific device paths to monitor (e.g., /dev/sda, /dev/nvme0n1). |
| OffsetThreshold | Focus on suspicious writes at disk offsets corresponding to MBR/partition structures. |
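The Linux EXECVE analytic above, worked through as an added example (not part of the original page or any ATT&CK tooling): it parses constructed auditd EXECVE records, resolves dd's `of=`/`seek=`/`bs=` operands into a byte offset on the target device, recognises sgdisk's table-wiping switches, and applies the TargetDevices and OffsetThreshold tunables. The sample records, device list and 34-sector threshold are assumptions chosen for illustration.

```python
import re

# Analytic tunables (TargetDevices / OffsetThreshold): 34 sectors covers the MBR
# (LBA 0), the GPT header (LBA 1) and the primary partition entries (LBA 2-33).
TARGET_DEVICES = ("/dev/sda", "/dev/nvme0n1")
OFFSET_THRESHOLD = 34 * 512

# Constructed auditd EXECVE records for illustration, not real captures.
SAMPLE_EXECVE = [
    'type=EXECVE msg=audit(1700000000.101:201): argc=5 a0="dd" a1="if=/dev/zero" a2="of=/dev/sda" a3="bs=512" a4="count=1"',
    'type=EXECVE msg=audit(1700000000.102:202): argc=3 a0="sgdisk" a1="--zap-all" a2="/dev/nvme0n1"',
    'type=EXECVE msg=audit(1700000000.103:203): argc=5 a0="dd" a1="if=/dev/zero" a2="of=/dev/sda" a3="bs=1M" a4="seek=1024"',
    'type=EXECVE msg=audit(1700000000.104:204): argc=3 a0="dd" a1="if=/dev/sda" a2="of=/tmp/mbr.bin"',
]

_ARG_RE = re.compile(r'\ba\d+="([^"]*)"')
_SUFFIX = {"": 1, "c": 1, "w": 2, "b": 512, "k": 1024, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
_SGDISK_WIPE = {"-z", "--zap", "-Z", "--zap-all", "-o", "--clear"}

def parse_execve(line):
    """Return argv from an EXECVE record (quoted a0..aN form; hex-encoded args not handled here)."""
    return _ARG_RE.findall(line)

def dd_size(value):
    """Decode a dd size operand such as 512, 1M or 8b into bytes."""
    m = re.fullmatch(r"(\d+)([cwbkKMG]?)", value)
    return int(m.group(1)) * _SUFFIX[m.group(2)] if m else 0

def classify(line, devices=TARGET_DEVICES, threshold=OFFSET_THRESHOLD):
    """Return a reason string when argv writes into critical disk metadata, else None."""
    argv = parse_execve(line)
    tool = argv[0].rsplit("/", 1)[-1] if argv else ""
    if tool == "dd":
        opts = dict(a.split("=", 1) for a in argv[1:] if "=" in a)
        target = opts.get("of", "")
        if target not in devices:
            return None  # reading a device or writing to a file is not a wipe
        # Output offset is seek * output block size; bs sets both ibs and obs.
        offset = dd_size(opts.get("seek", "0")) * dd_size(opts.get("obs", opts.get("bs", "512")))
        return f"dd write to {target} at byte offset {offset}" if offset < threshold else None
    if tool == "sgdisk" and _SGDISK_WIPE.intersection(argv[1:]):
        target = next((a for a in argv[1:] if a in devices), None)
        return f"sgdisk partition table wipe on {target}" if target else None
    return None

def scan(lines):
    """Return (audit id, reason) for every record classify flags."""
    hits = ((re.search(r"audit\((\S+)\):", l).group(1), classify(l)) for l in lines)
    return [h for h in hits if h[1]]
```

Writes landing past the threshold (the third record) and reads of the device into a file (the fourth) are left alone, which is the noise reduction OffsetThreshold is meant to give; hdparm and vendor secure-erase paths would need their own operand rules.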
Abnormal invocation of diskutil or asr that modifies partition tables or initializes raw devices. Monitor for IOKit system calls targeting disk headers or EFI boot sectors, correlated with elevated privileges.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | diskutil partitionDisk or eraseVolume with partition scheme modifications |
| Drive Modification (DC0046) | macos:unifiedlog | IOKit raw disk write to EFI/boot partition sectors |

| Field | Description |
|---|---|
| AdminToolWhitelist | System provisioning workflows may legitimately re-partition disks; whitelist by context. |
Execution of destructive CLI commands such as `format flash:`, `format disk`, or equivalent vendor-specific commands that erase filesystem structures. Detection correlates AAA logs showing privileged access with immediate format/erase commands.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | networkdevice:cli | `format flash:`, `format disk`, reformat commands |
| User Account Authentication (DC0002) | networkdevice:syslog | Privileged login followed by destructive format command |

| Field | Description |
|---|---|
| CommandPatterns | Expand detection to cover vendor-specific destructive commands. |
| PrivilegedUsers | Whitelist authorized maintenance sessions to reduce false positives. |