Processes attempting raw disk access via `\\.\PhysicalDrive*` paths, abnormal file I/O to MBR/boot sectors, or loading of third-party drivers (e.g., RawDisk) that enable disk overwrite. Correlate process creation, privilege usage, and disk modification events within a short time window.
| Data Component | Name | Channel |
|---|---|---|
| User Account Metadata (DC0013) | WinEventLog:Security | EventCode=4673 |
| Drive Modification (DC0046) | WinEventLog:Sysmon | Raw disk writes targeting \\.\PhysicalDrive* or MBR locations |
| Driver Load (DC0079) | WinEventLog:Sysmon | EventCode=6 |
| Field | Description |
|---|---|
| ProcessWhitelist | Backup, forensics, or imaging tools may perform legitimate raw disk access — requires tuning per environment. |
| TimeWindow | Correlation threshold for process execution, driver load, and raw disk writes. |
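As an added example (not part of the original analytic, and not ATT&CK's own code), the correlation described above written in Python over constructed, already-normalized events: a raw write to `\\.\PhysicalDrive*` is flagged when the same image used a privileged service (Security 4673) or any driver was loaded (Sysmon 6) within `TimeWindow` beforehand, unless the image is in `ProcessWhitelist`. The `Event` field names, the whitelisted backup path and the driver path are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Tunables from the analytic; the whitelist value is a constructed sample path.
PROCESS_WHITELIST = {r"c:\program files\acmebackup\backup.exe"}
TIME_WINDOW = timedelta(seconds=60)
RAW_TARGET = re.compile(r"^\\\\\.\\physicaldrive\d+$", re.IGNORECASE)

@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str             # "priv_use" (Security 4673), "driver_load" (Sysmon 6), "raw_write"
    image: Optional[str]  # process image; None for driver loads (Sysmon 6 carries no loading process)
    target: str = ""      # device path for raw_write, driver path for driver_load

@dataclass(frozen=True)
class Alert:
    image: str
    ts: datetime
    evidence: Tuple[str, ...]

def correlate(events: List[Event], window: timedelta = TIME_WINDOW,
              whitelist=PROCESS_WHITELIST) -> List[Alert]:
    """Flag raw PhysicalDrive writes preceded, within `window`, by privilege use
    from the same image or by a driver load (e.g. a RawDisk-style driver)."""
    ordered = sorted(events, key=lambda e: e.ts)
    alerts: List[Alert] = []
    for i, e in enumerate(ordered):
        if e.kind != "raw_write" or not RAW_TARGET.match(e.target):
            continue
        if e.image is None or e.image.lower() in whitelist:
            continue  # ProcessWhitelist: approved backup/imaging tooling
        evidence = []
        for prior in ordered[:i]:  # sorted, so prior.ts <= e.ts
            if e.ts - prior.ts > window:
                continue
            if prior.kind == "priv_use" and prior.image == e.image:
                evidence.append(f"4673 by {prior.image}")
            elif prior.kind == "driver_load":
                evidence.append(f"driver load {prior.target}")
        if evidence:
            alerts.append(Alert(e.image, e.ts, tuple(evidence)))
    return alerts

def sample_events() -> List[Event]:
    """Constructed sample: one suspicious chain, one whitelisted tool, one stale 4673."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    return [
        Event(t0, "priv_use", r"C:\Users\bob\wiper.exe"),
        Event(t0 + timedelta(seconds=5), "driver_load", None, r"C:\Windows\Temp\rawdisk.sys"),
        Event(t0 + timedelta(seconds=20), "raw_write", r"C:\Users\bob\wiper.exe", r"\\.\PhysicalDrive0"),
        Event(t0 + timedelta(minutes=5), "priv_use", r"C:\Program Files\AcmeBackup\backup.exe"),
        Event(t0 + timedelta(minutes=5, seconds=3), "raw_write",
              r"C:\Program Files\AcmeBackup\backup.exe", r"\\.\PhysicalDrive0"),
        Event(t0 + timedelta(minutes=20), "raw_write", r"C:\Windows\notepad.exe", r"\\.\PhysicalDrive1"),
    ]
```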
Execution of destructive utilities (dd, shred, wipe) targeting block devices, or processes invoking syscalls to directly overwrite `/dev/sd*` or `/dev/nvme*` partitions. Correlate abnormal file write attempts with shell process execution and block device access.
| Data Component | Name | Channel |
|---|---|---|
| Drive Access (DC0054) | auditd:SYSCALL | open/write syscalls to block devices (/dev/sd*, /dev/nvme*) |
| Process Creation (DC0032) | auditd:EXECVE | Execution of dd, shred, or wipe with arguments targeting block devices |
| Field | Description |
|---|---|
| TargetDevices | Exclude removable drives or designated partitions that may be overwritten during maintenance. |
| EntropyThreshold | Tune detection for pseudorandom write patterns to reduce false positives during high-volume I/O. |
Abnormal invocation of diskutil or asr with destructive flags (eraseDisk, zeroDisk), or low-level IOKit calls that overwrite raw disk content. Detect correlation between elevated process execution and disk erase operations.
| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | diskutil eraseDisk/zeroDisk or asr restore with destructive flags |
| Drive Modification (DC0046) | macos:unifiedlog | IOKit raw disk write activity targeting physical devices |
| Field | Description |
|---|---|
| AdminToolWhitelist | Provisioning workflows may legitimately use diskutil/asr — whitelist by user or system context. |
Execution of CLI commands erasing file systems or storage (erase flash:, format disk, erase nvram:). Detect authentication events followed by destructive commands within the same privileged session.
| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | networkdevice:cli | erase flash:, erase nvram:, format disk |
| User Account Authentication (DC0002) | networkdevice:syslog | Privileged login followed by destructive command sequence |
| Field | Description |
|---|---|
| PrivilegedUsers | Tune to exclude approved maintenance performed by authorized administrators. |
| CommandPatterns | Expand or narrow destructive command coverage depending on vendor-specific syntax. |