Windows: anomalous creation or mounting of hidden partitions or virtual file systems. Defender view: detect registry modifications that register non-standard file systems or persistent device mappings, suspicious raw disk I/O patterns, and bootkit-like behavior in which hidden volumes are accessed through raw device handles rather than the normal file system APIs.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | WinEventLog:Security | EventCode=4663 (object access; requires a file system SACL) |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |
| Firmware Modification (DC0004) | etw:Microsoft-Windows-Kernel-Storage | Raw disk I/O operations bypassing NTFS APIs |

| Field | Description |
|---|---|
| MonitoredRegistryKeys | Registry paths for mount points and hidden partition configuration (for example HKLM\SYSTEM\MountedDevices). |
| DiskIOThreshold | Threshold for raw disk access by images other than expected drivers and backup or defragmentation tools. |
| TimeWindow | Window for correlating boot-time anomalies with hidden file system mounting activity. |
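The following is an added example, not code from the ATT&CK page, showing how the three Windows tunables (MonitoredRegistryKeys, DiskIOThreshold, TimeWindow) can be applied to events. The flattened event schema, the raw-device-open event type, the expected-image allowlist and the sample events are all constructed assumptions for this example; only the two registry keys are real Windows locations.

```python
"""Added example (not from the ATT&CK page): apply MonitoredRegistryKeys,
DiskIOThreshold and TimeWindow to constructed Windows events.
Event schema, allowlist and sample data are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# MonitoredRegistryKeys: where Windows persists drive-letter and volume mappings.
MONITORED_REGISTRY_KEYS = (
    r"HKLM\SYSTEM\MountedDevices",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices",
)
# Images expected to open raw disk devices (assumed allowlist; tune per estate).
EXPECTED_RAW_DISK_IMAGES = {
    r"c:\windows\system32\vssvc.exe",
    r"c:\windows\system32\defrag.exe",
}
DISK_IO_THRESHOLD = 3              # raw device opens per image within TIME_WINDOW
TIME_WINDOW = timedelta(minutes=5)

# Constructed sample events in a flattened SIEM-style schema (assumed format).
SAMPLE_EVENTS = [
    # benign service registry write outside the monitored keys
    {"Source": "Sysmon", "EventCode": 13, "UtcTime": "2024-05-01T10:00:01",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\MaxCacheTtl"},
    # unknown binary registers a persistent drive letter for a new volume
    {"Source": "Sysmon", "EventCode": 13, "UtcTime": "2024-05-01T10:00:05",
     "Image": r"C:\Users\Public\svc.exe",
     "TargetObject": r"HKLM\SYSTEM\MountedDevices\\DosDevices\Z:"},
    {"Source": "Sysmon", "EventCode": 13, "UtcTime": "2024-05-01T10:00:06",
     "Image": r"C:\Users\Public\svc.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices\Z:"},
    # hypothetical raw device opens from a kernel storage trace; vssvc.exe is expected
    *[{"Source": "Kernel-Storage", "Op": "RawOpen", "UtcTime": f"2024-05-01T10:0{i}:00",
       "Image": r"C:\Windows\System32\vssvc.exe", "Device": r"\\.\PhysicalDrive0"}
      for i in range(1, 6)],
    *[{"Source": "Kernel-Storage", "Op": "RawOpen", "UtcTime": t,
       "Image": r"C:\Users\Public\svc.exe", "Device": r"\\.\PhysicalDrive0"}
      for t in ("2024-05-01T10:01:00", "2024-05-01T10:01:30",
                "2024-05-01T10:02:00", "2024-05-01T10:02:30")],
    # two opens from one image stay below the threshold
    *[{"Source": "Kernel-Storage", "Op": "RawOpen", "UtcTime": t,
       "Image": r"C:\Tools\disk-inspector.exe", "Device": r"\\.\HarddiskVolume3"}
      for t in ("2024-05-01T10:03:00", "2024-05-01T10:03:10")],
]


def registry_findings(events):
    """One finding per Sysmon EventCode=13 write under a monitored key."""
    out = []
    for e in events:
        if e.get("Source") != "Sysmon" or e.get("EventCode") != 13:
            continue
        key = e["TargetObject"]
        if any(key.lower().startswith(k.lower()) for k in MONITORED_REGISTRY_KEYS):
            out.append({"rule": "hidden_volume_registry", "image": e["Image"],
                        "key": key, "time": e["UtcTime"]})
    return out


def raw_disk_findings(events):
    """Count raw device opens per image and alert when an unexpected image
    reaches DISK_IO_THRESHOLD opens inside a sliding TIME_WINDOW."""
    opens = defaultdict(list)
    for e in events:
        if e.get("Op") != "RawOpen":
            continue
        dev = e["Device"].lower()
        if not (dev.startswith(r"\\.\physicaldrive") or dev.startswith(r"\\.\harddiskvolume")):
            continue
        if e["Image"].lower() in EXPECTED_RAW_DISK_IMAGES:
            continue
        opens[e["Image"]].append(datetime.fromisoformat(e["UtcTime"]))
    out = []
    for image, times in opens.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > TIME_WINDOW:
                start += 1
            if end - start + 1 >= DISK_IO_THRESHOLD:
                out.append({"rule": "raw_disk_burst", "image": image,
                            "count": end - start + 1, "time": times[end].isoformat()})
                break   # report the first crossing only
    return out


def run(events):
    """Combined findings for a batch of events."""
    return registry_findings(events) + raw_disk_findings(events)


if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f)
```

The registry rule fires on any write under the monitored keys and leaves suppression of known-good images (for example the Mount Manager itself) to tuning, since a legitimate writer list differs per estate; the raw-disk rule deliberately ignores the expected backup and defragmentation images so that DiskIOThreshold can stay low.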
Linux: unusual mounting of loopback or pseudo file systems not aligned with legitimate administrative activity. Defender view: monitor auditd and syslog for mount and losetup invocations involving suspicious mount points, reserved block ranges, or device mappings indicative of hidden partitions.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | auditd:SYSCALL | mount or losetup commands creating hidden or encrypted file systems |
| Command Execution (DC0064) | linux:syslog | sudo or root escalation followed by file system mount commands |

| Field | Description |
|---|---|
| AllowedMountPoints | Allowlist of standard mount points to reduce false positives. |
| UserContext | Flag root escalation during mount operations (for example an audit uid that differs from the effective uid). |
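As an added example (not part of the ATT&CK page), the detection below parses raw auditd records and applies AllowedMountPoints and UserContext. It assumes watch rules on the mount and losetup binaries (`-w /usr/bin/mount -p x -k hidden_fs`, `-w /usr/sbin/losetup -p x -k hidden_fs`), so each execution produces a SYSCALL record (syscall 59, execve) and an EXECVE record sharing one audit serial. The log lines, the allowlist and the rule names are constructed for this example.

```python
"""Added example (not from the ATT&CK page): parse auditd SYSCALL/EXECVE records for
mount and losetup executions and apply AllowedMountPoints and UserContext.
Assumes audit watch rules on /usr/bin/mount and /usr/sbin/losetup (key hidden_fs).
The audit lines, allowlist and flag names below are constructed for this example."""
import re
from collections import defaultdict

ALLOWED_MOUNT_POINTS = ("/mnt/", "/media/", "/boot/efi")   # assumed allowlist
AUID_UNSET = 4294967295           # auditd value for processes with no login session
MOUNT_OPTS_WITH_VALUE = {"-o", "-t", "-L", "-U", "--options", "--types"}

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log: a sudo user mounting a loop image on a hidden directory,
# a boot-time daemon mounting a normal data volume, and a sudo user attaching a loop device.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1714557600.101:501): arch=c000003e syscall=59 success=yes exit=0 a0=55d1 a1=55d2 a2=55d3 a3=0 items=2 ppid=2300 pid=2310 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="mount" exe="/usr/bin/mount" key="hidden_fs"
type=EXECVE msg=audit(1714557600.101:501): argc=5 a0="mount" a1="-o" a2="loop,ro" a3="/dev/shm/.cache.img" a4="/var/tmp/.x"
type=SYSCALL msg=audit(1714557610.222:502): arch=c000003e syscall=59 success=yes exit=0 a0=55e1 a1=55e2 a2=55e3 a3=0 items=2 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/usr/bin/mount" key="hidden_fs"
type=EXECVE msg=audit(1714557610.222:502): argc=5 a0="mount" a1="-t" a2="ext4" a3="/dev/sdb1" a4="/mnt/data"
type=SYSCALL msg=audit(1714557620.333:503): arch=c000003e syscall=59 success=yes exit=0 a0=55f1 a1=55f2 a2=55f3 a3=0 items=2 ppid=2300 pid=2320 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="losetup" exe="/usr/sbin/losetup" key="hidden_fs"
type=EXECVE msg=audit(1714557620.333:503): argc=4 a0="losetup" a1="-f" a2="--show" a3="/dev/shm/.cache.img"
"""


def parse_audit(text):
    """Group records by audit serial: {serial: {"ts": float, "SYSCALL": {...}, "EXECVE": {...}}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        events[serial]["ts"] = float(ts)
        events[serial][rtype] = dict(FIELD_RE.findall(rest))
    return events


def _strip(v):
    return v[1:-1] if v.startswith('"') else v


def _argv(execve):
    """Rebuild argv; auditd hex-encodes EXECVE arguments that contain special characters."""
    args = []
    for i in range(int(execve["argc"])):
        raw = execve[f"a{i}"]
        args.append(raw[1:-1] if raw.startswith('"') else bytes.fromhex(raw).decode(errors="replace"))
    return args


def mount_target(argv):
    """Last positional argument of a mount command line, i.e. the mount point."""
    positional, skip = [], False
    for a in argv[1:]:
        if skip:
            skip = False
        elif a in MOUNT_OPTS_WITH_VALUE:
            skip = True
        elif not a.startswith("-"):
            positional.append(a)
    return positional[-1] if positional else None


def is_allowed(target):
    return any(target == p.rstrip("/") or target.startswith(p) for p in ALLOWED_MOUNT_POINTS)


def analyze(text):
    findings = []
    for serial, ev in sorted(parse_audit(text).items(), key=lambda kv: kv[1]["ts"]):
        sc, ex = ev.get("SYSCALL"), ev.get("EXECVE")
        if not sc or not ex:
            continue
        exe, argv = _strip(sc["exe"]), _argv(ex)
        auid, uid = int(sc["auid"]), int(sc["uid"])
        flags = []
        if exe.endswith("/mount"):
            target = mount_target(argv)
            if target and not is_allowed(target):
                flags.append("mountpoint_not_allowed")
        elif exe.endswith("/losetup"):
            # a backing file argument means a loop device is being attached
            if any(not a.startswith("-") and not a.startswith("/dev/loop") for a in argv[1:]):
                flags.append("loop_attach")
        # UserContext: a logged-in user (auid) now running as a different uid
        if auid != AUID_UNSET and auid != uid:
            flags.append("root_escalation" if uid == 0 else "uid_change")
        if flags:
            findings.append({"serial": serial, "exe": exe, "argv": argv, "auid": auid, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_AUDIT_LOG):
        print(f)
```

Serial 502 is deliberately silent: /mnt/data is allowlisted and an unset auid is what a daemon started at boot looks like, so neither tunable fires. Tracing the mount(2) syscall itself (`-S mount`) instead of the binaries would also catch programs that call the syscall directly, at the cost of having to recover the target from PATH records rather than from argv.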
macOS: hidden file system use through APFS containers or custom plist configuration. Defender view: anomalous use of hdiutil or diskutil to attach or create hidden volumes, modification of plist entries tied to system volumes, or suspicious raw disk access.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | Execution of diskutil or hdiutil attaching hidden partitions |
| File Modification (DC0061) | macos:unifiedlog | Hidden volume attachment or modification events |

| Field | Description |
|---|---|
| MonitoredPlistPaths | Restrict to the plist files that govern volume mounting to limit noise. |
| ProcessScope | Restrict monitoring to sensitive processes such as diskutil and hdiutil. |
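As an added example (not part of the ATT&CK page), the detection below applies ProcessScope and MonitoredPlistPaths to macOS events. The events imitate a unified-log ndjson export (processImagePath, timestamp) enriched with the process command line from a process-creation source such as an Endpoint Security client; that enrichment, the event type names, the plist paths and the sample events are assumptions for this example. The hdiutil `-nobrowse` (hide the volume from Finder) and `-nomount` flags, and the diskutil `apfs addVolume ... -nomount` form, are real command-line options.

```python
"""Added example (not from the ATT&CK page): apply ProcessScope and MonitoredPlistPaths
to constructed macOS events shaped like an enriched unified-log export.
Event schema, plist paths, path heuristics and sample events are assumptions."""
import shlex

# ProcessScope: only the two volume-management tools named on the page.
PROCESS_SCOPE = {"/usr/bin/hdiutil", "/usr/sbin/diskutil"}
# MonitoredPlistPaths: assumed to be relevant to mount behaviour; tune per fleet.
MONITORED_PLIST_PATHS = (
    "/Library/Preferences/SystemConfiguration/autodiskmount.plist",
    "/Library/LaunchDaemons/",
)
# Directories where a disk image attached for a hidden volume would be unusual (assumed).
HIDDEN_IMAGE_DIRS = ("/tmp/", "/private/tmp/", "/private/var/tmp/", "/Users/Shared/")

# Constructed sample events (eventType and commandLine are assumed enrichment fields).
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01 10:00:01.000000-0700", "eventType": "processCreate",
     "processImagePath": "/usr/bin/hdiutil",
     "commandLine": "hdiutil attach /Users/alice/Downloads/App.dmg"},
    {"timestamp": "2024-05-01 10:00:07.000000-0700", "eventType": "processCreate",
     "processImagePath": "/usr/bin/hdiutil",
     "commandLine": "hdiutil attach -nobrowse -nomount /private/var/tmp/.cache/.vol.dmg"},
    {"timestamp": "2024-05-01 10:00:12.000000-0700", "eventType": "processCreate",
     "processImagePath": "/usr/sbin/diskutil",
     "commandLine": "diskutil apfs addVolume disk1 APFS Update -nomount"},
    {"timestamp": "2024-05-01 10:00:20.000000-0700", "eventType": "fileWrite",
     "processImagePath": "/usr/bin/defaults",
     "path": "/Library/Preferences/SystemConfiguration/autodiskmount.plist"},
    {"timestamp": "2024-05-01 10:00:25.000000-0700", "eventType": "processCreate",
     "processImagePath": "/usr/bin/python3", "commandLine": "python3 -c 'import os'"},
]


def process_flags(image, command_line):
    """Indicators for one process-creation event; empty outside ProcessScope."""
    if image not in PROCESS_SCOPE:
        return []
    argv = shlex.split(command_line)
    flags = []
    if image.endswith("/hdiutil") and len(argv) > 1 and argv[1] == "attach":
        if "-nobrowse" in argv:
            flags.append("hdiutil_nobrowse")     # volume hidden from Finder
        if "-nomount" in argv:
            flags.append("hdiutil_nomount")      # attached but not mounted
        # Non-option paths (image, or a -mountpoint value) in unusual or dot-prefixed dirs.
        for path in (a for a in argv[2:] if not a.startswith("-")):
            if path.startswith(HIDDEN_IMAGE_DIRS) or "/." in path:
                flags.append("hidden_image_path")
    elif image.endswith("/diskutil"):
        if "-nomount" in argv:
            flags.append("diskutil_nomount")
        if argv[1:3] == ["apfs", "addVolume"]:
            flags.append("apfs_volume_added")
    return flags


def file_flags(path):
    """Indicators for one file-write event under MonitoredPlistPaths."""
    return ["monitored_plist_modified"] if path.startswith(MONITORED_PLIST_PATHS) else []


def analyze(events):
    out = []
    for e in events:
        if e["eventType"] == "processCreate":
            flags = process_flags(e["processImagePath"], e["commandLine"])
        elif e["eventType"] == "fileWrite":
            flags = file_flags(e["path"])
        else:
            flags = []
        if flags:
            out.append({"timestamp": e["timestamp"], "process": e["processImagePath"], "flags": flags})
    return out


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

A plain `hdiutil attach` of a downloaded image produces no finding, which is the point of ProcessScope combined with flag heuristics: the tools themselves are common, so the indicators are the options and paths that make a volume invisible rather than the tool name alone.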