DC0046 Drive Modification

| Item | Value |
|---|---|
| ID | DC0046 |
| Version | 2.0 |
| Created | 20 October 2021 |
| Last Modified | 12 November 2025 |

Log Sources

| Name | Channel |
|---|---|
| Drive | None |
| linux:syslog | Block device write errors or unusual bootloader activity |
| macos:unifiedlog | IOKit disk write calls targeting raw devices |
| macos:unifiedlog | IOKit raw disk write to EFI/boot partition sectors |
| macos:unifiedlog | IOKit raw disk write activity targeting physical devices |
| networkdevice:firmware | Unexpected firmware image upload events via TFTP/FTP/SCP |
| networkdevice:runtime | Firmware image uploaded via TFTP/FTP/SCP |
| WinEventLog:Sysmon | Raw disk write access via `\\.\PhysicalDrive*` or `\\.\C:` |
| WinEventLog:Sysmon | Raw write attempts targeting `\\.\PhysicalDrive0` or sector 0 (MBR/partition table) |
| WinEventLog:Sysmon | Raw disk writes targeting `\\.\PhysicalDrive*` or MBR locations |

Detection Strategy

| ID | Name | Technique Detected |
|---|---|---|
| DET0316 | Detection Strategy for Disk Content Wipe via Direct Access and Overwrite | T1561.001 |
| DET0297 | Detection Strategy for Disk Structure Wipe via Boot/Partition Overwrite | T1561.002 |
| DET0137 | Detection Strategy for Disk Wipe via Direct Disk Access and Destructive Commands | T1561 |
| DET0150 | Detection Strategy for File Creation or Modification of Boot Files | T1542.003 |
| DET0278 | Detection Strategy for T1542 Pre-OS Boot | T1542 |
| DET0099 | Detection Strategy for T1542.001 Pre-OS Boot: System Firmware | T1542.001 |