DC0054 Drive Access

| Item | Value |
| --- | --- |
| ID | DC0054 |
| Version | 2.0 |
| Created | 20 October 2021 |
| Last Modified | 12 November 2025 |

Log Sources

| Name | Channel |
| --- | --- |
| auditd:SYSCALL | open/write syscalls on /dev/sd or /dev/nvme |
| auditd:SYSCALL | write syscalls to /dev/sd* targeting offset 0 |
| auditd:SYSCALL | open/write syscalls to block devices (/dev/sd, /dev/nvme) |
| fs:fsusage | open/read/mount operations |
| linux:osquery | hardware_events |
| linux:syslog | mount/umount or file copy logs |
| macos:osquery | usb_devices |
| WinEventLog:Sysmon | EventCode=9 |

Detection Strategy

| ID | Name | Technique Detected |
| --- | --- | --- |
| DET0410 | Detection Strategy for Data from Network Shared Drive | T1039 |
| DET0316 | Detection Strategy for Disk Content Wipe via Direct Access and Overwrite | T1561.001 |
| DET0297 | Detection Strategy for Disk Structure Wipe via Boot/Partition Overwrite | T1561.002 |
| DET0137 | Detection Strategy for Disk Wipe via Direct Disk Access and Destructive Commands | T1561 |
| DET0150 | Detection Strategy for File Creation or Modification of Boot Files | T1542.003 |
| DET0278 | Detection Strategy for T1542 Pre-OS Boot | T1542 |
| DET0099 | Detection Strategy for T1542.001 Pre-OS Boot: System Firmware | T1542.001 |
| DET0491 | Peripheral Device Enumeration via System Utilities and API Calls | T1120 |