Skip to content

DET0297 Detection Strategy for Disk Structure Wipe via Boot/Partition Overwrite

Item Value
ID DET0297
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1561.002 (Disk Structure Wipe)

Analytics

Windows

AN0827

Processes attempting raw disk access to overwrite sensitive structures such as the MBR or partition table using \.\PhysicalDrive notation. Detection relies on correlating process creation, privilege escalation, and raw sector writes in Sysmon and Security logs.

Log Sources
Data Component Name Channel
User Account Metadata (DC0013) WinEventLog:Security EventCode=4673
Drive Modification (DC0046) WinEventLog:Sysmon Raw write attempts targeting \.\PhysicalDrive0 or sector 0 (MBR/partition table)
Driver Load (DC0079) WinEventLog:Sysmon EventCode=6
Mutable Elements
Field Description
SectorRange Specify which sectors are considered critical (MBR, partition table) to reduce noise.
ProcessWhitelist Exclude legitimate low-level disk management or imaging tools used by administrators.

Linux

AN0828

Execution of utilities (dd, hdparm, sgdisk) or custom binaries attempting to overwrite disk boot structures (/dev/sda MBR sector or partition tables). Detection correlates shell execution with syscalls writing to sector 0 or disk metadata blocks.

Log Sources
Data Component Name Channel
Drive Access (DC0054) auditd:SYSCALL write syscalls to /dev/sd* targeting offset 0
Process Creation (DC0032) auditd:EXECVE Execution of dd/sgdisk with arguments writing to sector 0 or partition table
Mutable Elements
Field Description
TargetDevices Define specific device paths to monitor (e.g., /dev/sda, /dev/nvme0n1).
OffsetThreshold Focus on suspicious writes at disk offsets corresponding to MBR/partition structures.

macOS

AN0829

Abnormal invocation of diskutil or asr that modifies partition tables or initializes raw devices. Monitor for IOKit system calls targeting disk headers or EFI boot sectors, correlated with elevated privileges.

Log Sources
Data Component Name Channel
Command Execution (DC0064) macos:unifiedlog diskutil partitionDisk or eraseVolume with partition scheme modifications
Drive Modification (DC0046) macos:unifiedlog IOKit raw disk write to EFI/boot partition sectors
Mutable Elements
Field Description
AdminToolWhitelist System provisioning workflows may legitimately re-partition disks; whitelist by context.

Network Devices

AN0830

Execution of destructive CLI commands such as format flash:, format disk, or equivalent vendor-specific commands that erase filesystem structures. Detection correlates AAA logs showing privileged access with immediate format/erase commands.

Log Sources
Data Component Name Channel
Command Execution (DC0064) networkdevice:cli format flash:, format disk, reformat commands
User Account Authentication (DC0002) networkdevice:syslog Privileged login followed by destructive format command
Mutable Elements
Field Description
CommandPatterns Expand detection to cover vendor-specific destructive commands.
PrivilegedUsers Whitelist authorized maintenance sessions to reduce false positives.