AN0384: Analytic 0384
Unusual direct disk access attempts (e.g., use of \\.\PhysicalDrive notation), abnormal writes to MBR/boot sectors, and installation of kernel drivers that grant raw disk access. Correlate anomalous process creation with disk modification attempts and driver loads.
Analyst context for executives and security teams
AN0384 is a Windows detection analytic focused on signs that software is reaching below the file system: opening a disk or volume directly through device paths such as \\.\PhysicalDrive, writing to the MBR or boot sectors, or loading a kernel driver that grants raw disk access. For leaders, this matters because tampering at this layer can threaten system recoverability and undermine containment decisions, even while normal file-level monitoring looks quiet.
Executive priority
Prioritize this analytic where Windows endpoint resilience, rapid recovery, and incident triage are business-critical. The key management question is whether the SOC can prove it sees suspicious raw disk access, boot-sector modification attempts, and relevant driver loads early enough to support containment and recovery decisions. This also has audit value: organizations can use validated telemetry and response procedures as evidence that low-level endpoint tampering is within monitoring scope.
Technical view
For Windows environments, validate correlation between anomalous process creation, direct disk access patterns such as \\.\PhysicalDrive notation, disk modification attempts affecting MBR or boot sectors, and kernel driver loads associated with raw disk access. Because the official object supplies no tactic mapping, no relationships, and no detection logic, teams should treat AN0384 as a detection engineering requirement rather than a ready-to-run rule.
Likely telemetry
- Windows process creation telemetry with command line and parent/child process context
- Endpoint telemetry showing direct raw disk access attempts, including PhysicalDrive-style device paths
- Disk or boot-sector modification events where available
- Kernel driver load telemetry, including driver path, signer, hash, and loading process context
- Endpoint security or EDR alerts related to raw disk access or suspicious driver behavior
Detection direction
- Confirm telemetry coverage for process creation, driver loads, and low-level disk access on Windows systems; gaps in any one source will weaken correlation.
- Tune around legitimate administrative, backup, encryption, forensic, virtualization, and disk management tools that may perform raw disk operations.
- Prioritize correlation: unusual process plus raw disk access plus boot-sector/MBR write attempt or driver load should be higher signal than any single event alone.
- Review whether monitoring can see activity using device paths such as \\.\PhysicalDrive; many file-centric controls may miss this layer.
- Because no official detection query is supplied, test candidate logic in local environments before treating it as coverage evidence.
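The correlation described in the technical view and the detection direction above, as an added example that is not part of the ATT&CK object or of this page's analysis. It runs over constructed Sysmon-style events (EventID 1 ProcessCreate, 6 DriverLoad, 9 RawAccessRead) and scores a process higher when raw device access coincides with a suspicious launch path and a nearby driver load, skipping an illustrative allowlist of legitimate raw-disk tooling. The allowlist path, the window, the scoring weights and every event below are assumptions for illustration, and Sysmon's Event 9 only records reads through the \\.\ notation, so boot-sector write telemetry still has to come from an EDR or ETW source and is not modelled here.

```python
"""Correlate Sysmon-style endpoint telemetry into a raw-disk-tampering signal.

Added example for AN0384; not part of the ATT&CK object or the Glexia page.
Assumes events shaped like Sysmon operational-log records (EventID 1 =
ProcessCreate, 6 = DriverLoad, 9 = RawAccessRead). The events at the bottom
are constructed for illustration, not captured from a real host.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"
WINDOW = timedelta(minutes=5)   # a driver load this close to the process start counts (assumed)

# Win32 device-namespace forms that bypass the file system. Sysmon reports the
# NT form (\Device\HarddiskVolumeN) in the RawAccessRead Device field.
RAW_DEVICE_PREFIXES = (
    r"\\.\physicaldrive", r"\\.\harddisk", r"\\?\physicaldrive", r"\device\harddisk",
)
# Illustrative local allowlist (constructed path). Tune to your own backup,
# encryption, forensic and disk-management tooling; never leave it global.
ALLOWLISTED_IMAGES = {"c:\\program files\\backupvendor\\agent.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def is_raw_device_path(path):
    """True for handles that address a disk or volume directly."""
    p = path.lower()
    if p.startswith(RAW_DEVICE_PREFIXES):
        return True
    # \\.\C: opens the volume object itself (e.g. to overwrite its boot sector)
    return p.startswith("\\\\.\\") and len(p) == 6 and p[5] == ":"


def _ts(event):
    return datetime.strptime(event["UtcTime"], TIME_FMT)


def correlate(events):
    """Return findings sorted by score; one finding per process with raw access."""
    creates, raw_reads, drivers = {}, defaultdict(list), []
    for e in events:
        if e["EventID"] == 1:
            creates[e["ProcessGuid"]] = e
        elif e["EventID"] == 9 and is_raw_device_path(e["Device"]):
            raw_reads[e["ProcessGuid"]].append(e)
        elif e["EventID"] == 6:
            drivers.append(e)

    findings = []
    for guid, reads in raw_reads.items():
        image = reads[0]["Image"].lower()
        if image in ALLOWLISTED_IMAGES:
            continue
        devices = sorted({r["Device"] for r in reads})
        score, reasons = 1, ["raw device access: " + ", ".join(devices)]
        proc = creates.get(guid)
        if proc is None:
            # Event 9 without its Event 1: still alert, but flag the coverage gap
            reasons.append("no ProcessCreate seen for this ProcessGuid (telemetry gap)")
        else:
            if any(seg in image for seg in USER_WRITABLE):
                score += 1
                reasons.append("image runs from a user-writable path")
            t0 = _ts(proc)
            for d in drivers:
                if abs(_ts(d) - t0) > WINDOW:
                    continue
                if d.get("SignatureStatus") == "Valid":
                    score += 1
                    reasons.append("signed driver loaded near process start: " + d["ImageLoaded"])
                else:
                    score += 2
                    reasons.append("unsigned/invalid driver loaded near process start: " + d["ImageLoaded"])
        severity = "high" if score >= 4 else "medium" if score >= 2 else "low"
        findings.append({"image": image, "score": score, "severity": severity, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:00.000", "ProcessGuid": "A",
     "Image": "C:\\Program Files\\BackupVendor\\agent.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"EventID": 9, "UtcTime": "2024-05-01 10:00:03.000", "ProcessGuid": "A",
     "Image": "C:\\Program Files\\BackupVendor\\agent.exe", "Device": "\\Device\\HarddiskVolume2"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:05:00.000", "ProcessGuid": "B",
     "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 6, "UtcTime": "2024-05-01 10:05:01.000", "ImageLoaded": "C:\\Windows\\Temp\\diskio.sys",
     "Signed": "false", "SignatureStatus": "Unsigned"},
    {"EventID": 9, "UtcTime": "2024-05-01 10:05:02.000", "ProcessGuid": "B",
     "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe", "Device": "\\\\.\\PhysicalDrive0"},
    {"EventID": 9, "UtcTime": "2024-05-01 10:30:00.000", "ProcessGuid": "C",
     "Image": "C:\\Tools\\unknown.exe", "Device": "\\\\.\\PhysicalDrive0"},
    {"EventID": 6, "UtcTime": "2024-05-01 12:00:00.000", "ImageLoaded": "C:\\Windows\\System32\\drivers\\storport.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["image"], "|", "; ".join(f["reasons"]))
```

On the constructed input the backup agent is dropped by the allowlist, the temp-directory updater that opened \\.\PhysicalDrive0 a second after an unsigned driver loaded scores high, and the process with raw access but no recorded creation is kept as a low-severity finding that names the telemetry gap rather than silently discarded. The isolated signed driver load hours later produces nothing on its own, which is the point of correlating rather than alerting on single events.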
Mitigation priorities
- Maintain least-privilege controls so routine users and unmanaged software cannot perform administrative disk operations.
- Restrict and review kernel driver installation and loading, including approval processes for legitimate drivers.
- Ensure endpoint monitoring is configured to capture process creation, driver loads, and raw disk access indicators on Windows systems.
- Prepare incident response playbooks for suspected boot-sector or raw-disk tampering, including isolation, forensic preservation, and recovery validation.
- Validate backup and recovery procedures for affected Windows endpoints, since low-level disk modification may complicate normal restoration assumptions.
Analyst notes and limits
This object is an ATT&CK detection analytic, not a technique description. Its value is in guiding validation of Windows telemetry and correlation logic for direct disk access, boot-sector or MBR writes, and kernel driver loads. No relationship context was supplied, so this analysis does not infer associated techniques, groups, software, campaigns, or tactics.
Official detection content is not provided, tactics are not specified, and no relationships are supplied. Local baselining is required to separate legitimate disk, driver, backup, encryption, and forensic activity from suspicious behavior. The supplied fields support Windows only.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5290c83bf0c2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0384
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.