AN0385: Analytic 0385
Processes invoking destructive commands (dd, shred, wipe) with raw device targets (e.g., /dev/sda, /dev/nvme0n1). Detect direct writes to disk partitions and abnormal superblock or bootloader modifications. Correlate shell execution with subsequent block device I/O.
Analyst context for executives and security teams
This analytic covers Linux processes that write destructively to raw disk devices, for example dd, shred, or wipe invoked against targets under /dev such as /dev/sda or /dev/nvme0n1. For executives and security leaders, the decision value is resilience: if this behavior is missed, an incident can move quickly from system compromise to loss of bootability, data destruction, or extended recovery work. The key question is whether the organization can see and respond to destructive disk-level activity before it becomes an outage.
Executive priority
Prioritize this as an operational resilience and incident response readiness control for Linux environments that support critical workloads. Leaders should ask whether SOC teams collect enough Linux process, shell, and block-device activity to identify destructive raw-device writes, and whether response teams have clear authority to isolate affected hosts quickly. This is also relevant to audit and risk evidence: the organization should be able to demonstrate monitoring for high-risk administrative actions that can destroy data or impair recovery.
Technical view
Validate visibility on Linux for processes invoking destructive utilities or direct write behavior against raw block devices such as disk partitions, whole disks, superblocks, or bootloader-related areas. Since no official detection logic is provided, detection engineering should build conservative analytics around parent shell execution, command-line targets under /dev, process-to-device I/O correlation, and abnormal modification of disk metadata areas. Tune carefully for legitimate administrative imaging, wiping, or decommissioning workflows.
Likely telemetry
- Linux process creation events with command-line arguments
- Shell execution history or shell process telemetry where available
- File or device access events involving raw block devices under /dev
- Block device I/O or kernel/audit events showing direct writes to disk devices
- Host audit logs capable of showing privileged execution and target paths
Detection direction
- Confirm that Linux endpoint or audit telemetry captures full command lines and target device paths, not only process names.
- Alert on destructive utilities or equivalent direct-write behavior when the target is a raw disk or partition device rather than a regular file.
- Correlate shell execution with subsequent block-device writes to reduce reliance on command-name matching alone.
- Account for legitimate disk imaging, secure wipe, forensics, storage administration, and decommissioning activity to reduce false positives.
- Treat missing command-line logging, limited /dev access visibility, and lack of block I/O telemetry as material blind spots.
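The following Python is an added example, not part of the ATT&CK object and not Glexia's code: it runs the detection direction above over a handful of constructed process-creation events. It flags dd, shred and wipe when the write target is a raw block device rather than a regular file, treats a shell `-c` string that redirects into /dev as equivalent direct-write behavior, calls out the single sector-0 dd write that overwrites the MBR/bootloader area, and downgrades hits whose parent process and uid match an approved wiping workflow. The device-name regex, the dd size-suffix parsing, the `wipe-runner` approved parent and the sample events are all assumptions for illustration; on a real host, /dev/disk/by-* symlinks must be resolved with os.path.realpath before matching, which an offline example cannot do.

```python
"""Flag destructive writes to raw block devices from Linux process-creation events.

Added example (not from the ATT&CK object or the mirror page). The events below
are constructed, not real telemetry; device-name patterns and the approved-parent
allow-list are assumptions to adapt per environment.
"""
import os
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DESTRUCTIVE_TOOLS = {"dd", "shred", "wipe"}   # utilities named by the analytic
SHELLS = {"sh", "bash", "dash", "zsh"}         # for `sh -c '... > /dev/sdX'` redirects

# Assumed device naming only; /dev/disk/by-* symlinks must be resolved on the
# host (os.path.realpath) before matching, which this offline example cannot do.
RAW_DEVICE = re.compile(
    r"^/dev/(?:(?:sd|vd|xvd)[a-z]+\d*"   # /dev/sda, /dev/sda1, /dev/vdb
    r"|nvme\d+n\d+(?:p\d+)?"             # /dev/nvme0n1, /dev/nvme0n1p2
    r"|mmcblk\d+(?:p\d+)?"               # /dev/mmcblk0p1
    r"|md\d+|dm-\d+|mapper/[\w.-]+)$"    # RAID and device-mapper nodes
)
# Hypothetical approved wiping/decommissioning runner: (parent comm, uid).
APPROVED_PARENTS = {("wipe-runner", 0)}


@dataclass
class ProcEvent:
    pid: int
    uid: int
    parent_comm: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    tool: str
    target: str
    reasons: List[str] = field(default_factory=list)
    approved: bool = False   # matched an approved workflow: log, do not page


def _size(s: str) -> int:
    """Parse dd-style sizes such as 512, 4K, 1M (suffix handling is an assumption)."""
    mult = {"K": 1 << 10, "M": 1 << 20, "G": 1 << 30}
    s = s.strip()
    if not s:
        return 512
    return int(s[:-1]) * mult[s[-1].upper()] if s[-1].upper() in mult else int(s)


def _targets(tool: str, argv: List[str]) -> List[str]:
    """Candidate write targets; option values leak through and are filtered later."""
    if tool == "dd":
        return [a[3:] for a in argv[1:] if a.startswith("of=")]   # if= is the source
    if tool in SHELLS:
        if "-c" not in argv or argv.index("-c") + 1 >= len(argv):
            return []
        return re.findall(r">>?\s*(/dev/\S+)", argv[argv.index("-c") + 1])
    return [a for a in argv[1:] if not a.startswith("-")]          # shred, wipe


def analyze(ev: ProcEvent) -> Optional[Finding]:
    try:
        argv = shlex.split(ev.cmdline)
    except ValueError:
        return None
    if not argv:
        return None
    tool = os.path.basename(argv[0])
    if tool not in DESTRUCTIVE_TOOLS and tool not in SHELLS:
        return None
    raw = [t for t in _targets(tool, argv) if RAW_DEVICE.match(t)]
    if not raw:
        return None   # regular-file targets (disk images, temp files) are out of scope
    label = "shell-redirect" if tool in SHELLS else tool
    f = Finding(ev.pid, label, raw[0], [f"{label} writes to raw block device {raw[0]}"])
    if tool == "dd":
        opts: Dict[str, str] = dict(a.split("=", 1) for a in argv[1:] if "=" in a)
        if opts.get("if") in ("/dev/zero", "/dev/urandom", "/dev/random"):
            f.reasons.append(f"input {opts['if']}: overwrite/fill pattern")
        # One block of <= 512 bytes at offset 0 is the classic MBR/bootloader wipe.
        if (opts.get("count") == "1" and opts.get("seek", "0") == "0"
                and _size(opts.get("bs", "512")) <= 512):
            f.reasons.append("single sector-0 write: MBR/bootloader overwrite pattern")
    f.approved = (ev.parent_comm, ev.uid) in APPROVED_PARENTS
    return f


def scan(events: List[ProcEvent]) -> List[Finding]:
    return [f for f in map(analyze, events) if f is not None]


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    ProcEvent(101, 0, "bash", "dd if=/dev/zero of=/dev/sda bs=512 count=1"),
    ProcEvent(102, 0, "bash", "shred -n 1 -z /dev/nvme0n1"),
    ProcEvent(103, 0, "bash", "dd if=/dev/sda of=/mnt/backup/disk.img bs=4M"),
    ProcEvent(104, 0, "sshd", "bash -c 'cat /dev/urandom > /dev/sdb'"),
    ProcEvent(105, 1000, "bash", "shred -u /tmp/secrets.txt"),
    ProcEvent(106, 0, "wipe-runner", "dd if=/dev/zero of=/dev/sdc bs=1M"),
    ProcEvent(107, 0, "bash", "wipe -kq /dev/sdd1"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print("INFO " if f.approved else "ALERT", f.pid, f.tool, f.target, "; ".join(f.reasons))
```

Of the seven sample events, the imaging job that reads /dev/sda into a regular file and the shred of a temp file produce nothing, the dd run under the approved `wipe-runner` parent is recorded but not alerted, and the remaining four (sector-0 dd, shred of the NVMe disk, the shell redirect, and wipe of a partition) alert. The shell-redirect branch is the part that reduces reliance on command-name matching; in production it should be backed by the block I/O or audit telemetry listed above, since a redirect can also be hidden behind an alias or a script the command line does not show.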
Mitigation priorities
- Restrict privileged access required to write directly to raw block devices on Linux systems.
- Separate and monitor approved administrative disk-wiping, imaging, and storage-maintenance workflows.
- Ensure critical Linux hosts have tested backup and recovery procedures appropriate for destructive disk-level events.
- Harden logging so process execution, command lines, and device access are retained long enough for SOC triage and incident response.
- Define rapid containment procedures for suspected destructive disk activity, including when to isolate hosts and preserve evidence.
Analyst notes and limits
This object is a detection analytic for Linux focused on destructive commands and raw device targets. The supplied fields give a clear behavioral description but no official detection logic, tactics, mitigations, or relationships, so any implementation will be environment-specific and must be validated against legitimate storage administration activity.
No relationships, tactics, procedure examples, or official detection content were supplied. This analysis does not infer attribution, active exploitation, affected customers, or guaranteed detection; local telemetry quality and administrative practices determine whether the analytic is reliable.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b9f532fafe4a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0385 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.