AN0386: Analytic 0386
Abnormal invocation of diskutil, asr, or low-level APIs (IOKit) to erase/partition drives. Correlate process execution with unified log entries showing destructive disk operations.
Analyst context for executives and security teams
This analytic is about recognizing unusual macOS activity that may indicate destructive disk operations, such as erasing or partitioning drives through diskutil, asr, or low-level IOKit APIs. For leaders, the practical value is resilience: if an organization depends on macOS endpoints for executive, developer, creative, or operational workflows, destructive disk activity can quickly become a business continuity and incident response issue.
Executive priority
Prioritize this as a validation point for macOS endpoint monitoring and recovery readiness. Security leaders should ask whether SOC teams can see process execution and macOS unified log evidence for disk erase or partition operations, whether those events are retained long enough for investigation, and whether IR playbooks distinguish legitimate administrative imaging or repair activity from abnormal destructive behavior. This also supports audit and resilience discussions around endpoint logging, backup, and recovery evidence.
Technical view
For macOS, validate visibility into abnormal invocation of diskutil, asr, and low-level IOKit-related activity associated with drive erase or partition operations. The supplied ATT&CK object does not specify tactics or relationships, so detection engineering should focus on the stated behavior: correlating process execution with unified log entries that show destructive disk operations. Tune around known administrative workflows such as device provisioning, repair, redeployment, or sanctioned disk management.
Likely telemetry
- macOS process execution events for diskutil and asr
- macOS unified log entries showing disk erase, partition, or destructive disk operations
- Endpoint security telemetry that records command-line execution and parent-child process context
- Administrative activity records for approved device imaging, repair, or redeployment workflows
Detection direction
- Confirm that macOS process execution telemetry includes command line, parent process, user, host, and timestamp for diskutil and asr activity.
- Correlate suspicious process execution with unified log evidence of destructive disk operations rather than alerting on tool execution alone.
- Build allowlists or context rules for expected IT administration, provisioning, recovery, and disk maintenance activity to reduce false positives.
- Investigate unusual timing, user context, host population, or process ancestry for disk erase or partition activity.
- Treat low-level API visibility as a potential blind spot if endpoint tooling does not expose IOKit-related destructive disk operations.
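As an added worked example (not part of the analytic or the mirrored object), the following Python applies the direction above to constructed telemetry: a destructive diskutil/asr command line is only raised to high severity when a unified log entry on the same host corroborates it within a short window, and sanctioned imaging context is suppressed by an allowlist. The event and log formats, host names, accounts and the allowlist rule are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry for illustration; field layouts are assumed, not real macOS output.
PROCESS_EVENTS = [
    {"ts": "2024-05-01T10:02:11", "host": "mac-dev-07", "user": "jdoe", "parent": "Terminal",
     "cmd": "diskutil list"},                                   # tool execution alone, not destructive
    {"ts": "2024-05-01T10:05:40", "host": "mac-dev-07", "user": "jdoe", "parent": "osascript",
     "cmd": "diskutil eraseVolume APFS Scratch disk2s3"},        # unusual ancestry, corroborated below
    {"ts": "2024-05-01T11:00:00", "host": "mac-it-01", "user": "itadmin", "parent": "Terminal",
     "cmd": "asr restore --source base.dmg --target /dev/disk3"},  # sanctioned imaging workflow
    {"ts": "2024-05-01T12:30:00", "host": "mac-dev-09", "user": "asmith", "parent": "bash",
     "cmd": "diskutil partitionDisk disk2 1 GPT APFS Data 0b"},  # no unified log corroboration
]
UNIFIED_LOG = [  # constructed: "<iso timestamp> <host> <process>: <message>"
    "2024-05-01T10:05:42 mac-dev-07 diskmanagementd: erase requested for disk2s3",
    "2024-05-01T11:00:05 mac-it-01 diskmanagementd: restore to disk3 started",
    "2024-05-01T12:30:30 mac-dev-09 loginwindow: session idle",
]

# Destructive verbs of the two tools the analytic names; "diskutil list" and similar do not match.
DESTRUCTIVE_CMD = re.compile(r"\b(?:diskutil\s+(?:\w*erase\w*|partitionDisk)|asr\s+restore)\b", re.I)
DESTRUCTIVE_LOG = re.compile(r"\b(?:erase|partition|restore)\b", re.I)
WINDOW = timedelta(seconds=60)
# Assumed sanctioned context: the IT imaging account on the imaging host group, launched from Terminal.
ALLOWLIST = [{"user": "itadmin", "host_prefix": "mac-it-", "parent": "Terminal"}]

def sanctioned(ev):
    return any(ev["user"] == a["user"] and ev["host"].startswith(a["host_prefix"])
               and ev["parent"] == a["parent"] for a in ALLOWLIST)

def log_corroboration(ev, log_lines):
    """Unified log lines on the same host within WINDOW that describe a destructive disk operation."""
    t0 = datetime.fromisoformat(ev["ts"])
    hits = []
    for line in log_lines:
        ts, host, msg = line.split(" ", 2)
        if host == ev["host"] and abs(datetime.fromisoformat(ts) - t0) <= WINDOW \
                and DESTRUCTIVE_LOG.search(msg):
            hits.append(line)
    return hits

def correlate(events, log_lines):
    """Alert on destructive command lines; severity depends on unified log corroboration."""
    alerts = []
    for ev in events:
        if not DESTRUCTIVE_CMD.search(ev["cmd"]) or sanctioned(ev):
            continue
        hits = log_corroboration(ev, log_lines)
        alerts.append({"host": ev["host"], "user": ev["user"], "parent": ev["parent"],
                       "cmd": ev["cmd"], "severity": "high" if hits else "medium", "evidence": hits})
    return alerts
```

Running `correlate(PROCESS_EVENTS, UNIFIED_LOG)` yields one high-severity alert for mac-dev-07 and one medium-severity, uncorroborated alert for mac-dev-09; the sanctioned asr run on mac-it-01 is suppressed.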
Mitigation priorities
- Ensure critical macOS systems have tested backup and recovery processes before relying on detection alone.
- Restrict administrative privileges needed to perform destructive disk operations where operationally feasible.
- Document approved disk management workflows so SOC teams can distinguish sanctioned activity from abnormal behavior.
- Validate endpoint logging and unified log retention for macOS systems used in business-critical roles.
- Include destructive disk operation scenarios in incident response tabletop or recovery exercises.
Analyst notes and limits
This is a detection analytic, not a technique object. The official description provides a clear behavioral focus for macOS: abnormal use of disk utilities or low-level APIs to erase or partition drives, with correlation to unified logs. No ATT&CK tactics, relationships, aliases, or separate official detection logic were supplied, so this take emphasizes defensive validation rather than threat attribution or impact claims.
The supplied object has no relationship context and no official detection field beyond the description. It does not identify a specific adversary, campaign, malware, tactic, or guaranteed detection method. Local baselines for legitimate macOS disk administration are required to determine abnormality.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 471ece33829d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0386 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.