MITRE ATT&CK® Analytic

AN0428: Analytic 0428

Detection of raw access to physical drives, modification of boot records (MBR/VBR), and suspicious file creation or alteration within the EFI System Partition (ESP). Correlates privileged process execution with low-level disk modification and unexpected driver or firmware interactions.

Enterprise | AN0428 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

AN0428 is a Windows detection analytic focused on signs that something is touching the lowest levels of a system’s storage and boot path: raw physical drive access, MBR/VBR modification, and unexpected file changes in the EFI System Partition. For leaders, this matters because boot-path tampering can undermine trust in system recovery, endpoint integrity, and incident containment decisions even when normal endpoint activity appears quiet.

Executive priority

Prioritize this analytic where Windows systems support critical operations, privileged administration, regulated workloads, or recovery-dependent business processes. The key business question is whether the organization can prove visibility into boot-record and EFI System Partition changes, not just normal file and process activity. This is also relevant to audit and incident readiness because low-level disk modification may require stronger evidence collection, rebuild decisions, and validation of endpoint trust before returning systems to service.

Technical view

SOC and detection engineering teams should validate whether Windows telemetry can correlate privileged process execution with raw physical drive access, MBR/VBR modification, suspicious EFI System Partition file creation or alteration, and unexpected driver or firmware interactions. Because ATT&CK provides no specific detection logic for this analytic, teams should treat AN0428 as a coverage objective rather than a ready-to-run rule. IR teams should confirm escalation paths for preserving disk, boot configuration, and firmware-adjacent evidence when this class of behavior is observed.

Likely telemetry

  • Windows process execution telemetry with privilege context
  • Raw physical drive access indicators (for example a handle opened to \\.\PhysicalDriveN, which requires administrative rights)
  • Disk or volume write activity involving MBR or VBR regions (sector 0 of the physical disk for the MBR; the first sector of a volume for its VBR)
  • EFI System Partition file creation, modification, or deletion events
  • Driver load or driver interaction telemetry

Detection direction

  • Validate that telemetry includes privileged process context, not just process names or command lines.
  • Tune for correlation across process execution, raw disk access, boot-record modification, and EFI System Partition changes rather than relying on a single event type.
  • Review legitimate administrative, backup, disk imaging, encryption, firmware update, and recovery tooling to reduce false positives.
  • Identify blind spots on Windows endpoints where ESP visibility, low-level disk writes, driver interactions, or firmware-adjacent events are not collected.
  • Because no ATT&CK relationships or tactics are supplied, avoid over-mapping this analytic to a specific adversary behavior chain without local evidence.
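The correlation the Technical view and Detection direction call for, as an added example that is not part of the ATT&CK object or of Glexia's page. The normalized event schema, its field names, the sample events, the allowlisted imaging tool and the assumption that the ESP shows up under a drive letter or a \\?\Volume{GUID}\ path are all constructed for illustration; Sysmon is mentioned in comments only as a point of comparison for where such fields can come from.

```python
"""Correlate privileged process execution with raw physical-drive access,
boot-record writes and EFI System Partition (ESP) file changes.
Added example: event schema, field names and sample events are constructed,
not an ATT&CK or vendor artifact."""
import re
from datetime import datetime, timedelta

SECTOR = 512
PRIVILEGED_INTEGRITY = {"High", "System"}
# Signals that justify an alert on their own. A raw read alone is only a hint:
# imaging and backup tools read whole disks routinely.
STRONG = {"mbr_write", "raw_write", "esp_create", "esp_modify", "esp_delete"}
# Hypothetical allowlist of imaging/backup images whose raw reads are expected.
# A path is cheap to spoof, so back it with signer or hash checks in
# production; it never suppresses STRONG signals here.
DEFAULT_ALLOWLIST = {r"c:\program files\backup\imager.exe"}
# ESP reached via a mounted drive letter or a \\?\Volume{GUID}\ path
# (assumption about how the sensor renders ESP paths).
ESP_PATH = re.compile(
    r"^(?:[A-Za-z]:|\\\\\?\\Volume\{[0-9A-Fa-f-]+\})\\EFI\\", re.IGNORECASE)

# Constructed sample telemetry. "process" resembles a process-create event
# with an integrity level (Sysmon event 1 carries one); "raw_access" resembles
# a handle to \\.\PhysicalDriveN (Sysmon event 9 logs raw reads only, so the
# access/offset fields are assumed from a richer EDR); "file" is a file event.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "type": "process", "pid": 4100,
     "image": r"C:\Windows\Temp\upd.exe", "integrity": "High", "user": r"CORP\admin1"},
    {"ts": "2024-05-01T10:00:02", "type": "raw_access", "pid": 4100,
     "device": r"\\.\PhysicalDrive0", "access": "write", "offset": 0, "length": 512},
    {"ts": "2024-05-01T10:00:05", "type": "file", "pid": 4100,
     "path": r"S:\EFI\Microsoft\Boot\bootmgfw.efi", "action": "modify"},
    {"ts": "2024-05-01T11:00:00", "type": "process", "pid": 5200,
     "image": r"C:\Program Files\Backup\imager.exe", "integrity": "System",
     "user": r"NT AUTHORITY\SYSTEM"},
    {"ts": "2024-05-01T11:00:01", "type": "raw_access", "pid": 5200,
     "device": r"\\.\PhysicalDrive0", "access": "read", "offset": 0, "length": 1 << 20},
    {"ts": "2024-05-01T12:00:00", "type": "process", "pid": 6300,
     "image": r"C:\Users\bob\notes.exe", "integrity": "Medium", "user": r"CORP\bob"},
    {"ts": "2024-05-01T12:00:01", "type": "file", "pid": 6300,
     "path": r"C:\Users\bob\notes.txt", "action": "modify"},
    # Raw write with no process-create record: a blind spot, not noise.
    {"ts": "2024-05-01T12:30:00", "type": "raw_access", "pid": 9999,
     "device": r"\\.\PhysicalDrive0", "access": "write", "offset": 0, "length": 512},
]


def classify(ev):
    """Map one disk/file event to a signal name, or None if uninteresting."""
    if ev["type"] == "raw_access":
        if ev["access"] == "write":
            # Sector 0 of the physical drive holds the MBR (a protective MBR on
            # GPT disks). VBR offsets depend on the partition table, so other
            # raw writes are reported generically.
            return "mbr_write" if ev["offset"] < SECTOR else "raw_write"
        return "raw_read"
    if ev["type"] == "file" and ESP_PATH.match(ev["path"]):
        return "esp_" + ev["action"]
    return None


def severity(strong):
    """High when boot-record and ESP signals co-occur, medium for one family."""
    families = {"boot" if s in ("mbr_write", "raw_write") else "esp" for s in strong}
    return "high" if len(families) > 1 else "medium"


def correlate(events, window_s=600, allowlist=DEFAULT_ALLOWLIST):
    """Return (alerts, unattributed). Disk events join the most recent
    process-create record for the same pid within window_s seconds; prefer a
    process GUID over pid where the sensor supplies one, since pids recycle."""
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    procs, signals, unattributed = {}, {}, []
    for ev in events:
        if ev["type"] == "process":
            procs[ev["pid"]] = ev
            continue
        sig = classify(ev)
        if sig is None:
            continue
        proc = procs.get(ev["pid"])
        if proc is None or (datetime.fromisoformat(ev["ts"])
                            - datetime.fromisoformat(proc["ts"])) > timedelta(seconds=window_s):
            unattributed.append(ev)  # low-level access without process context
            continue
        signals.setdefault(ev["pid"], set()).add(sig)
    alerts = []
    for pid, sigs in signals.items():
        proc = procs[pid]
        if proc["integrity"] not in PRIVILEGED_INTEGRITY:
            continue
        strong = sigs & STRONG
        if not strong:
            if proc["image"].lower() in allowlist:
                continue  # expected whole-disk read by a known imaging tool
            sev = "low"
        else:
            sev = severity(strong)
        alerts.append({"pid": pid, "image": proc["image"], "user": proc["user"],
                       "signals": sorted(sigs), "severity": sev})
    return alerts, unattributed


if __name__ == "__main__":
    found, blind = correlate(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['severity']:6} pid={a['pid']} {a['image']} {a['signals']}")
    for ev in blind:
        print("unattributed:", ev)
```

Run against the constructed sample, the unsigned temp-directory binary that writes sector 0 and then modifies bootmgfw.efi under the ESP produces one high-severity alert, the allowlisted imager's whole-disk read produces nothing, and the raw write from pid 9999 lands in the unattributed list because no process-create record exists for it, which is exactly the telemetry gap the Detection direction bullets ask teams to find. The allowlist deliberately only quiets weak signals: a trusted imaging tool that starts writing boot sectors still alerts.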

Mitigation priorities

  • Restrict and monitor privileged access capable of modifying physical drives, boot records, drivers, or boot-related partitions.
  • Harden administrative workflows for disk management, recovery, firmware updates, and endpoint imaging so expected activity is documented and attributable.
  • Ensure endpoint logging and EDR policy capture low-level disk, driver, and boot-path events on relevant Windows systems.
  • Define incident response criteria for when boot-path modification requires isolation, forensic imaging, rebuild, or integrity validation before restoration.
  • Maintain recovery procedures that can restore trusted boot configuration and system images where business-critical Windows assets are affected.

Analyst notes and limits

This object is a detection analytic, not a technique or procedure example. Its value is in defining a defensive coverage target around Windows boot-path and low-level disk integrity. The strongest validation work is local: confirm which Windows assets expose the required telemetry and which legitimate tools commonly touch these areas.

ATT&CK supplies no detection query, no tactics, no relationships, no adversary attribution, and no platform beyond Windows. This take therefore avoids claims about active exploitation, threat actors, impact, or guaranteed detectability. Local endpoint configuration and telemetry quality will determine practical coverage.

Official MITRE ATT&CK definition

Analytic 0428

Detection of raw access to physical drives, modification of boot records (MBR/VBR), and suspicious file creation or alteration within the EFI System Partition (ESP). Correlates privileged process execution with low-level disk modification and unexpected driver or firmware interactions.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Where ATT&CK supplies related groups, software, data sources, or mitigations, validate them against the official ATT&CK relationships and your own telemetry before making control-coverage decisions; this object currently carries none, so those decisions rest on local telemetry validation.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: f897a98360a2497a...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: f897a98360a2…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0428
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.