MITRE ATT&CK® Analytic

AN0827: Analytic 0827

Processes attempting raw disk access to overwrite sensitive structures such as the MBR or partition table using \\.\PhysicalDrive notation. Detection relies on correlating process creation, privilege escalation, and raw sector writes in Sysmon and Security logs.

Domain: Enterprise | Object: AN0827 (Analytic) | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN0827 focuses on Windows processes that try to access a physical disk directly using \\.\PhysicalDrive notation and overwrite sensitive disk structures such as the Master Boot Record or partition table. For executives and security leaders, this matters because the behavior can threaten system recoverability and business continuity, not just data confidentiality. The practical question is whether the organization can see and investigate raw disk write attempts before they become a recovery or outage event.

Executive priority

Prioritize this analytic as a resilience and incident-response readiness check for Windows environments. Leaders should ask whether SOC logging includes the process, privilege, and disk-write evidence needed to distinguish legitimate low-level disk utilities from suspicious attempts to alter boot or partition structures. This is also useful audit evidence for demonstrating that destructive or recovery-impacting host behavior is monitored, even though the supplied ATT&CK object does not provide tactic mapping, relationships, or confirmed threat usage.

Technical view

Validate coverage on Windows hosts for processes referencing \\.\PhysicalDrive and correlate that activity with process creation, privilege escalation indicators, and raw sector write evidence in Sysmon and Windows Security logs. Detection engineering should focus on context: parent process, command line, user/account, integrity or privilege level, host role, timing, and whether the process is an approved disk, backup, encryption, forensic, or administrative utility. Because no official detection logic is provided, teams should build and test local logic against known-good administrative activity and incident-response scenarios.

Likely telemetry

  • Windows process creation events, including image, command line, parent process, user, and host
  • Sysmon events relevant to process activity and raw disk access or write behavior, where configured
  • Windows Security logs showing privilege use or privilege escalation context
  • Evidence of access strings or handles involving \\.\PhysicalDrive
  • Host inventory or allowlist context for approved disk management, backup, encryption, imaging, or forensic tools

Detection direction

  • Confirm whether endpoint logging actually captures command lines and raw physical drive access indicators on Windows systems.
  • Correlate physical drive access with privilege context; raw disk writes by elevated or unusual processes should receive higher review priority.
  • Tune for expected administrative tools to reduce false positives, but require justification for any broad allowlist because legitimate utilities can still create high-impact risk.
  • Review parent-child process chains and user context to separate scheduled maintenance from unexpected interactive or service-launched activity.
  • Because ATT&CK supplies no relationship context or official detection query, validate analytic performance in the local environment before using it as a coverage claim.
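As an added example (not MITRE's analytic logic and not Glexia's detection content), the following Python implements the correlation that the Technical view and the Detection direction list describe: process-creation records whose command line references a \\.\PhysicalDrive device are scored against a local allowlist of approved disk utilities, the Sysmon integrity level, the presence of a Security 4672 "special privileges assigned" event for the same logon session, and the parent process. The allowlist paths, the interactive-parent set, the threshold and every sample event are constructed assumptions for this example; field names follow Sysmon Event ID 1 and Security Event ID 4672 but the record shapes are simplified.

```python
"""Correlate process-creation and privilege telemetry to surface raw
physical-disk access (\\\\.\\PhysicalDriveN) by processes that are not
approved disk utilities.  Added example, not MITRE/Glexia code."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Matches \\.\PhysicalDrive0 and the equivalent \\?\PhysicalDrive0 form.
# Win32 device paths are case-insensitive, so the pattern is too.
PHYSICAL_DRIVE_RE = re.compile(r"\\\\[.?]\\PhysicalDrive\d+", re.IGNORECASE)

# Assumed local allowlist of approved low-level disk tools, keyed by full
# lower-case image path (constructed; match on path, never bare name).
APPROVED_IMAGES = {
    r"c:\windows\system32\diskpart.exe",
    r"c:\program files\examplebackup\agent.exe",
}

# Parents that indicate an interactive launch rather than service-launched
# or scheduled maintenance (local baseline assumption).
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}

ALERT_THRESHOLD = 4  # tuned so approved-but-elevated tools stay below it


@dataclass(frozen=True)
class ProcessEvent:
    """Essential fields of Sysmon Event ID 1 (or Security 4688)."""
    host: str
    logon_id: str
    image: str
    command_line: str
    parent_image: str
    user: str
    integrity_level: str  # Sysmon IntegrityLevel, e.g. Medium/High/System


@dataclass(frozen=True)
class PrivilegeEvent:
    """Security Event ID 4672: special privileges assigned to a new logon."""
    host: str
    logon_id: str
    privileges: frozenset


def references_physical_drive(text: str) -> bool:
    """True if a command line or target string names a physical drive device."""
    return PHYSICAL_DRIVE_RE.search(text) is not None


def index_privileges(events: Iterable[PrivilegeEvent]) -> Dict[tuple, PrivilegeEvent]:
    """Key 4672 events by (host, logon id) so process events can join on them."""
    return {(e.host, e.logon_id): e for e in events}


def score_process(proc: ProcessEvent, priv_index: Dict[tuple, PrivilegeEvent]) -> Tuple[int, List[str]]:
    """Return (score, reasons); score 0 means the event is not in scope."""
    if not references_physical_drive(proc.command_line):
        return 0, []
    score, reasons = 1, ["command line references a \\\\.\\PhysicalDrive device"]
    if proc.image.lower() not in APPROVED_IMAGES:
        score += 2
        reasons.append("image is not an approved disk utility")
    if proc.integrity_level.lower() in {"high", "system"}:
        score += 1
        reasons.append(f"runs at {proc.integrity_level} integrity")
    if (proc.host, proc.logon_id) in priv_index:
        score += 1
        reasons.append("logon session was granted sensitive privileges (4672)")
    if proc.parent_image.rsplit("\\", 1)[-1].lower() in INTERACTIVE_PARENTS:
        score += 1
        reasons.append(f"interactive parent {proc.parent_image}")
    return score, reasons


def correlate(process_events: Iterable[ProcessEvent], privilege_events: Iterable[PrivilegeEvent]) -> List[dict]:
    """Alerts (highest score first) for processes at or above ALERT_THRESHOLD."""
    idx = index_privileges(privilege_events)
    alerts = []
    for p in process_events:
        score, reasons = score_process(p, idx)
        if score >= ALERT_THRESHOLD:
            alerts.append({"host": p.host, "user": p.user, "image": p.image,
                           "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["score"])


# Constructed sample telemetry (not real logs).
SAMPLE_PRIVILEGE_EVENTS = [
    PrivilegeEvent("WS01", "0x3e7", frozenset({"SeTcbPrivilege", "SeDebugPrivilege"})),
    PrivilegeEvent("WS01", "0x9a1c2", frozenset({"SeDebugPrivilege", "SeBackupPrivilege"})),
]
SAMPLE_PROCESS_EVENTS = [
    # Approved backup agent, service-launched as SYSTEM: scored, but below threshold.
    ProcessEvent("WS01", "0x3e7", r"C:\Program Files\ExampleBackup\agent.exe",
                 r'"C:\Program Files\ExampleBackup\agent.exe" --image \\.\PhysicalDrive0',
                 r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM", "System"),
    # Unknown binary from a temp directory, launched interactively, elevated.
    ProcessEvent("WS01", "0x9a1c2", r"C:\Users\jdoe\AppData\Local\Temp\tool.exe",
                 r"tool.exe \\.\PhysicalDrive0",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"CORP\jdoe", "High"),
    # Ordinary process with no physical-drive reference: out of scope.
    ProcessEvent("WS01", "0x9a1c2", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt",
                 r"C:\Windows\explorer.exe", r"CORP\jdoe", "Medium"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_PROCESS_EVENTS, SAMPLE_PRIVILEGE_EVENTS):
        print(alert["host"], alert["user"], alert["image"], alert["score"], "; ".join(alert["reasons"]))
```

Approved tools that run elevated still receive a non-zero score, so they can be routed to a lower-priority review queue rather than silently dropped, which is the justification the Detection direction list asks for before broadening an allowlist. Note also that Sysmon's RawAccessRead event (Event ID 9) records reads through \\.\ device paths but not writes, so write evidence has to come from the process, command-line and privilege context joined here, as the analytic text describes.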

Mitigation priorities

  • Restrict administrative privileges required for raw disk access and review who can perform low-level disk operations.
  • Limit use of disk management, imaging, backup, encryption, and forensic utilities to approved hosts and accounts.
  • Ensure Windows endpoint logging, Sysmon configuration, and Security log retention are sufficient for post-incident reconstruction.
  • Test recovery procedures for systems whose boot records or partition tables could be modified, including backup integrity and restore timing.
  • Document monitoring and response procedures as evidence for resilience, incident-response, and compliance readiness programs.

Analyst notes and limits

The supplied object is a detection analytic, not a technique, and includes no tactics, aliases, labels, relationships, or official detection rule. The strongest defensible interpretation is a Windows-focused detection concept for raw disk access aimed at sensitive disk structures, using Sysmon and Security log correlation.

This take is limited to the official STIX fields and external reference supplied. It does not establish active exploitation, actor attribution, prevalence, impact, or guaranteed detection coverage. Local baselining is required because legitimate administrative and security tools may access physical disks.

Official MITRE ATT&CK definition

Analytic 0827

Processes attempting raw disk access to overwrite sensitive structures such as the MBR or partition table using \\.\PhysicalDrive notation. Detection relies on correlating process creation, privilege escalation, and raw sector writes in Sysmon and Security logs.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d389d40c75149478...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   d389d40c7514…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0827 (external source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.