AN0828: Analytic 0828
Execution of utilities (dd, hdparm, sgdisk) or custom binaries attempting to overwrite disk boot structures (/dev/sda MBR sector or partition tables). Detection correlates shell execution with syscalls writing to sector 0 or disk metadata blocks.
Analyst context for executives and security teams
This analytic matters because writes to Linux boot structures or partition metadata can leave a server or workstation unbootable, turning what starts as a malware alert into an availability incident. For leaders, the key question is whether the organization can see and control privileged activity that touches raw disks, especially where Linux systems support critical services.
Executive priority
Prioritize this as an operational resilience and incident readiness check for Linux environments. Security and infrastructure leaders should confirm that disk-level changes are governed by change control, that SOC teams can distinguish approved maintenance from suspicious overwrite attempts, and that recovery evidence exists if boot structures or partition tables are damaged.
Technical view
The supplied analytic describes correlating shell execution with syscalls that write to sector 0 or disk metadata blocks, including use of utilities such as dd, hdparm, sgdisk, or custom binaries. SOC and detection engineering teams should validate Linux telemetry for process execution, command-line context, user privilege context, and low-level writes to block devices such as /dev/sda. Incident responders should treat confirmed unauthorized writes to boot sectors or partition metadata as potentially time-sensitive because system bootability and disk layout integrity may be affected.
Likely telemetry
- Linux process execution and command-line telemetry for shell-launched utilities
- Syscall or audit telemetry showing writes to raw block devices and disk metadata locations
- User, sudo, and privilege escalation context associated with disk-write activity
- File/device access events for paths such as /dev/sda and related block devices
- Change-management or maintenance records for legitimate partitioning, imaging, or disk repair activity
Detection direction
- Validate that collection includes both shell/process execution and low-level write activity; either source alone may be too noisy or incomplete.
- Tune for administrative false positives such as approved imaging, partitioning, disk replacement, or recovery operations using dd, hdparm, or sgdisk.
- Pay attention to custom binaries, not only named utilities, because the analytic explicitly includes custom binaries attempting similar writes.
- Correlate alerts with user identity, host role, maintenance windows, and whether the target device is a system disk or critical data disk.
- Identify blind spots where Linux syscall, audit, or EDR telemetry is absent, filtered, or not retained long enough for incident reconstruction.
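As an added illustration of the correlation described above (example code, not Glexia's or MITRE's), the following Python groups constructed auditd-style records by audit event, decodes the open(2)/openat(2) flags so that only write-mode opens of whole block devices are kept, and separates named utilities such as dd from custom binaries. The rule key, sample field values, syscall numbers for x86_64 and the whole-disk device pattern are assumptions, not values from the page.

```python
import re
from collections import defaultdict

# Constructed auditd-style records (not captured from a real host). The key is assumed to come
# from a watch rule such as `-w /dev/sda -p w -k raw_disk_write`; a1 is the open flags in hex.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 a1=241 ppid=4100 pid=4101 auid=1000 uid=0 comm="dd" exe="/usr/bin/dd" key="raw_disk_write"
type=PATH msg=audit(1700000000.101:501): item=0 name="/dev/sda" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.102:502): arch=c000003e syscall=257 success=yes exit=3 a1=80000 ppid=4100 pid=4102 auid=1000 uid=0 comm="lsblk" exe="/usr/bin/lsblk" key="raw_disk_write"
type=PATH msg=audit(1700000000.102:502): item=0 name="/dev/sda" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.103:503): arch=c000003e syscall=257 success=yes exit=3 a1=2 ppid=4100 pid=4103 auid=1000 uid=0 comm="wipe" exe="/tmp/wipe" key="raw_disk_write"
type=PATH msg=audit(1700000000.103:503): item=0 name="/dev/nvme0n1" nametype=NORMAL
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')
WHOLE_DISK_RE = re.compile(r'^/dev/(sd[a-z]+|vd[a-z]+|nvme\d+n\d+)$')  # whole disks, not partitions
OPEN_SYSCALLS = {"2", "257"}  # x86_64 numbers: open(2) = 2, openat(2) = 257
KNOWN_UTILITIES = {"dd", "hdparm", "sgdisk", "sfdisk", "fdisk", "parted"}
SYSTEM_BIN_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")

def find_raw_disk_writes(audit_text):
    """Correlate SYSCALL and PATH records per audit event; return writes to whole disks."""
    events = defaultdict(dict)
    for line in audit_text.splitlines():
        m = EVENT_ID_RE.search(line)
        if m:
            rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}  # one record -> dict
            events[m.group(1)].setdefault(rec["type"], []).append(rec)
    findings = []
    for event_id, recs in events.items():
        for sc in recs.get("SYSCALL", []):
            if sc.get("syscall") not in OPEN_SYSCALLS or sc.get("success") != "yes":
                continue
            # Low two flag bits are the access mode (O_RDONLY=0, O_WRONLY=1, O_RDWR=2); read-only opens such as lsblk are skipped.
            if int(sc.get("a1", "0"), 16) & 3 == 0:
                continue
            for p in recs.get("PATH", []):
                if not WHOLE_DISK_RE.match(p.get("name", "")):
                    continue
                exe, comm = sc.get("exe", ""), sc.get("comm", "")
                # Named utility from a system bin dir -> change-record review; anything else -> escalate (custom binary).
                verdict = ("known_utility_check_change_record" if exe.startswith(SYSTEM_BIN_DIRS)
                           and comm in KNOWN_UTILITIES else "custom_binary_high_priority")
                findings.append({"event": event_id, "device": p["name"], "comm": comm, "exe": exe,
                                 "uid": sc.get("uid"), "auid": sc.get("auid"), "verdict": verdict})
    return findings
```

The auid field is kept alongside uid so that a root-level write can still be tied back to the original login identity, which is the sudo context the telemetry list above calls for.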
Mitigation priorities
- Restrict privileged access capable of writing to raw block devices and require accountable administrative workflows.
- Apply change control for disk partitioning, imaging, and repair activity on Linux systems supporting important services.
- Ensure sudo and administrative activity logging is enabled and retained for investigation.
- Maintain tested recovery procedures and backups for systems where boot structure damage could disrupt operations.
- Review detection coverage during tabletop or incident response exercises involving Linux availability or boot failure scenarios.
Analyst notes and limits
No relationships, tactics, or official detection text were supplied beyond the analytic description. The business value is therefore framed around the described Linux behavior: shell execution plus low-level writes to boot sectors or disk metadata. Local baselining is essential because legitimate storage administration can look similar without change context.
This take is based only on the supplied ATT&CK analytic fields and external reference. It does not establish adversary use, prevalence, attribution, impact, or guaranteed detection. Applicability is limited to the supplied platform, Linux, unless local evidence supports broader coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be used to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0092dc038c01… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0828 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.