AN0829: Analytic 0829
Abnormal invocation of diskutil or asr that modifies partition tables or initializes raw devices. Monitor for IOKit system calls targeting disk headers or EFI boot sectors, correlated with elevated privileges.
Analyst context for executives and security teams
This analytic is about spotting unusual macOS disk-management activity that could alter partition tables, initialize raw devices, or touch boot-related disk areas. For leaders, the value is operational resilience: if endpoint or SOC visibility cannot distinguish legitimate administration from abnormal low-level disk changes, destructive or persistence-related activity may be missed until systems fail or require recovery.
Executive priority
Prioritize this as a macOS endpoint resilience and incident-readiness validation item. Security leaders should ask whether privileged disk modification activity is logged, retained, and reviewed; whether authorized maintenance workflows are documented; and whether incident responders can quickly determine if disk or boot-sector changes were legitimate. This also supports audit evidence for privileged activity monitoring and change-control controls on managed macOS fleets.
Technical view
For SOC and detection teams, validate monitoring for abnormal invocation of macOS disk utilities identified by the analytic: diskutil and asr, especially when used to modify partition tables or initialize raw devices. Where feasible, correlate these executions with elevated privileges and lower-level indicators such as IOKit system calls targeting disk headers or EFI boot sectors. Because ATT&CK provides no separate detection text and no relationship context for this analytic, local baselining is essential to distinguish approved imaging, repair, deployment, or administrative activity from suspicious use.
Likely telemetry
- macOS process execution telemetry for diskutil and asr
- Command-line arguments showing partition table modification or raw device initialization
- Privilege elevation or effective user context associated with the process
- Endpoint security or system telemetry that can expose IOKit interactions
- Signals involving disk headers, raw devices, or EFI boot sectors
Detection direction
- Baseline normal macOS administrative use of diskutil and asr across IT, deployment, and repair workflows before alerting broadly.
- Prioritize alerts where diskutil or asr activity occurs with elevated privileges and references raw devices, partition tables, disk headers, or EFI-related targets.
- Correlate process execution with device-management tickets or maintenance windows to reduce false positives from legitimate imaging or recovery operations.
- Validate whether endpoint telemetry can observe low-level IOKit activity; if not, document this as a coverage limitation rather than assuming detection exists.
- Tune for unusual hosts, users, timing, or command patterns because the ATT&CK object does not provide tactic mapping or relationship-driven threat context.
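The triage logic below is an added example, not part of the ATT&CK object or of any Glexia tooling. It applies the detection direction above to the first three telemetry sources listed (process execution, command line, privilege context) and shows how baseline context, rather than the diskutil or asr invocation by itself, decides whether an event is escalated. The event field names, the verb list, the scoring weights, the deployment-host allowlist and the maintenance window are all assumptions constructed for the example; it does not observe IOKit activity, which would need a separate endpoint sensor and should be recorded as a coverage gap if absent.

```python
"""Baseline-aware triage of macOS diskutil/asr process-execution events.

Added example. Event records are constructed dicts with the fields
ts, host, user, euid, process, args; Baseline stands in for the
change-ticket or maintenance-window data a SOC would correlate against.
"""
from dataclasses import dataclass
from datetime import datetime, time
import re
import shlex

DISK_TOOLS = {"diskutil", "asr"}
# diskutil verbs that rewrite the partition map or initialise a device
DESTRUCTIVE_VERBS = {
    "partitionDisk", "eraseDisk", "eraseVolume", "zeroDisk", "randomDisk",
    "secureErase", "resizeVolume", "mergePartitions", "splitPartition",
}
RAW_DEVICE = re.compile(r"^/dev/r?disk\d+(s\d+)*$")   # /dev/disk2, /dev/rdisk0s1
EFI_HINT = re.compile(r"\bEFI\b", re.IGNORECASE)


@dataclass(frozen=True)
class Baseline:
    """Hosts expected to image disks and the window in which that is expected."""
    deploy_hosts: frozenset
    window_start: time
    window_end: time

    def in_window(self, ts: datetime) -> bool:
        return self.window_start <= ts.time() <= self.window_end


def triage(event: dict, baseline: Baseline) -> dict:
    """Score one event. Returns {'score': int, 'reasons': [...]}; score 0 means
    no partition, raw-device or EFI indicator was present."""
    proc = event["process"].rsplit("/", 1)[-1]
    if proc not in DISK_TOOLS:
        return {"score": 0, "reasons": []}
    argv = shlex.split(event["args"])
    reasons, score = [], 0

    # Primary indicators: the command itself modifies partitions or a device
    if proc == "diskutil" and any(a in DESTRUCTIVE_VERBS for a in argv[1:]):
        reasons.append("diskutil partition/erase verb"); score += 3
    if proc == "asr" and "restore" in argv and "--erase" in argv:
        reasons.append("asr restore with --erase"); score += 3
    if any(RAW_DEVICE.match(a) for a in argv):
        reasons.append("raw device target"); score += 2
    if any(EFI_HINT.search(a) for a in argv):
        reasons.append("EFI reference"); score += 2
    if not reasons:                      # e.g. `diskutil list`: nothing to escalate
        return {"score": 0, "reasons": []}

    # Context: privilege and deviation from the local baseline (assumed weights)
    if event["euid"] == 0:
        reasons.append("elevated privileges"); score += 1
    if event["host"] not in baseline.deploy_hosts:
        reasons.append("host outside imaging baseline"); score += 3
    if not baseline.in_window(datetime.fromisoformat(event["ts"])):
        reasons.append("outside maintenance window"); score += 2
    return {"score": score, "reasons": reasons}


def alerts(events, baseline: Baseline, threshold: int = 7):
    """Events worth an analyst's time. The primary indicators alone (max 3+2+1)
    stay below the threshold; baseline deviation is what pushes them over."""
    out = []
    for e in events:
        result = triage(e, baseline)
        if result["score"] >= threshold:
            out.append((e["host"], result))
    return out


# Constructed sample telemetry (not real hosts or users)
BASELINE = Baseline(frozenset({"deploy-01"}), time(9, 0), time(17, 0))
EVENTS = [
    {"ts": "2026-03-02T03:12:00", "host": "laptop-17", "user": "jdoe", "euid": 0,
     "process": "/usr/sbin/diskutil",
     "args": "diskutil eraseDisk JHFS+ Untitled /dev/rdisk0"},
    {"ts": "2026-03-02T10:05:00", "host": "deploy-01", "user": "imaging", "euid": 0,
     "process": "/usr/sbin/asr",
     "args": "asr restore --source /Volumes/Images/base.dmg --target /dev/disk2 --erase --noprompt"},
    {"ts": "2026-03-02T11:00:00", "host": "laptop-17", "user": "jdoe", "euid": 501,
     "process": "/usr/sbin/diskutil", "args": "diskutil list"},
]

if __name__ == "__main__":
    for host, result in alerts(EVENTS, BASELINE):
        print(host, result["score"], ", ".join(result["reasons"]))
```

On the constructed input, the imaging host's scheduled `asr restore` scores 6 and is suppressed, the read-only `diskutil list` scores 0, and the off-hours erase of `/dev/rdisk0` on an unmanaged laptop scores 11 and is the only alert. The weights are deliberately simple; in practice the allowlist and window would come from device-management tickets, as the bullet on correlation suggests.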
Mitigation priorities
- Restrict privileged disk administration to authorized administrators and managed workflows.
- Document approved macOS disk imaging, repair, and partition-management procedures so SOC teams can separate expected activity from anomalies.
- Ensure endpoint logging captures process execution, command line, user context, and privilege context for relevant macOS utilities.
- Review retention and escalation paths so potential boot-sector or raw-device modification can be investigated quickly.
- Test incident response procedures for confirming whether low-level disk changes were authorized and for recovering affected macOS systems if needed.
Analyst notes and limits
This is a detection analytic object, not a technique description. The strongest defensive use is as a coverage-validation prompt for macOS endpoint telemetry and privileged disk-change monitoring. The supplied ATT&CK fields identify macOS, diskutil, asr, partition tables, raw devices, IOKit, disk headers, EFI boot sectors, and elevated privileges; no adversary group, campaign, tactic, impact claim, or active exploitation context is supplied.
Official detection text and relationship context were not provided. Tactics are not specified. Conclusions about risk, alert severity, and false positives require local macOS fleet context, administrative workflows, endpoint telemetry capabilities, and change-management data.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | bf16436fdb7c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0829 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.