MITRE ATT&CK® Analytic

AN0882: Analytic 0882

Processes attempting raw disk access via \\.\PhysicalDrive paths, abnormal file I/O to MBR/boot sectors, or loading of third-party drivers (e.g., RawDisk) that enable disk overwrite. Correlate process creation, privilege usage, and disk modification events within a short time window.

Enterprise | AN0882 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because raw disk and boot-sector modification on Windows is a high-consequence behavior: if a process can directly write to physical drives or load a driver that enables disk overwrite, normal file-level controls may not be the decisive evidence. Leaders should treat this as a validation point for destructive or boot-impacting activity readiness, not as a standalone claim of an incident.

Executive priority

Prioritize this for resilience and incident decision-making where Windows systems support critical operations. The business question is whether the SOC can quickly prove which process, privilege use, driver activity, and disk modification occurred in the same short window. That evidence can determine containment urgency, recovery scope, and whether current endpoint logging supports audit and incident response needs.

Technical view

For Windows detection engineering, validate correlation across process creation, privilege usage, raw access to \\.\PhysicalDrive paths, abnormal I/O to MBR or boot sectors, and loading of third-party drivers such as RawDisk that can enable disk overwrite. Since no official detection logic is supplied, teams should build and test local analytics around short-window correlation rather than relying on any single event type.

Likely telemetry

  • Windows process creation telemetry with command line and parent/child context
  • File or device I/O evidence involving \\.\PhysicalDrive paths
  • Disk modification telemetry for MBR or boot-sector activity where available
  • Driver load events, especially third-party drivers associated with raw disk access
  • Privilege usage events tied to the same process or logon session

Detection direction

  • Confirm that Windows telemetry can observe raw physical drive access, not only normal file paths.
  • Correlate process creation, privilege use, driver loading, and disk modification within a short time window as described by the analytic.
  • Tune for legitimate administrative, backup, forensic, disk management, and virtualization tools that may perform low-level disk operations.
  • Investigate processes that combine unusual lineage, elevated privileges, raw disk paths, and boot-sector or MBR writes.
  • Document blind spots where endpoint tooling does not expose device I/O or driver load detail.
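The short-window correlation described in the Technical view and Detection direction sections, worked as an added example (this is illustrative code written for this page, not MITRE or Glexia logic): events are grouped per process, each raw `\\.\PhysicalDrive` access is checked for corroborating process-creation, privilege-use and driver-load signals inside a configurable window, and an approved-tool allowlist suppresses expected low-level disk activity. The event shape, window length, allowlist entry and sample events are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=120)      # "short time window"; tune locally
RAW_DISK = re.compile(r"^\\\\\.\\PhysicalDrive\d+$", re.IGNORECASE)
# Hypothetical allowlist of tools approved for raw disk / boot-sector work.
APPROVED = {r"c:\program files\backupvendor\agent.exe"}

# Constructed sample telemetry in a loosely Sysmon-like shape (not real logs).
EVENTS = [
    {"ts": "2024-01-01T10:00:00", "type": "ProcessCreate", "pid": 4242,
     "image": r"C:\Users\bob\AppData\Local\Temp\upd.exe"},
    {"ts": "2024-01-01T10:00:03", "type": "PrivilegeUse", "pid": 4242,
     "privilege": "SeLoadDriverPrivilege"},
    {"ts": "2024-01-01T10:00:05", "type": "DriverLoad", "pid": 4242,
     "driver": r"C:\Windows\Temp\rawdisk.sys"},
    {"ts": "2024-01-01T10:00:09", "type": "RawAccess", "pid": 4242,
     "target": r"\\.\PhysicalDrive0"},
    {"ts": "2024-01-01T11:30:00", "type": "ProcessCreate", "pid": 5100,
     "image": r"C:\Program Files\BackupVendor\agent.exe"},   # approved backup agent
    {"ts": "2024-01-01T11:30:01", "type": "RawAccess", "pid": 5100,
     "target": r"\\.\PhysicalDrive0"},
    {"ts": "2024-01-01T12:00:00", "type": "DriverLoad", "pid": 6000,
     "driver": r"C:\Windows\Temp\x.sys"},                    # 20 min before raw access
    {"ts": "2024-01-01T12:20:00", "type": "RawAccess", "pid": 6000,
     "target": r"\\.\PhysicalDrive1"},
]

def correlate(events, window=WINDOW, min_signals=3):
    """Alert per PID when a raw physical-drive access is preceded, within
    `window`, by enough distinct corroborating signal types."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(dict(e, t=datetime.fromisoformat(e["ts"])))
    alerts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["t"])
        image = next((e["image"] for e in evs if e["type"] == "ProcessCreate"), None)
        if image and image.lower() in APPROVED:
            continue                      # expected tooling: tune out, do not alert
        for e in evs:
            if e["type"] != "RawAccess" or not RAW_DISK.match(e["target"]):
                continue
            recent = [x for x in evs if e["t"] - window <= x["t"] <= e["t"]]
            signals = sorted({x["type"] for x in recent})
            if len(signals) >= min_signals:
                alerts.append({"pid": pid, "image": image, "at": e["ts"], "signals": signals})
    return alerts
```

With the defaults only PID 4242 fires: PID 5100 is allowlisted and PID 6000's driver load falls outside the 120-second window, which is exactly the blind spot an overly tight window creates.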

Mitigation priorities

  • Restrict administrative privileges and driver-loading capability to approved roles and systems.
  • Maintain an approved inventory of tools and drivers expected to perform raw disk or boot-sector operations.
  • Harden endpoint controls to limit unauthorized driver loading and low-level disk access where feasible.
  • Ensure backup and recovery plans cover Windows systems where boot-sector or disk overwrite activity would affect continuity.
  • Use tabletop or detection validation exercises to confirm SOC and IR teams can triage correlated raw disk access events quickly.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Windows with no tactic specified and no relationship context. The official description provides the core analytic concept: correlate raw physical drive access, abnormal MBR or boot-sector I/O, third-party driver loading, process creation, and privilege usage in a short time window.

No official detection query, data component list, mapped technique, threat actor relationship, or mitigation relationship was supplied. Local telemetry availability and approved administrative tooling will determine practical fidelity and false-positive handling.

Official MITRE ATT&CK definition

Analytic 0882

Processes attempting raw disk access via \\.\PhysicalDrive paths, abnormal file I/O to MBR/boot sectors, or loading of third-party drivers (e.g., RawDisk) that enable disk overwrite. Correlate process creation, privilege usage, and disk modification events within a short time window.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 80233c2810c6744e...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 80233c2810c6…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0882 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.