MITRE ATT&CK® Analytic

AN0883: Analytic 0883

Execution of destructive utilities (dd, shred, wipe) targeting block devices, or processes invoking syscalls to directly overwrite /dev/sd* or /dev/nvme* partitions. Correlate abnormal file write attempts with shell process execution and block device access.

Enterprise | AN0883 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic is about spotting Linux activity that can directly damage or erase storage, such as destructive utilities or processes writing to block devices like disk partitions. For leaders, the practical issue is operational resilience: if this behavior is missed, affected systems may move quickly from compromise to data loss or service disruption. The value is in confirming whether SOC and incident response teams can see high-risk write activity against Linux block devices before it becomes a business-continuity event.

Executive priority

Prioritize this as a resilience and incident-readiness validation for Linux environments that support critical services. Executives should ask whether logging, alerting, escalation, and recovery procedures cover destructive disk activity, not just malware names or known indicators. This also supports audit and risk discussions around privileged activity monitoring, destructive-action detection, and evidence that critical Linux hosts are observable during a crisis.

Technical view

For SOC, detection engineering, and IR teams, validate telemetry for Linux process execution, shell activity, abnormal file write attempts, and access to block device paths such as /dev/sd* and /dev/nvme*. The supplied ATT&CK description specifically calls for correlating destructive utility execution with block device access. Because no official detection logic, tactics, or relationships are supplied, teams should treat this as a detection-design requirement rather than a complete rule: confirm what events are collected, how block device writes are represented, and whether privileged shell-driven activity is distinguishable from legitimate administration or maintenance.

Likely telemetry

  • Linux process execution events, including parent/child process context for shell-launched activity
  • Command-line or process metadata for utilities named in the ATT&CK description, where collected
  • File or device access telemetry showing writes to block device paths such as /dev/sd* and /dev/nvme*
  • Syscall or endpoint telemetry capable of showing direct overwrite activity against disk partitions
  • Privilege and user context associated with processes accessing block devices

Detection direction

  • Validate correlation between shell process execution, destructive utility invocation, abnormal write attempts, and block device access rather than relying on a single event type.
  • Tune for administrative false positives such as legitimate disk imaging, secure wipe, decommissioning, backup, or storage maintenance activity, using approved change windows and operator context where available.
  • Check blind spots on Linux hosts that lack command-line capture, endpoint telemetry, syscall visibility, or file/device access logging for /dev paths.
  • Prioritize alert routing for critical Linux servers because the same behavior can have different business impact depending on system role and recoverability.
  • Because no relationship context is supplied, do not assume linkage to a specific tactic, technique, campaign, or actor; use local incident context to determine severity.
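The correlation the analytic asks for (destructive utility or direct block-device write, shell parent, privilege, and change-window context), as a small Python detector run over constructed events. This is an added example, not Glexia's or MITRE's detection logic; the flat event layout, the `CHANGE_WINDOWS` table, and the sample hosts are assumptions.

```python
import re
from datetime import datetime

DESTRUCTIVE = {"dd", "shred", "wipe"}            # utilities named in the analytic
SHELLS = {"bash", "sh", "zsh", "dash"}           # parents that make an event "shell-driven"
# Whole-disk or partition paths: /dev/sdX[N] (SCSI/SATA) and /dev/nvmeXnY[pZ] (NVMe).
BLOCK_DEV = re.compile(r"/dev/(?:sd[a-z]+|nvme\d+n\d+)(?:p?\d+)?\b")
# Constructed stand-in for change-management data: host -> approved maintenance window.
CHANGE_WINDOWS = {"db01": (datetime(2025, 1, 4, 1, 0), datetime(2025, 1, 4, 3, 0))}

def classify(ev):
    """Return a finding for one assumed flat host event (ts, host, uid, comm, parent_comm,
    cmdline, write_path), or None when the event does not write to a block device."""
    targets = set(BLOCK_DEV.findall(ev.get("cmdline", "")))
    path = ev.get("write_path")
    if path and BLOCK_DEV.fullmatch(path):
        targets.add(path)
    signals = []
    if ev["comm"] in DESTRUCTIVE and targets:
        signals.append("destructive-utility")
    if path in targets:
        signals.append("direct-block-write")     # any process, not only dd/shred/wipe
    if not signals:                              # e.g. read-only tools that name /dev/sda
        return None
    if ev.get("parent_comm") in SHELLS:
        signals.append("shell-launched")
    if ev.get("uid") == 0:
        signals.append("root")
    window = CHANGE_WINDOWS.get(ev["host"])
    if window and window[0] <= ev["ts"] <= window[1]:
        severity = "info"                        # authorized maintenance; keep for the audit trail
    elif "shell-launched" in signals:
        severity = "high"                        # shell-driven destructive access, per the analytic
    else:
        severity = "medium"
    return {"host": ev["host"], "targets": sorted(targets), "signals": signals, "severity": severity}

EVENTS = [  # constructed sample telemetry, not real logs
    {"ts": datetime(2025, 1, 4, 14, 2), "host": "web07", "uid": 0, "comm": "dd", "parent_comm": "bash",
     "cmdline": "dd if=/dev/zero of=/dev/sda", "write_path": "/dev/sda"},
    {"ts": datetime(2025, 1, 4, 14, 3), "host": "web07", "uid": 0, "comm": "python3", "parent_comm": "sshd",
     "cmdline": "python3 /tmp/w.py", "write_path": "/dev/nvme0n1p2"},
    {"ts": datetime(2025, 1, 4, 2, 10), "host": "db01", "uid": 0, "comm": "shred", "parent_comm": "bash",
     "cmdline": "shred -n 1 /dev/sdb", "write_path": "/dev/sdb"},
    {"ts": datetime(2025, 1, 4, 14, 5), "host": "web07", "uid": 1000, "comm": "smartctl", "parent_comm": "bash",
     "cmdline": "smartctl -a /dev/sda", "write_path": None},
]

def run(events):
    return [f for f in map(classify, events) if f]
```

The second sample event shows why the direct-write signal matters: a process that is not dd, shred or wipe still produces a finding when its write target is a partition, while the read-only smartctl invocation produces none.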

Mitigation priorities

  • Inventory Linux systems where block device overwrite activity would materially affect operations and ensure they are covered by endpoint or host logging.
  • Restrict and monitor privileged access capable of writing to disk partitions, with reviewable administrative workflows for legitimate destructive maintenance tasks.
  • Establish response playbooks for suspected destructive disk activity, including rapid containment, preservation of available telemetry, and recovery decision points.
  • Validate backup and restoration readiness for critical Linux assets, since detection alone may not prevent destructive outcomes.
  • Use change management and compliance evidence to distinguish authorized disk wiping or maintenance from unplanned destructive behavior.

Analyst notes and limits

The object is a detection analytic for Linux and describes destructive utilities or direct overwrite behavior against block devices. No official detection text, tactics, labels, aliases, mitigations, or relationships were supplied, so this take focuses on defensive validation and operational decision value rather than specific ATT&CK mapping beyond the provided analytic context.

This assessment is constrained to the supplied ATT&CK fields and external reference. It does not establish active exploitation, actor attribution, prevalence, guaranteed detectability, or applicability beyond Linux. Local telemetry, administrative practices, asset criticality, and recovery requirements are required to set alert severity and tune false positives.

Official MITRE ATT&CK definition

Analytic 0883

Execution of destructive utilities (dd, shred, wipe) targeting block devices, or processes invoking syscalls to directly overwrite /dev/sd* or /dev/nvme* partitions. Correlate abnormal file write attempts with shell process execution and block device access.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 79ee1ebc5f05e53c...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 79ee1ebc5f05…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0883

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.