MITRE ATT&CK® Analytic

AN0884: Analytic 0884

Abnormal invocation of diskutil or asr with destructive flags (eraseDisk, zeroDisk), or low-level IOKit calls that overwrite raw disk content. Detect correlation between elevated process execution and disk erase operations.

Domain: Enterprise | Object ID: AN0884 | Type: Analytic | Object version 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting potentially destructive disk activity on macOS: unusual use of disk utilities such as diskutil or asr with erase-style flags, or low-level activity that overwrites raw disk content. For leaders, the practical value is resilience: if this behavior is missed, an incident can move quickly from compromise to endpoint data loss and operational disruption.

Executive priority

Prioritize this as a macOS destructive-action detection and response readiness question. Executives and risk owners should ask whether business-critical Mac fleets have telemetry, alerting, privilege controls, and recovery procedures sufficient to identify and contain disk erase activity before it becomes a continuity event. This is also useful evidence for incident response preparedness and control validation, but the supplied ATT&CK object does not provide attribution, active exploitation claims, or a specific campaign context.

Technical view

Validate whether the SOC can correlate elevated process execution with disk erase operations on macOS. Detection engineering should focus on abnormal invocation of diskutil or asr with destructive flags such as eraseDisk or zeroDisk, and on evidence of low-level IOKit activity associated with overwriting raw disk content. Because ATT&CK provides no separate official detection text and no relationship context for this analytic, local baselining is important: some administrative imaging, reimaging, decommissioning, or support workflows may legitimately use disk utilities.

Likely telemetry

  • macOS process creation telemetry including command line arguments
  • Privilege elevation or elevated execution context telemetry
  • Endpoint security or EDR events for disk utility execution
  • File, device, or raw disk access events where available
  • macOS system logs relevant to disk management operations

Detection direction

  • Create or validate alerts for diskutil or asr executions with destructive arguments such as eraseDisk or zeroDisk on macOS.
  • Correlate destructive disk operations with elevated execution, unusual parent processes, unexpected users, or execution outside approved maintenance windows.
  • Baseline legitimate IT workflows such as imaging, decommissioning, repair, and re-enrollment to reduce false positives.
  • Confirm whether endpoint telemetry captures full command lines; without arguments, this analytic may lose much of its decision value.
  • Investigate whether available macOS telemetry can expose low-level IOKit or raw disk overwrite behavior; this may be a blind spot in some logging stacks.
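The detection direction above, turned into runnable logic as an added example (this is not code from MITRE or Glexia, and ATT&CK supplies no official query for AN0884). It classifies EDR-style process events for destructive diskutil or asr invocations, correlates them with root execution, parent process and a maintenance window, and reports a telemetry gap when a disk utility was recorded without its arguments. The event fields (ts, user, euid, parent, cmdline), the approved parent path, the maintenance window and the destructive-verb list beyond eraseDisk and zeroDisk are assumptions to be mapped to your own telemetry and policy; the sample events are constructed, not captured data.

```python
"""Detection logic for ATT&CK analytic AN0884 (destructive diskutil/asr use on macOS).

Added example, not code from MITRE or Glexia. The input format is an assumed EDR-style
process-execution event; the field names (ts, user, euid, parent, cmdline) are assumptions
and must be mapped to whatever your endpoint sensor actually emits.
"""
import shlex
from datetime import datetime, timezone

# Verbs named by the analytic (eraseDisk, zeroDisk) plus other erase-style diskutil verbs
# that destroy data; everything beyond the first two is a local tuning choice, not ATT&CK text.
DISKUTIL_DESTRUCTIVE = {"erasedisk", "zerodisk", "randomdisk", "secureerase", "erasevolume"}

# Local policy assumptions: an approved reimaging parent process and a UTC maintenance window.
APPROVED_PARENTS = {"/usr/local/jamf/bin/jamf"}   # assumed MDM agent path
MAINTENANCE_WINDOW_UTC = (1, 5)                   # 01:00 <= hour < 05:00


def destructive_verb(argv):
    """Return a short label for a destructive diskutil/asr invocation, or None."""
    if not argv:
        return None
    exe = argv[0].rsplit("/", 1)[-1]
    if exe == "diskutil":
        # diskutil accepts its verbs case-insensitively, so match in lower case.
        for tok in argv[1:]:
            if tok.lower() in DISKUTIL_DESTRUCTIVE:
                return tok
    elif exe == "asr":
        # 'asr restore ... --erase' wipes the target before restoring an image onto it.
        rest = argv[1:]
        if "restore" in rest and "--erase" in rest:
            return "restore --erase"
    return None


def evaluate(event):
    """Classify one process event. Returns (verdict, reasons)."""
    argv = shlex.split(event["cmdline"])
    exe = argv[0].rsplit("/", 1)[-1] if argv else ""
    if exe in ("diskutil", "asr") and len(argv) == 1:
        # Executable recorded without arguments: the sensor did not capture the command
        # line, so destructiveness cannot be judged. Surface it rather than silently drop it.
        return "telemetry_gap", ["disk utility executed but no arguments recorded"]
    verb = destructive_verb(argv)
    if verb is None:
        return "none", []
    reasons = [f"destructive verb: {verb}"]
    if event.get("euid") == 0:
        reasons.append("executed as root")
    hour = datetime.fromisoformat(event["ts"]).astimezone(timezone.utc).hour
    in_window = MAINTENANCE_WINDOW_UTC[0] <= hour < MAINTENANCE_WINDOW_UTC[1]
    parent_ok = event.get("parent") in APPROVED_PARENTS
    if parent_ok and in_window:
        # Matches the baselined imaging workflow: keep for audit, do not page anyone.
        return "expected", reasons + ["approved parent inside maintenance window"]
    if not parent_ok:
        reasons.append(f"unexpected parent: {event.get('parent')}")
    if not in_window:
        reasons.append("outside maintenance window")
    return "alert", reasons


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T14:22:10+00:00", "user": "root", "euid": 0, "parent": "/bin/zsh",
     "cmdline": "/usr/sbin/diskutil eraseDisk APFS Untitled /dev/disk0"},
    {"ts": "2025-03-04T02:10:00+00:00", "user": "root", "euid": 0,
     "parent": "/usr/local/jamf/bin/jamf",
     "cmdline": "/usr/sbin/diskutil eraseDisk JHFS+ 'Macintosh HD' /dev/disk2"},
    {"ts": "2025-03-04T09:01:00+00:00", "user": "alice", "euid": 501, "parent": "/bin/zsh",
     "cmdline": "/usr/sbin/diskutil list"},
    {"ts": "2025-03-04T13:00:00+00:00", "user": "root", "euid": 0, "parent": "/usr/bin/python3",
     "cmdline": "/usr/sbin/asr restore --source /tmp/img.dmg --target /dev/disk2 --erase --noprompt"},
    {"ts": "2025-03-04T13:05:00+00:00", "user": "root", "euid": 0, "parent": "/bin/zsh",
     "cmdline": "/usr/sbin/diskutil"},
]


def triage(events):
    """Run evaluate() over a batch and return one (verdict, cmdline) pair per event."""
    return [(evaluate(e)[0], e["cmdline"]) for e in events]


if __name__ == "__main__":
    for verdict, reasons in (evaluate(e) for e in SAMPLE_EVENTS):
        print(f"{verdict:14s} {'; '.join(reasons)}")
```

Run stand-alone, the five constructed events produce alert, expected, none, alert and telemetry_gap in that order. The "expected" verdict is where baselining does its work: the same eraseDisk command is an alert from an interactive shell at 14:22 and routine when the MDM agent runs it inside the window. The telemetry_gap verdict is the practical check for the command-line caveat above; if it fires often in production, the sensor is not capturing arguments and the analytic is losing most of its value. IOKit-level raw disk overwrites are not covered by this logic, which only sees process events.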

Mitigation priorities

  • Restrict administrative privileges on macOS systems and validate who can perform disk erase or reimaging actions.
  • Define approved maintenance, decommissioning, and imaging processes so SOC teams can distinguish authorized destructive disk operations from suspicious activity.
  • Ensure critical macOS endpoints have tested backup and recovery procedures aligned to business continuity requirements.
  • Confirm endpoint security tooling is deployed and configured to capture process command lines and elevated execution context on macOS.
  • Document alert handling and escalation paths for suspected destructive disk activity so incident responders can act quickly.

Analyst notes and limits

This Glexia take is based on ATT&CK analytic AN0884 only. The object is a detection analytic for macOS describing abnormal diskutil or asr use with destructive flags, or low-level IOKit calls that overwrite raw disk content. No tactics, relationships, aliases, labels, or separate official detection content were supplied, so the emphasis is on defensive validation rather than threat attribution or technique mapping.

The supplied object does not identify related ATT&CK techniques, threat groups, software, campaigns, data components, or mitigations. It also does not provide an official detection query. Local macOS fleet architecture, endpoint logging capability, administrative workflows, and backup posture are required to determine actual detection coverage and response priority.

Official MITRE ATT&CK definition

Analytic 0884

Abnormal invocation of diskutil or asr with destructive flags (eraseDisk, zeroDisk), or low-level IOKit calls that overwrite raw disk content. Detect correlation between elevated process execution and disk erase operations.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: not shown in this snapshot
Modified: not shown in this snapshot
Raw hash: 693cf88857d9dddb...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 693cf88857d9…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0884 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.