Technique on mitre.org

T1561: Disk Wipe

Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.

On network devices, adversaries may wipe configuration files and other data from the device using Network Device CLI commands such as erase.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

Subtechniques

Detection

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor for direct access read/write attempts using the `\\.\` notation. Monitor for unusual kernel driver installation activity.

ID	DS0016	Data source and component	Drive: Drive Modification	Description	Monitor for changes made to drive letters or mount points of data storage devices for attempts to read to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock.

ID	DS0016	Data source and component	Drive: Drive Access	Description	Monitor for newly constructed drive letters or mount points to a data storage device for attempts to write to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock.

ID	DS0027	Data source and component	Driver: Driver Load	Description	Monitor for unusual kernel driver installation activity that may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources.

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor newly executed processes that may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources.

ID	Data source and component	Description
DS0017	Command: Command Execution	Monitor for direct access read/write attempts using the `\\.\` notation. Monitor for unusual kernel driver installation activity.
DS0016	Drive: Drive Modification	Monitor for changes made to drive letters or mount points of data storage devices for attempts to read to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock.
DS0016	Drive: Drive Access	Monitor for newly constructed drive letters or mount points to a data storage device for attempts to write to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock.
DS0027	Driver: Driver Load	Monitor for unusual kernel driver installation activity that may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources.
DS0009	Process: Process Creation	Monitor newly executed processes that may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources.

Mitigation

ID	M1053	Name	Data Backup	Description	Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

ID	Name	Description
M1053	Data Backup	Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.