MaxPatrol SIEM

Detects cyberincidents that undermine cyber resilience of a company

T1561.001: Disk Content Wipe

Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.

Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface. Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data. Adversaries have also been observed leveraging third-party drivers like RawDisk to directly access disk content. This behavior is distinct from Data Destruction because sections of the disk are erased instead of individual files.

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_impact: PT-CR-493: Disk_Wipe: Detection of attempts to partially or fully wipe a hard drive

Detection

IDDS0027Data source and componentDriver: Driver LoadDescription

Monitor for unusual kernel driver installation activity may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.

IDDS0016Data source and componentDrive: Drive ModificationDescription

Monitor for changes made to drive letters or mount points of data storage devices for attempts to read to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock.

IDDS0016Data source and componentDrive: Drive AccessDescription

Monitor for newly constructed drive letters or mount points to a data storage device for attempts to write to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock.

IDDS0009Data source and componentProcess: Process CreationDescription

Monitor newly executed processes that may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.

IDDS0017Data source and componentCommand: Command ExecutionDescription

Monitor executed commands and arguments that may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.

Mitigation

IDM1053NameData BackupDescription

Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.