Impact

T1561: Disk Wipe

T1561 · Technique · 4 platforms

Description

Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares. (Citation: Novetta Blockbuster Destructive Malware)

On network devices, adversaries may wipe configuration files and other data from the device using Network Device CLI commands such as `erase`. (Citation: erase_cmd_cisco)

Platforms

Linux, macOS, Windows, Network Devices

Sub-Techniques (2)

Mitigations (1)

Data Backup (M1053)

Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. (Citation: Ready.gov IT DRP) Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

Frequently Asked Questions

What is T1561 (Disk Wipe)?

T1561 is a MITRE ATT&CK technique named 'Disk Wipe'. It belongs to the Impact tactic(s). Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources.

How can T1561 be detected?

Detection of T1561 (Disk Wipe) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
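As an added example (not part of the ATT&CK entry), the sketch below shows one endpoint-side check a responder can run against the first sector of a disk or forensic image to tell whether the MBR named in the description has been overwritten. The function names and the sample sector are constructed for illustration; the baseline hash is assumed to have been recorded while the disk was known good, for instance at backup time.

```python
import hashlib

SECTOR = 512
PT_OFFSET, PT_ENTRY, SIG_OFFSET = 446, 16, 510  # classic MBR layout

def classify_mbr(sector: bytes) -> str:
    """Return 'intact', 'uniform-fill', 'missing-signature' or 'empty-partition-table'."""
    if len(sector) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    sector = sector[:SECTOR]
    # One repeated byte (0x00, 0xFF, ...) is what a raw overwrite typically leaves.
    if len(set(sector)) == 1:
        return "uniform-fill"
    # Bytes 510-511 carry the 0x55 0xAA boot signature on any valid MBR.
    if sector[SIG_OFFSET:SECTOR] != b"\x55\xaa":
        return "missing-signature"
    # Four 16-byte entries; the partition type is byte 4 of each entry.
    # A GPT disk still passes: its protective MBR has one entry of type 0xEE.
    types = [sector[PT_OFFSET + PT_ENTRY * i + 4] for i in range(4)]
    if all(t == 0 for t in types):
        return "empty-partition-table"
    return "intact"

def check_against_baseline(sector: bytes, baseline_sha256: str) -> dict:
    """Combine the structural check with a hash recorded when the disk was known good."""
    digest = hashlib.sha256(sector[:SECTOR]).hexdigest()
    return {"state": classify_mbr(sector), "changed": digest != baseline_sha256}

def read_first_sector(path: str) -> bytes:
    """Read sector 0 from an image file or a raw device node (read-only)."""
    with open(path, "rb") as f:
        return f.read(SECTOR)

def sample_mbr() -> bytes:
    """Constructed sample: stub boot bytes, one type-0x07 entry, valid signature."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xeb\x3c\x90"
    s[PT_OFFSET] = 0x80                  # active flag
    s[PT_OFFSET + 4] = 0x07              # partition type
    s[PT_OFFSET + 8:PT_OFFSET + 12] = (2048).to_bytes(4, "little")     # start LBA
    s[PT_OFFSET + 12:PT_OFFSET + 16] = (204800).to_bytes(4, "little")  # sector count
    s[SIG_OFFSET:SECTOR] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    good = sample_mbr()
    baseline = hashlib.sha256(good).hexdigest()
    cases = {"good": good, "zeroed": bytes(SECTOR), "no-sig": good[:SIG_OFFSET] + b"\x00\x00"}
    for name, sec in cases.items():
        print(name, check_against_baseline(sec, baseline))
```

A result other than `intact`, or `changed` set on a host whose partitioning nobody altered, is a reason to isolate the machine and compare it against the off-system backups described under Mitigations.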

What mitigations exist for T1561?

There is 1 documented mitigation for T1561: Data Backup.

Which threat groups use T1561?

While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.