RawDisk is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer's hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.
Techniques Used
|Domain|ID|Name|Use|
|---|---|---|---|
|Enterprise|T1485|Data Destruction|RawDisk was used in Shamoon to write to protected system locations such as the MBR and disk partitions in an effort to destroy data.|
|Enterprise|T1488|Disk Content Wipe|RawDisk has been used to directly access the hard disk to help overwrite arbitrarily sized portions of disk content.|
|Enterprise|T1487|Disk Structure Wipe|RawDisk was used in Shamoon to help overwrite components of disk structure like the MBR and disk partitions.|
Groups That Use This Software
|ID|Name|
|---|---|
|G0032|Lazarus Group|
References
- Edwards, M. (2007, March 14). EldoS Provides Raw Disk Access for Vista and XP. Retrieved March 26, 2019.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
- Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.