Diskpart is a Windows command-line utility used to manage a computer's drives, including disks, partitions, volumes and virtual hard disks.[1]

Adversaries may abuse Diskpart to perform discovery and destructive actions on a system's storage. For example, adversaries have been observed using Diskpart for Discovery, enumerating disks and volumes to gather information about the host environment, and to execute commands such as `clean all`, which removes partition information and overwrites data across disks, resulting in data destruction.[2]

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Diskpart can execute a disk partition script file, which attempts to mount a virtual hard disk.[3] Diskpart can also assign and mount virtual disks.[3] |
| Enterprise | T1561.002 | Disk Wipe: Disk Structure Wipe | Diskpart can be used to delete a partition or a volume.[1] Diskpart can also be used to remove all partitions or volume formatting from the selected disk.[2] |
| Enterprise | T1083 | File and Directory Discovery | If executed with elevated privileges, Diskpart can list all volumes, including virtual disks.[3] |
| Enterprise | T1222.001 | File and Directory Permissions Modification: Windows Permissions | Diskpart can be used to display, set, or clear attributes of a disk or volume.[1] |
| Enterprise | T1082 | System Information Discovery | Diskpart can show information about the selected disk, partition, volume, or virtual hard disk (VHD).[1] |
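
When a script file passed to `diskpart /s` is recovered from a host, its commands can be triaged against the rows of the table above. The following Python is an added example, not part of the original page: it tags each command with the matching technique ID and records which disk or volume was selected when a destructive command ran. The patterns, the `kind` labels, the mapping of `list disk` and `list partition` to T1083, and the sample script are assumptions constructed for illustration.

```python
import re

# Diskpart commands mapped to the table above; patterns and "kind" labels are assumptions.
RULES = [
    (r"clean(\s+all)?$", "T1561.002", "destructive"),
    (r"delete\s+(partition|volume)\b", "T1561.002", "destructive"),
    (r"attributes\s+(disk|volume)\s+(set|clear)\b", "T1222.001", "modify"),
    (r"attributes\s+(disk|volume)$", "T1222.001", "discovery"),
    (r"(attach\s+vdisk|assign)\b", "T1059.003", "modify"),
    (r"list\s+(disk|partition|volume|vdisk)\b", "T1083", "discovery"),
    (r"detail\s+(disk|partition|volume|vdisk)\b", "T1082", "discovery"),
]
COMPILED = [(re.compile(p, re.I), t, k) for p, t, k in RULES]
SELECT = re.compile(r"select\s+(disk|partition|volume|vdisk)\s+(.+)$", re.I)
COMMENT = re.compile(r"rem(\s|$)", re.I)  # "rem" is a comment, "remove" is a command

# Constructed sample script, not taken from any incident.
SAMPLE_SCRIPT = """\
rem constructed sample
list disk
select disk 1
detail disk
attributes disk clear readonly
CLEAN   ALL
select vdisk file=C:\\example\\sample.vhd
attach vdisk
assign letter=V
"""


def classify_script(text):
    """Return one finding per recognised command, with the object in focus."""
    findings, focus = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split())  # trim and collapse runs of whitespace
        if not line or COMMENT.match(line):
            continue
        selected = SELECT.match(line)
        if selected:  # remember what later commands will act on
            focus = f"{selected.group(1).lower()} {selected.group(2)}"
            continue
        for rx, technique, kind in COMPILED:
            if rx.match(line):
                findings.append({"line": lineno, "command": line,
                                 "technique": technique, "kind": kind, "focus": focus})
                break
    return findings

if __name__ == "__main__":
    print(*classify_script(SAMPLE_SCRIPT), sep="\n")
```

A `destructive` finding whose `focus` is a physical disk is the case to escalate first; the discovery rows on their own are common in legitimate administration.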