Disk Wipe

Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.[1]

ID: T1561
Sub-techniques:  T1561.001, T1561.002
Tactic: Impact
Platforms: Linux, Windows, macOS
Permissions Required: Administrator, SYSTEM, User, root
Data Sources: Command: Command Execution, Drive: Drive Access, Drive: Drive Modification, Driver: Driver Load, Process: Process Creation
Impact Type: Availability
Version: 1.0
Created: 20 February 2020
Last Modified: 28 March 2020


ID Mitigation Description
M1053 Data Backup

Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.[2] Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.


Look for attempts to read/write to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock. Monitor for direct access read/write attempts using the \\.\ notation.[3] Monitor for unusual kernel driver installation activity.