ID | Name |
---|---|
T1561.001 | Disk Content Wipe |
T1561.002 | Disk Structure Wipe |
Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.
Adversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.[1][2][3][4][5] The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. Disk Structure Wipe may be performed in isolation, or along with Disk Content Wipe if all sectors of a disk are wiped.
On a network devices, adversaries may reformat the file system using Network Device CLI commands such as format
.[6]
To maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.[1][2][3][4]
ID | Name | Description |
---|---|---|
G0067 | APT37 |
APT37 has access to destructive malware that is capable of overwriting a machine's Master Boot Record (MBR).[7][8] |
G0082 | APT38 |
APT38 has used a custom MBR wiper named BOOTWRECK to render systems inoperable.[9] |
S1136 | BFG Agonizer |
BFG Agonizer retrieves a device handle to |
S0693 | CaddyWiper |
CaddyWiper has the ability to destroy information about a physical drive's partitions including the MBR, GPT, and partition entries.[11][12] |
S1134 | DEADWOOD |
DEADWOOD opens and writes zeroes to the first 512 bytes of each drive, deleting the MBR. DEADWOOD then sends the control code |
G1003 | Ember Bear |
Ember Bear conducted destructive operations against victims, including disk structure wiping, via the WhisperGate malware in Ukraine.[14] |
S0697 | HermeticWiper |
HermeticWiper has the ability to corrupt disk partitions, damage the Master Boot Record (MBR), and overwrite the Master File Table (MFT) of all available physical drives.[15][16][17][18] |
C0038 | HomeLand Justice |
During HomeLand Justice, threat actors used a version of ZeroCleare to wipe disk drives on targeted hosts.[19][20] |
S0607 | KillDisk |
KillDisk overwrites the first sector of the Master Boot Record with "0x00".[21] |
G0032 | Lazarus Group |
Lazarus Group malware SHARPKNOT overwrites and deletes the Master Boot Record (MBR) on the victim's machine and has possessed MBR wiper malware since at least 2009.[22][23] |
S1135 | MultiLayer Wiper |
MultiLayer Wiper opens a handle to |
S0364 | RawDisk |
RawDisk was used in Shamoon to help overwrite components of disk structure like the MBR and disk partitions.[3][5] |
G0034 | Sandworm Team |
Sandworm Team has used the BlackEnergy KillDisk component to corrupt the infected system's master boot record.[24][25] |
S0140 | Shamoon |
Shamoon has been seen overwriting features of disk structure such as the MBR.[1][2][3][5] |
S0380 | StoneDrill |
StoneDrill can wipe the master boot record of an infected computer.[26] |
S0689 | WhisperGate |
WhisperGate can overwrite the Master Book Record (MBR) on victim systems with a malicious 16-bit bootloader.[27][28][29][30][31][32] |
S1151 | ZeroCleare |
ZeroCleare can corrupt the file system and wipe the system drive on targeted hosts.[33][19][34] |
ID | Mitigation | Description |
---|---|---|
M1053 | Data Backup |
Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.[35] Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources. |
DS0016 | Drive | Drive Access |
Monitor for newly constructed drive letters or mount points to a data storage device for attempts to write to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock. |
Drive Modification |
Monitor for changes made to drive letters or mount points of data storage devices for attempts to read to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock. |
||
DS0027 | Driver | Driver Load |
Monitor for unusual kernel driver installation activity may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources. |
DS0009 | Process | Process Creation |
Monitor newly executed processes that may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources. |