Disk Wipe: Disk Structure Wipe

ID Name
T1561.001 Disk Content Wipe
T1561.002 Disk Structure Wipe

Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.

Adversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.[1][2][3][4][5] The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. Disk Structure Wipe may be performed in isolation, or along with Disk Content Wipe if all sectors of a disk are wiped.

To maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.[1][2][3][4]

ID: T1561.002
Sub-technique of:  T1561
Tactic: Impact
Platforms: Linux, Windows, macOS
Permissions Required: Administrator, SYSTEM, User, root
Impact Type: Availability
Version: 1.0
Created: 20 February 2020
Last Modified: 28 March 2020
Provided by LAYER 8

Procedure Examples

ID Name Description
G0067 APT37

APT37 has access to destructive malware that is capable of overwriting a machine's Master Boot Record (MBR).[6][7]

G0082 APT38

APT38 has used a custom MBR wiper named BOOTWRECK to render systems inoperable.[8]

S0607 KillDisk

KillDisk overwrites the first sector of the Master Boot Record with "0x00".[9]

G0032 Lazarus Group

Lazarus Group malware SHARPKNOT overwrites and deletes the Master Boot Record (MBR) on the victim's machine and has possessed MBR wiper malware since at least 2009.[10][11]

S0364 RawDisk

RawDisk was used in Shamoon to help overwrite components of disk structure like the MBR and disk partitions.[3][5]

G0034 Sandworm Team

Sandworm Team has used the BlackEnergy KillDisk component to corrupt the infected system's master boot record.[12][13]

S0140 Shamoon

Shamoon has been seen overwriting features of disk structure such as the MBR.[1][2][3][5]

S0380 StoneDrill

StoneDrill can wipe the master boot record of an infected computer.[14]

Mitigations

ID Mitigation Description
M1053 Data Backup

Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.[15] Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0016 Drive Drive Access
Drive Modification
DS0027 Driver Driver Load
DS0009 Process Process Creation

Look for attempts to read/write to sensitive locations like the master boot record and the disk partition table. Monitor for direct access read/write attempts using the \\.\ notation.[16] Monitor for unusual kernel driver installation activity.

References