1. Home
  2. ATT&CK Techniques
  3. T1561 Disk Wipe

T1561 Disk Wipe Mappings

Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.(Citation: Novetta Blockbuster Destructive Malware)

On network devices, adversaries may wipe configuration files and other data from the device using Network Device CLI commands such as erase.(Citation: erase_cmd_cisco)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1561 Disk Wipe
attribute.availability.variety.Destruction Destruction related-to T1561 Disk Wipe
attribute.availability.variety.Interruption Interruption related-to T1561 Disk Wipe
attribute.availability.variety.Loss Loss related-to T1561 Disk Wipe
aws_cloudendure_disaster_recovery AWS CloudEndure Disaster Recovery technique_scores T1561 Disk Wipe
Comments
AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that server disks are wiped, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. This mapping is given a score of Significant because it supports all of the sub-techniques (2 of 2).
References
  1. https://aws.amazon.com/cloudendure-disaster-recovery/
  2. https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.html
  3. https://aws.amazon.com/disaster-recovery/when-to-choose-aws-drs/?cloud-endure-blogs.sort-by=item.additionalFields.createdDate&cloud-endure-blogs.sort-order=desc
aws_rds AWS RDS technique_scores T1561 Disk Wipe
Comments
AWS RDS supports the replication and recovery of database instances. In the event that a database instance is deleted during a disk wipe, AWS RDS can be used to restore the database instance to a previous point in time. However, this mapping is only given a score of Minimal because AWS RDS only provides a backup of the database instance and not the underlying system that it is hosted on.
References
  1. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html
  2. https://docs.aws.amazon.com/prescriptive-guidance/latest/backup-recovery/rds.html

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1561.002 Disk Structure Wipe 6
T1561.001 Disk Content Wipe 5