1. Home
  2. ATT&CK Techniques
  3. T1561 Disk Wipe

T1561 Disk Wipe

Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.(Citation: Novetta Blockbuster Destructive Malware)

On network devices, adversaries may wipe configuration files and other data from the device using Network Device CLI commands such as erase.(Citation: erase_cmd_cisco)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.IR-03.01 Alternative resilience mechanisms Mitigates T1561 Disk Wipe
Comments
This diagnostic statement protects against Disk Wipe through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
References
    PR.DS-11.01 Data backup and replication Mitigates T1561 Disk Wipe
    Comments
    This diagnostic statement protects adversaries that can wipe/corrupt raw disk data on systems. Implementing data backup or disaster recovery plan can be used to restore organizational data that adversaries may have attempted to overwrite.
    References
      ID.IM-02.06 Accurate data recovery Mitigates T1561 Disk Wipe
      Comments
      This diagnostic statement emphasizes the facilitation of data recovery through the implementation of robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, specifically designed to address scenarios in which adversaries attempt to corrupt raw disk data on systems or within networks.
      References
        PR.IR-04.02 Availability and capacity management Mitigates T1561 Disk Wipe
        Comments
        This diagnostic approach safeguards systems and network resources from adversaries seeking to disrupt availability by attempting to render stored data on local and remote drives via encryption. Implementing mitigation strategies, such as data backup, enables the restoration of organizational plans and critical information.
        References

          NIST 800-53 Mappings

          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
          CP-07 Alternate Processing Site mitigates T1561 Disk Wipe
          CP-10 System Recovery and Reconstitution mitigates T1561 Disk Wipe
          CP-02 Contingency Plan mitigates T1561 Disk Wipe
          CP-09 System Backup mitigates T1561 Disk Wipe
          SI-03 Malicious Code Protection mitigates T1561 Disk Wipe
          SI-07 Software, Firmware, and Information Integrity mitigates T1561 Disk Wipe
          CM-02 Baseline Configuration mitigates T1561 Disk Wipe
          SI-04 System Monitoring mitigates T1561 Disk Wipe
          AC-03 Access Enforcement mitigates T1561 Disk Wipe
          AC-06 Least Privilege mitigates T1561 Disk Wipe

          VERIS Mappings

          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
          action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1561 Disk Wipe
          action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1561 Disk Wipe
          attribute.availability.variety.Destruction Destruction related-to T1561 Disk Wipe
          attribute.availability.variety.Interruption Interruption related-to T1561 Disk Wipe
          attribute.availability.variety.Loss Loss related-to T1561 Disk Wipe

          Azure Mappings

          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
          azure_backup Azure Backup technique_scores T1561 Disk Wipe
          Comments
          Data backups provide a significant response to disk wipe attacks by enabling the restoration of data from backup.
          References
          1. https://learn.microsoft.com/en-us/azure/backup/backup-overview

          GCP Mappings

          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
          backup_and_dr_actifiogo Backup and DR-Actifio GO technique_scores T1561 Disk Wipe
          Comments
          Backup and DR-Actifio GO is a copy data management plaform that virtualizes application data to improve an organizations resiliency and cloud mobility. This capability allows an organization to take regular backups and provides several methods of restoring applications and/or VM data to a previous state. This provides significant ability to respond to a Disk Wipe since an organization could restore wiped data back to the latest backup.
          References
          1. ['https://cloud.google.com/backup-disaster-recovery/docs/configuration/cbb'
          2. 'https://cloud.google.com/backup-disaster-recovery']

          AWS Mappings

          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
          aws_cloudendure_disaster_recovery AWS CloudEndure Disaster Recovery technique_scores T1561 Disk Wipe
          Comments
          AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that server disks are wiped, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. This mapping is given a score of Significant because it supports all of the sub-techniques (2 of 2).
          References
          1. https://aws.amazon.com/cloudendure-disaster-recovery/
          2. https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.html
          3. https://aws.amazon.com/disaster-recovery/when-to-choose-aws-drs/?cloud-endure-blogs.sort-by=item.additionalFields.createdDate&cloud-endure-blogs.sort-order=desc
          aws_rds AWS RDS technique_scores T1561 Disk Wipe
          Comments
          AWS RDS supports the replication and recovery of database instances. In the event that a database instance is deleted during a disk wipe, AWS RDS can be used to restore the database instance to a previous point in time. However, this mapping is only given a score of Minimal because AWS RDS only provides a backup of the database instance and not the underlying system that it is hosted on.
          References
          1. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html
          2. https://docs.aws.amazon.com/prescriptive-guidance/latest/backup-recovery/rds.html

          ATT&CK Subtechniques

          Technique ID Technique Name Number of Mappings
          T1561.002 Disk Structure Wipe 21
          T1561.001 Disk Content Wipe 20