Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.
Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have also been observed leveraging third-party drivers like RawDisk to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from Data Destruction because sections of the disk are erased instead of individual files.
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.(Citation: Novetta Blockbuster Destructive Malware)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1561.001 | Disk Content Wipe |
Comments
This diagnostic statement protects against Disk Content Wipe through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
References
|
| PR.DS-11.01 | Data backup and replication | Mitigates | T1561.001 | Disk Content Wipe |
Comments
This diagnostic statement protects adversaries that can wipe/corrupt contents of storage device data. Implementing data backup or disaster recovery plan can be used to restore organizational data that adversaries may have attempted to overwrite.
References
|
| ID.IM-02.06 | Accurate data recovery | Mitigates | T1561.001 | Disk Content Wipe |
Comments
This diagnostic statement emphasizes the facilitation of data recovery through the implementation of robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, specifically designed to address scenarios in which adversaries attempt to erase content found on storage devices on systems or within networks.
References
|
| PR.IR-04.02 | Availability and capacity management | Mitigates | T1561.001 | Disk Content Wipe |
Comments
This diagnostic approach safeguards systems and network resources from adversaries seeking to disrupt availability by attempting to erase contents of storage devices on systems and networks. Implementing mitigation strategies, such as data backup, enables the restoration of organizational plans and critical information.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CP-07 | Alternate Processing Site | mitigates | T1561.001 | Disk Content Wipe | |
| CP-10 | System Recovery and Reconstitution | mitigates | T1561.001 | Disk Content Wipe | |
| CP-02 | Contingency Plan | mitigates | T1561.001 | Disk Content Wipe | |
| CP-09 | System Backup | mitigates | T1561.001 | Disk Content Wipe | |
| SI-03 | Malicious Code Protection | mitigates | T1561.001 | Disk Content Wipe | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1561.001 | Disk Content Wipe | |
| CM-02 | Baseline Configuration | mitigates | T1561.001 | Disk Content Wipe | |
| SI-04 | System Monitoring | mitigates | T1561.001 | Disk Content Wipe | |
| AC-03 | Access Enforcement | mitigates | T1561.001 | Disk Content Wipe | |
| AC-06 | Least Privilege | mitigates | T1561.001 | Disk Content Wipe |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Destroy data | Destroy or corrupt stored data | related-to | T1561.001 | Disk Content Wipe | |
| attribute.availability.variety.Destruction | Destruction | related-to | T1561.001 | Disk Content Wipe | |
| attribute.availability.variety.Loss | Loss | related-to | T1561.001 | Disk Content Wipe |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| azure_backup | Azure Backup | technique_scores | T1561.001 | Disk Content Wipe |
Comments
Data backups provide a significant response to disk content wipe attacks by enabling the restoration of data from backup.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| aws_cloudendure_disaster_recovery | AWS CloudEndure Disaster Recovery | technique_scores | T1561.001 | Disk Content Wipe |
Comments
AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that server disks are wiped, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.
References
|
| aws_rds | AWS RDS | technique_scores | T1561.001 | Disk Content Wipe |
Comments
AWS RDS supports the replication and recovery of database instances. In the event that a database instance is deleted during a disk wipe, AWS RDS can be used to restore the database instance to a previous point in time. However, this mapping is only given a score of Partial because AWS RDS only provides a backup of the database instance and not the underlying system that it is hosted on.
References
|