Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.(Citation: Novetta Blockbuster Destructive Malware)
On network devices, adversaries may wipe configuration files and other data from the device using Network Device CLI commands such as erase.(Citation: erase_cmd_cisco)
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| BCR-08 | Backup | mitigates | T1561 | Disk Wipe |
Comments
Adversaries may wipe, overwrite, or corrupt raw disk data on cloud storage objects or other cloud resources. Periodically backing up data stored in the cloud; ensuring backup confidentiality, integrity, and availability; and verifying data restoration from backup provides data protection and allows for quick recovery from disk wipe attacks.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1561.002 | Disk Structure Wipe | 1 |
| T1561.001 | Disk Content Wipe | 1 |