Home
ATT&CK Techniques
T1561 Disk Wipe

T1561 Disk Wipe

Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.(Citation: Novetta Blockbuster Destructive Malware)

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
AC-3	Access Enforcement	Protects	T1561	Disk Wipe
AC-6	Least Privilege	Protects	T1561	Disk Wipe
CM-2	Baseline Configuration	Protects	T1561	Disk Wipe
CP-10	System Recovery and Reconstitution	Protects	T1561	Disk Wipe
CP-2	Contingency Plan	Protects	T1561	Disk Wipe
CP-7	Alternate Processing Site	Protects	T1561	Disk Wipe
CP-9	System Backup	Protects	T1561	Disk Wipe
SI-3	Malicious Code Protection	Protects	T1561	Disk Wipe
SI-4	System Monitoring	Protects	T1561	Disk Wipe
SI-7	Software, Firmware, and Information Integrity	Protects	T1561	Disk Wipe

Azure Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
azure_backup	Azure Backup	technique_scores	T1561	Disk Wipe	Comments Data backups provide a significant response to disk wipe attacks by enabling the restoration of data from backup. References https://docs.microsoft.com/en-us/azure/backup/backup-overview

ATT&CK Subtechniques

Technique ID	Technique Name	Number of Mappings
T1561.001	Disk Content Wipe	11
T1561.002	Disk Structure Wipe	11