Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.(Citation: Novetta Blockbuster Destructive Malware)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-3 | Access Enforcement | Protects | T1561 | Disk Wipe |
AC-6 | Least Privilege | Protects | T1561 | Disk Wipe |
CM-2 | Baseline Configuration | Protects | T1561 | Disk Wipe |
CP-10 | System Recovery and Reconstitution | Protects | T1561 | Disk Wipe |
CP-2 | Contingency Plan | Protects | T1561 | Disk Wipe |
CP-7 | Alternate Processing Site | Protects | T1561 | Disk Wipe |
CP-9 | System Backup | Protects | T1561 | Disk Wipe |
SI-3 | Malicious Code Protection | Protects | T1561 | Disk Wipe |
SI-4 | System Monitoring | Protects | T1561 | Disk Wipe |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1561 | Disk Wipe |
azure_backup | Azure Backup | technique_scores | T1561 | Disk Wipe |
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1561.001 | Disk Content Wipe | 11 |
T1561.002 | Disk Structure Wipe | 11 |