T1561 Disk Wipe Mappings

Adversaries may wipe or corrupt raw disk data on specific systems, or on large numbers of systems across a network, to interrupt the availability of system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.(Citation: Novetta Blockbuster Destructive Malware)

Capability ID                        | Capability Description                          | Mapping Type     | ATT&CK ID | ATT&CK Name
-------------------------------------|-------------------------------------------------|------------------|-----------|------------
AC-3                                 | Access Enforcement                              | Protects         | T1561     | Disk Wipe
AC-6                                 | Least Privilege                                 | Protects         | T1561     | Disk Wipe
CM-2                                 | Baseline Configuration                          | Protects         | T1561     | Disk Wipe
CP-10                                | System Recovery and Reconstitution              | Protects         | T1561     | Disk Wipe
CP-2                                 | Contingency Plan                                | Protects         | T1561     | Disk Wipe
CP-7                                 | Alternate Processing Site                       | Protects         | T1561     | Disk Wipe
CP-9                                 | System Backup                                   | Protects         | T1561     | Disk Wipe
SI-3                                 | Malicious Code Protection                       | Protects         | T1561     | Disk Wipe
SI-4                                 | System Monitoring                               | Protects         | T1561     | Disk Wipe
SI-7                                 | Software, Firmware, and Information Integrity   | Protects         | T1561     | Disk Wipe
action.malware.variety.Destroy data  | Destroy or corrupt stored data                  | related-to       | T1561     | Disk Wipe
aws_rds                              | AWS RDS                                         | technique_scores | T1561     | Disk Wipe
aws_cloudendure_disaster_recovery    | AWS CloudEndure Disaster Recovery               | technique_scores | T1561     | Disk Wipe
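The SI-7 (integrity) and CM-2 (baseline) mappings above come down to one concrete practice for the disk-structure variant of this technique: record a known-good fingerprint of the MBR sector and periodically re-read and compare it. The script below is an added example, not code from the mapping page, MITRE or CTID. It parses the standard MBR layout (446-byte bootstrap area, four 16-byte partition entries at offset 0x1BE, 0x55AA signature at offset 0x1FE), stores a SHA-256 baseline, and flags the patterns a wiper leaves behind: an all-zero sector, a missing boot signature, or an emptied partition table. The sample MBR and the two "wiped" variants are constructed in-memory; the device paths in `read_first_sector` are the usual ones but are an assumption about your platform and require administrator/root rights.

```python
"""Baseline-and-verify check for a disk's MBR sector (added example, constructed data)."""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE      # four 16-byte partition entries start here
SIGNATURE_OFFSET = 0x1FE       # two-byte boot signature
MBR_SIGNATURE = b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Decode the boot signature and the four primary partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, num_sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:  # type 0x00 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": num_sectors})
    return {
        "signature_ok": sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == MBR_SIGNATURE,
        "partitions": partitions,
        "zeroed": not any(sector),
    }


def fingerprint(sector: bytes) -> str:
    """Baseline value to persist off-host (CM-2); compare on each check (SI-7)."""
    return hashlib.sha256(sector).hexdigest()


def check_mbr(sector: bytes, baseline_digest: str) -> list:
    """Return a list of findings; an empty list means the sector matches its baseline."""
    findings = []
    info = parse_mbr(sector)
    if fingerprint(sector) != baseline_digest:
        findings.append("MBR differs from baseline")
    if info["zeroed"]:
        findings.append("sector is all zeroes")
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if not info["partitions"]:
        findings.append("partition table empty")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed MBR: placeholder bootstrap bytes plus one bootable NTFS-type (0x07) partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:PART_TABLE_OFFSET] = b"\x90" * PART_TABLE_OFFSET  # NOP filler, not real boot code
    # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
    entry = struct.pack("<BBBBBBBBII", 0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF, 2048, 204800)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = MBR_SIGNATURE
    return bytes(sector)


def zero_wipe(sector: bytes) -> bytes:
    """What a structure wipe that zero-fills sector 0 leaves behind."""
    return bytes(len(sector))


def corrupt_partition_table(sector: bytes) -> bytes:
    """A narrower wipe: partition entries cleared, bootstrap and signature intact."""
    s = bytearray(sector)
    s[PART_TABLE_OFFSET:SIGNATURE_OFFSET] = bytes(SIGNATURE_OFFSET - PART_TABLE_OFFSET)
    return bytes(s)


def read_first_sector(device_path: str) -> bytes:
    """Read sector 0 from a raw device, e.g. r'\\\\.\\PhysicalDrive0' on Windows or
    '/dev/sda' on Linux (assumed paths; needs administrator/root privileges)."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = fingerprint(good)            # in practice: store this off the monitored host
    print("healthy :", check_mbr(good, baseline))
    print("zeroed  :", check_mbr(zero_wipe(good), baseline))
    print("ptable  :", check_mbr(corrupt_partition_table(good), baseline))
```

Run it with a real device by replacing `good` with `read_first_sector(...)` and loading the baseline from wherever you persisted it. The baseline must live off the host being checked: a wiper with raw disk access can destroy a locally stored hash just as easily as the MBR itself, which is also why the CP-9 backup and CP-10 recovery mappings sit beside SI-7 in the table.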

ATT&CK Subtechniques

Technique ID | Technique Name       | Number of Mappings
-------------|----------------------|-------------------
T1561.001    | Disk Content Wipe    | 13
T1561.002    | Disk Structure Wipe  | 13