Disk Wipe (T1561)
Tactic: Impact · Platforms: Linux, macOS, Windows, Network Devices
The interactive view maps 1 detection strategy, 1 mitigation to this technique, alongside D3FEND countermeasures and data-component coverage.
Overview
Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.
On network devices, adversaries may wipe configuration files and other data from the device using Network Device CLI commands such as `erase`.