Home/ATT&CK Technique/Disk Wipe
ATT&CK Technique

Disk Wipe

T1561 · impact

Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR).

A complete wipe of all disk sectors may be attempted. To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares. On network devices, adversaries may wipe configuration files and other data from the device using Network Device CLI commands such as erase.

LinuxmacOSWindowsNetwork Devices

Actors Using This

14
iranAgrius
north_koreaAndariel
russiaAPT28
iranAPT33
iranOilRig
north_koreaAPT38
russiaAwfulShred
russia_apt_sandwormBlackEnergy
russia_apt_sandwormCaddyWiper
russiaCadet Blizzard
north_koreaDarkSeoul Operators
russia_speaking_organized_cybercrimeDarkSide / BlackMatter
russia_aligned_destructive_operations_uncertain_sandworm_attributionDoubleZero
russia_apt_sandworm_adjacentHermeticWiper

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
execution earlier
T1559.002 · Dynamic Data Exchange ×6.07T1569 · System Services ×4.86
persistence earlier
T1037.003 · Network Logon Script ×8.50
privilege-escalation earlier
T1484.001 · Group Policy Modification ×7.08T1484 · Domain or Tenant Policy Modification ×5.31
impact same
T1561.001 · Disk Content Wipe ×8.50T1561.002 · Disk Structure Wipe ×8.50T1488 · Disk Content Wipe ×8.50T1529 · System Shutdown/Reboot ×7.97T1495 · Firmware Corruption ×7.85T1496 · Resource Hijacking ×5.67T1499.004 · Application or System Exploitation ×5.67T0828 · Loss of Productivity and Revenue ×5.31T0879 · Damage to Property ×5.31T1491.001 · Internal Defacement ×5.23

Mitigations

1
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1053Data Backup

Data Backup involves taking and securely storing backups of data from end-user systems and critical servers. It ensures that data remains available in the event of system compromise, ransomware attacks, or other disruptions. Backup processes should include hardening backup systems, implementing secure storage solutions, and keeping backups isolated from the corporate network to prevent compromise during active incidents.

Regular Backup Scheduling
  • Use Case: Ensure timely and consistent backups of critical data.
  • Implementation: Schedule daily incremental backups and weekly full backups for all critical servers and systems.
Immutable Backups
  • Use Case: Protect backups from modification or deletion, even by attackers.
  • Implementation: Use write-once-read-many (WORM) storage for backups, preventing ransomware from encrypting or deleting backup files.
Backup Encryption
  • Use Case: Protect data integrity and confidentiality during transit and storage.
  • Implementation: Encrypt backups using strong encryption protocols (e.g., AES-256) before storing them in local, cloud, or remote locations.
Offsite Backup Storage
  • Use Case: Ensure data availability during physical disasters or onsite breaches.
  • Implementation: Use cloud-based solutions like AWS S3, Azure Backup, or physical offsite storage to maintain a copy of critical data.
Backup Testing
  • Use Case: Validate backup integrity and ensure recoverability.
  • Implementation: Regularly test data restoration processes to ensure that backups are not corrupted and can be recovered quickly.

Detection Coverage

0/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) none
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

Comply & Defend

NIST 800-53AC-03, AC-06, CM-02, CP-02, CP-07, CP-09, CP-10, SI-03, SI-04, SI-07
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin