- Tactics: Impact
- Platforms: Linux, macOS, Windows, Network Devices
- Reference: attack.mitre.org/techniques/T1561
Description
Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.(Citation: Novetta Blockbuster Destructive Malware)
On network devices, adversaries may wipe configuration files and other data from the device using Network Device CLI commands such as erase.(Citation: erase_cmd_cisco)
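A defender-side integrity check for the disk structure named above, the master boot record, added here as an example and not part of the ATT&CK entry: it parses sector 0 of a disk and reports whether the boot signature and partition table are still intact, or whether the sector has been zeroed or overwritten with garbage. The sample sectors are constructed, and the check assumes a classic MBR-partitioned disk (a GPT disk's protective MBR still carries the signature, so it would also pass).

```python
"""Check whether a 512-byte sector 0 still looks like a valid MBR.

Added example (not from the ATT&CK page). A wiper that zeroes or overwrites
the first sector destroys the 0x55AA boot signature and/or the partition
table; this parser reports which of those it observes. Sample data is constructed.
"""
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries at 446..509
BOOT_SIGNATURE = b"\x55\xAA"          # bytes 510..511 of a valid MBR
# Entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
ENTRY_FMT = "<B3xB3xII"


def parse_partitions(sector: bytes) -> list[dict]:
    """Return the four partition entries of an MBR as dicts."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, sector, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def assess_mbr(sector: bytes) -> str:
    """Return 'ok', 'zeroed', 'no_signature' or 'bad_table' for one sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector == bytes(SECTOR_SIZE):
        return "zeroed"             # sector overwritten with zeros
    if sector[510:512] != BOOT_SIGNATURE:
        return "no_signature"       # signature gone: random or garbage overwrite
    for entry in parse_partitions(sector):
        if entry["status"] not in (0x00, 0x80):
            return "bad_table"      # status must be inactive (0x00) or bootable (0x80)
        if entry["type"] != 0 and entry["sectors"] == 0:
            return "bad_table"      # a used entry with a zero-length partition
    return "ok"


def build_sample_mbr() -> bytes:
    """Construct a minimal valid MBR: placeholder bootstrap bytes, one bootable partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[:4] = b"\x33\xC0\x8E\xD0"  # placeholder bootstrap code, constructed
    # entry 0: bootable, type 0x07 (NTFS/exFAT), starts at LBA 2048, 1,000,000 sectors
    struct.pack_into(ENTRY_FMT, sector, PARTITION_TABLE_OFFSET, 0x80, 0x07, 2048, 1_000_000)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)
```

Reading sector 0 for a real check needs raw device access (for example `open("/dev/sda", "rb").read(512)` on Linux as root); comparing the result, or its hash, against a stored baseline turns this into a simple periodic integrity monitor.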
Sub-techniques
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the Impact tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1485 — Data Destruction
- T1486 — Data Encrypted for Impact
- T1489 — Service Stop
- T1490 — Inhibit System Recovery
- T1491 — Defacement
- T1495 — Firmware Corruption
- T1496 — Resource Hijacking
- T1498 — Network Denial of Service
- T1499 — Endpoint Denial of Service
- T1529 — System Shutdown/Reboot
- T1531 — Account Access Removal
- T1565 — Data Manipulation