T1561

Disk Wipe

Adversaries may wipe or corrupt raw disk data on specific systems or across a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite arbitrary portions of disk data or target critical disk structures such as the Master Boot Record (MBR) or Volume Boot Record (VBR). A complete wipe of all disk sectors may be attempted using built-in OS utilities, third-party tools, or custom malware. Real-world destructive campaigns using this technique include Shamoon (Saudi Aramco, 2012), WhisperGate (Ukraine, 2022), HermeticWiper (Ukraine, 2022), and Destover (Sony, 2014). Wiper malware frequently chains multiple TA0040 techniques: disabling VSS/recovery first, then overwriting disk content, then corrupting disk structure, to maximize recovery difficulty.

Microsoft Sentinel / Defender

kusto

let KnownWipingTools = dynamic([
  "dd.exe", "diskpart.exe", "format.exe", "cipher.exe", "sdelete.exe",
  "wipe.exe", "eraser.exe", "nwipe.exe", "hdderase.exe", "killdisk.exe",
  "bcdedit.exe", "vssadmin.exe", "wevtutil.exe"
]);
let RawDiskPatterns = dynamic([
  "\\\\.\\PhysicalDrive", "\\\\.\\HarddiskVolume", "\\\\.\\GLOBALROOT",
  "if=/dev/zero", "if=/dev/random", "if=/dev/urandom",
  "of=/dev/sd", "of=/dev/hd", "of=/dev/nvme"
]);
let WipeCommandPatterns = dynamic([
  "clean all", "/p:1", "/p:2", "/p:3", "/p:4", "/p:5", "/p:6", "/p:7",
  "cipher /w", "cipher /W", "-z ", "-zd ", "-c ",
  "delete shadows", "shadowcopy delete", "Delete Shadows /All",
  "recoveryenabled No", "recoveryenabled no",
  "bcdedit /set", "wevtutil cl ", "wevtutil.exe cl"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName in~ (KnownWipingTools) and ProcessCommandLine has_any (WipeCommandPatterns))
    or ProcessCommandLine has_any (RawDiskPatterns)
| extend RawDiskAccess = ProcessCommandLine has_any ("\\\\.\\PhysicalDrive", "\\\\.\\HarddiskVolume", "if=/dev/zero", "if=/dev/random")
| extend DiskPartWipe = FileName =~ "diskpart.exe" and ProcessCommandLine has "clean"
| extend FormatSecureWipe = FileName =~ "format.exe" and ProcessCommandLine matches regex @"/p:[1-9]"
| extend CipherWipe = FileName =~ "cipher.exe" and (ProcessCommandLine has "/w" or ProcessCommandLine has "/W")
| extend SDeleteWipe = FileName =~ "sdelete.exe" and ProcessCommandLine has_any ("-z", "-zd", "-c", "/z", "/c")
| extend VSSDelete = ProcessCommandLine has_any ("delete shadows", "shadowcopy delete", "Delete Shadows /All", "Delete Shadows /all")
| extend BootRecoveryDisable = FileName =~ "bcdedit.exe" and ProcessCommandLine has "recoveryenabled"
| extend AuditLogClear = FileName =~ "wevtutil.exe" and ProcessCommandLine has_any ("cl ", "clear-log")
| extend WipeScore = toint(RawDiskAccess) + toint(DiskPartWipe) + toint(FormatSecureWipe) + toint(CipherWipe) + toint(SDeleteWipe) + toint(VSSDelete) + toint(BootRecoveryDisable) + toint(AuditLogClear)
| where WipeScore > 0
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         RawDiskAccess, DiskPartWipe, FormatSecureWipe, CipherWipe, SDeleteWipe,
         VSSDelete, BootRecoveryDisable, AuditLogClear, WipeScore
| sort by WipeScore desc, Timestamp desc

critical severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT operations using diskpart clean or format /p: for decommissioning hardware before asset disposal or reimaging
Security teams running SDelete or cipher /w as part of data sanitization workflows on endpoints being retired
Backup and disaster recovery software (Acronis, Veeam) that accesses raw PhysicalDrive handles during bare-metal restore operations
Forensic tools (FTK Imager, dd for Windows) used by incident responders that access \\PhysicalDrive paths for imaging
System administrators using vssadmin delete shadows as part of scheduled disk space reclamation on servers with large VSS allocations

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  (Image="*\\dd.exe" OR Image="*\\diskpart.exe" OR Image="*\\format.exe" OR Image="*\\cipher.exe"
   OR Image="*\\sdelete.exe" OR Image="*\\wipe.exe" OR Image="*\\eraser.exe" OR Image="*\\killdisk.exe"
   OR Image="*\\bcdedit.exe" OR Image="*\\vssadmin.exe" OR Image="*\\wevtutil.exe"
   OR CommandLine="*\\\\.\\PhysicalDrive*" OR CommandLine="*\\\\.\\HarddiskVolume*"
   OR CommandLine="*if=/dev/zero*" OR CommandLine="*if=/dev/random*")
| eval CommandLineLower=lower(CommandLine)
| eval RawDiskAccess=if(match(CommandLineLower, "(\\\\.\\\\physicaldrive|\\\\.\\\\harddiskvolume|if=/dev/zero|if=/dev/random|if=/dev/urandom|of=/dev/sd|of=/dev/hd)"), 1, 0)
| eval DiskPartWipe=if(match(Image, "diskpart\.exe$") AND match(CommandLineLower, "clean"), 1, 0)
| eval FormatSecureWipe=if(match(Image, "format\.exe$") AND match(CommandLineLower, "/p:[1-9]"), 1, 0)
| eval CipherWipe=if(match(Image, "cipher\.exe$") AND match(CommandLineLower, "/w"), 1, 0)
| eval SDeleteWipe=if(match(Image, "sdelete\.exe$") AND match(CommandLineLower, "(-z|-zd|-c|/z|/c)"), 1, 0)
| eval VSSDelete=if(match(CommandLineLower, "(delete shadows|shadowcopy delete|delete shadows /all)"), 1, 0)
| eval BootRecoveryDisable=if(match(Image, "bcdedit\.exe$") AND match(CommandLineLower, "recoveryenabled"), 1, 0)
| eval AuditLogClear=if(match(Image, "wevtutil\.exe$") AND match(CommandLineLower, "(\\scl\\s|\\sclear-log|\\s/cl)"), 1, 0)
| eval WipeScore=RawDiskAccess + DiskPartWipe + FormatSecureWipe + CipherWipe + SDeleteWipe + VSSDelete + BootRecoveryDisable + AuditLogClear
| where WipeScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        RawDiskAccess, DiskPartWipe, FormatSecureWipe, CipherWipe, SDeleteWipe,
        VSSDelete, BootRecoveryDisable, AuditLogClear, WipeScore
| sort - WipeScore - _time

critical severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT operations using diskpart clean or format /p: for decommissioning hardware before asset disposal or reimaging
Security teams running SDelete or cipher /w as part of data sanitization workflows on endpoints being retired
Backup and disaster recovery software (Acronis, Veeam) accessing raw PhysicalDrive handles during bare-metal restore
Forensic investigators using dd or FTK Imager for disk imaging that access \\PhysicalDrive paths
Scheduled vssadmin delete shadows jobs on file/database servers managing VSS snapshot storage consumption

Elastic Security (EQL)

eql

process where event.type == "start" and
(
  (
    process.name in~ ("dd.exe", "diskpart.exe", "format.exe", "cipher.exe", "sdelete.exe",
                      "wipe.exe", "eraser.exe", "nwipe.exe", "hdderase.exe", "killdisk.exe",
                      "bcdedit.exe", "vssadmin.exe", "wevtutil.exe")
    and (
      process.command_line like~ "*clean all*" or
      process.command_line like~ "*/p:1*" or process.command_line like~ "*/p:2*" or
      process.command_line like~ "*/p:3*" or process.command_line like~ "*/p:4*" or
      process.command_line like~ "*/p:5*" or process.command_line like~ "*/p:6*" or
      process.command_line like~ "*/p:7*" or
      process.command_line like~ "*/w *" or process.command_line like~ "*/W *" or
      process.command_line like~ "* -z *" or process.command_line like~ "* -zd *" or
      process.command_line like~ "*delete shadows*" or
      process.command_line like~ "*shadowcopy delete*" or
      process.command_line like~ "*Delete Shadows /All*" or
      process.command_line like~ "*recoveryenabled*" or
      process.command_line like~ "* cl *" or
      process.command_line like~ "*clear-log*"
    )
  ) or
  process.command_line like~ "*PhysicalDrive*" or
  process.command_line like~ "*HarddiskVolume*" or
  process.command_line like~ "*GLOBALROOT*" or
  process.command_line like~ "*if=/dev/zero*" or
  process.command_line like~ "*if=/dev/random*" or
  process.command_line like~ "*if=/dev/urandom*" or
  process.command_line like~ "*of=/dev/sd*" or
  process.command_line like~ "*of=/dev/hd*" or
  process.command_line like~ "*of=/dev/nvme*"
)

critical severity high confidence

Data Sources

Elastic Endpoint Security agent Winlogbeat with Sysmon module Elastic Agent with Windows integration

Required Tables

logs-endpoint.events.process-* logs-windows.sysmon_operational-* winlogbeat-*

False Positives

IT administrators using diskpart or format.exe for legitimate disk initialization, partitioning, or OS deployment tasks
Security or compliance teams running sdelete or cipher /w for NIST 800-88 data sanitization on decommissioned hardware
Backup agents (Veeam, Commvault, Windows Server Backup) invoking vssadmin to delete shadow copies as part of normal retention rotation

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  sourceip AS "Source IP",
  username AS "Username",
  "Process Name" AS "Process",
  "Command" AS "Command Line",
  CASE WHEN LOWER("Command") ILIKE '%physicaldrive%'
            OR LOWER("Command") ILIKE '%harddiskvolume%'
            OR LOWER("Command") ILIKE '%if=/dev/zero%'
            OR LOWER("Command") ILIKE '%if=/dev/random%'
            OR LOWER("Command") ILIKE '%if=/dev/urandom%'
       THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Process Name") ILIKE '%diskpart.exe%'
            AND LOWER("Command") ILIKE '%clean%'
       THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Process Name") ILIKE '%format.exe%'
            AND "Command" ILIKE '%/p:_%'
       THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Process Name") ILIKE '%cipher.exe%'
            AND LOWER("Command") ILIKE '%/w%'
       THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Process Name") ILIKE '%sdelete.exe%'
            AND (LOWER("Command") ILIKE '%-z %'
              OR LOWER("Command") ILIKE '%-zd %'
              OR LOWER("Command") ILIKE '%-c %')
       THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Command") ILIKE '%delete shadows%'
            OR LOWER("Command") ILIKE '%shadowcopy delete%'
       THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Process Name") ILIKE '%bcdedit.exe%'
            AND LOWER("Command") ILIKE '%recoveryenabled%'
       THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Process Name") ILIKE '%wevtutil.exe%'
            AND (LOWER("Command") ILIKE '% cl %'
              OR LOWER("Command") ILIKE '%clear-log%')
       THEN 1 ELSE 0 END AS WipeScore
FROM events
WHERE starttime > NOW() - 86400000
  AND LOGSOURCETYPEID IN (12, 14, 15, 94, 260, 352)
  AND (
    LOWER("Process Name") ILIKE '%diskpart.exe%' OR
    LOWER("Process Name") ILIKE '%format.exe%' OR
    LOWER("Process Name") ILIKE '%cipher.exe%' OR
    LOWER("Process Name") ILIKE '%sdelete.exe%' OR
    LOWER("Process Name") ILIKE '%killdisk.exe%' OR
    LOWER("Process Name") ILIKE '%bcdedit.exe%' OR
    LOWER("Process Name") ILIKE '%vssadmin.exe%' OR
    LOWER("Process Name") ILIKE '%wevtutil.exe%' OR
    LOWER("Process Name") ILIKE '%dd.exe%' OR
    LOWER("Command") ILIKE '%physicaldrive%' OR
    LOWER("Command") ILIKE '%harddiskvolume%' OR
    LOWER("Command") ILIKE '%if=/dev/zero%' OR
    LOWER("Command") ILIKE '%if=/dev/random%' OR
    LOWER("Command") ILIKE '%of=/dev/sd%'
  )
HAVING WipeScore > 0
ORDER BY WipeScore DESC, starttime DESC

critical severity medium confidence

Data Sources

QRadar Microsoft Windows Security Event Log DSM QRadar Microsoft Windows Sysmon DSM QRadar Universal DSM for Windows endpoint agents

Required Tables

events

False Positives

System administrators running diskpart or format /p for authorized disk provisioning or secure decommission of storage assets
Enterprise backup solutions (Acronis, Veeam, NetBackup) invoking vssadmin delete shadows for VSS snapshot retention management
Penetration testers or red team operators using disk sanitization tools during scoped and authorized assessments

Sumo Logic CSE

sql

(_index=sec_record_process OR _sourceCategory=*Sysmon* OR _sourceCategory=*WinEventLog*)
| where !isEmpty(commandLine)
| where baseImage in ("dd.exe", "diskpart.exe", "format.exe", "cipher.exe", "sdelete.exe",
    "wipe.exe", "eraser.exe", "nwipe.exe", "hdderase.exe", "killdisk.exe",
    "bcdedit.exe", "vssadmin.exe", "wevtutil.exe")
  OR commandLine matches "(?i).*(PhysicalDrive|HarddiskVolume|GLOBALROOT|if=/dev/zero|if=/dev/random|if=/dev/urandom|of=/dev/sd|of=/dev/hd|of=/dev/nvme).*"
| eval cmdLow = toLowerCase(commandLine)
| eval procLow = toLowerCase(baseImage)
| eval RawDiskAccess = if(cmdLow matches ".*(physicaldrive|harddiskvolume|globalroot|if=/dev/zero|if=/dev/random|if=/dev/urandom|of=/dev/sd|of=/dev/hd|of=/dev/nvme).*", 1, 0)
| eval DiskPartWipe = if(procLow = "diskpart.exe" and cmdLow matches ".*clean.*", 1, 0)
| eval FormatSecureWipe = if(procLow = "format.exe" and cmdLow matches ".*/p:[1-9].*", 1, 0)
| eval CipherWipe = if(procLow = "cipher.exe" and cmdLow matches ".*/[wW].*", 1, 0)
| eval SDeleteWipe = if(procLow = "sdelete.exe" and cmdLow matches ".*(-z\b|-zd\b|-c\b|/z\b|/c\b).*", 1, 0)
| eval VSSDelete = if(cmdLow matches ".*(delete shadows|shadowcopy delete|delete shadows /all).*", 1, 0)
| eval BootRecoveryDisable = if(procLow = "bcdedit.exe" and cmdLow matches ".*recoveryenabled.*", 1, 0)
| eval AuditLogClear = if(procLow = "wevtutil.exe" and cmdLow matches ".*( cl |clear-log|/cl).*", 1, 0)
| eval WipeScore = RawDiskAccess + DiskPartWipe + FormatSecureWipe + CipherWipe + SDeleteWipe + VSSDelete + BootRecoveryDisable + AuditLogClear
| where WipeScore > 0
| fields _messageTime, srcDevice_hostname, user_username, baseImage, commandLine,
         parentBaseImage, RawDiskAccess, DiskPartWipe, FormatSecureWipe, CipherWipe,
         SDeleteWipe, VSSDelete, BootRecoveryDisable, AuditLogClear, WipeScore
| sort by WipeScore desc, _messageTime desc

critical severity high confidence

Data Sources

Sumo Logic Cloud SIEM Enterprise (sec_record_process normalized schema) Windows Sysmon via Sumo Logic Installed Collector Windows Security Event Log via Installed Collector

Required Tables

sec_record_process _sourceCategory=*Sysmon* _sourceCategory=*WinEventLog*

False Positives

IT operations staff using diskpart or format.exe during provisioning, re-imaging, or authorized disk turnover workflows
Scheduled backup agents removing stale VSS shadow copies via vssadmin delete shadows as part of defined retention policy
Forensic or incident response teams accessing raw disk paths during authorized evidence acquisition or triage activities

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| FileName = /(?i)(dd\.exe|diskpart\.exe|format\.exe|cipher\.exe|sdelete\.exe|wipe\.exe|eraser\.exe|nwipe\.exe|hdderase\.exe|killdisk\.exe|bcdedit\.exe|vssadmin\.exe|wevtutil\.exe)/
  OR CommandLine = /(?i)(PhysicalDrive|HarddiskVolume|GLOBALROOT|if=\/dev\/(zero|random|urandom)|of=\/dev\/(sd|hd|nvme))/
| RawDiskAccess := CommandLine match {
    /(?i)(PhysicalDrive|HarddiskVolume|GLOBALROOT|if=\/dev\/(zero|random|urandom)|of=\/dev\/(sd|hd|nvme))/ => 1;
    * => 0
  }
| DiskPartWipe := case {
    FileName = /(?i)diskpart\.exe/ AND CommandLine = /(?i)clean/ => 1;
    * => 0
  }
| FormatSecureWipe := case {
    FileName = /(?i)format\.exe/ AND CommandLine = /\/p:[1-9]/ => 1;
    * => 0
  }
| CipherWipe := case {
    FileName = /(?i)cipher\.exe/ AND CommandLine = /(?i)\/[wW]/ => 1;
    * => 0
  }
| SDeleteWipe := case {
    FileName = /(?i)sdelete\.exe/ AND CommandLine = /(?i)(\s-z\b|\s-zd\b|\s-c\b|\/z\b|\/c\b)/ => 1;
    * => 0
  }
| VSSDelete := case {
    CommandLine = /(?i)(delete\s+shadows|shadowcopy\s+delete|delete\s+shadows\s+\/all)/ => 1;
    * => 0
  }
| BootRecoveryDisable := case {
    FileName = /(?i)bcdedit\.exe/ AND CommandLine = /(?i)recoveryenabled/ => 1;
    * => 0
  }
| AuditLogClear := case {
    FileName = /(?i)wevtutil\.exe/ AND CommandLine = /(?i)(\scl\s|clear-log|\/cl\b)/ => 1;
    * => 0
  }
| WipeScore := RawDiskAccess + DiskPartWipe + FormatSecureWipe + CipherWipe + SDeleteWipe + VSSDelete + BootRecoveryDisable + AuditLogClear
| WipeScore > 0
| select([_time, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentProcessId,
          RawDiskAccess, DiskPartWipe, FormatSecureWipe, CipherWipe, SDeleteWipe,
          VSSDelete, BootRecoveryDisable, AuditLogClear, WipeScore])
| sort(WipeScore, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (ProcessRollup2 sensor events) Falcon Data Replicator (FDR) streaming telemetry to LogScale/Humio

Required Tables

ProcessRollup2

False Positives

Systems administrators using diskpart or format.exe during legitimate disk provisioning, server build-out, or OS migration workflows
Backup software or snapshot management agents invoking vssadmin to delete old shadow copies per configured retention policy
Authorized red team or penetration testing using SDelete, KillDisk, or dd.exe in scoped assessment environments with change-control approval

Last updated: 2026-04-20 Research depth: deep

References (14)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1561 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Disk Wipe

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (2)

Same Tactic: Impact

Popular Detections