T1561.001 Disk Content Wipe Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1561.001 — Disk Content Wipe
// Branch 1: cipher.exe used to wipe free space (MegaCortex, Nearest Neighbor/Volexity)
let CipherWipe = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "cipher.exe"
| where ProcessCommandLine has_any ("/w", "-w")
| extend DetectionBranch = "cipher.exe freespace wipe";
// Branch 2: Windows built-in tools / LOLBins writing to raw disk device paths
let RawDiskAccess = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (
    "\\\\.\\PhysicalDrive", "\\\\.\\GLOBALROOT",
    "\\\\.\\HarddiskVolume", "\\\\.\\Disk",
    "IOCTL_DISK_FORMAT_TRACKS", "FSCTL_DISMOUNT_VOLUME"
  )
| extend DetectionBranch = "raw disk device access in command line";
// Branch 3: Known destructive wiper driver names loaded (RawDisk, HermeticWiper drivers)
let WiperDriverLoad = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where FileName has_any (
    "eltrawdrv.sys", "rawdisk.sys", "epmntdrv.sys",
    "DRV_X64.sys", "DRV_X86.sys", "DRV_XP_X64.sys", "DRV_XP_X86.sys"
  )
| extend DetectionBranch = "wiper kernel driver loaded"
| project Timestamp, DeviceName, AccountName,
    FileName, FolderPath,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    DetectionBranch;
// Branch 4: New service/driver installed with suspicious wiper-related names
let WiperDriverInstall = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "HKLM\\SYSTEM\\CurrentControlSet\\Services"
| where RegistryValueData has_any (
    "rawdisk", "eltraw", "epmntdrv", "DRV_X64", "DRV_X86"
  )
| extend DetectionBranch = "wiper driver service registry key created"
| project Timestamp, DeviceName, AccountName,
    RegistryKey, RegistryValueData,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    DetectionBranch;
// Branch 5: dd.exe (Windows port) or wmic diskdrive writing large zero/random blocks
let DDToolUsage = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "dd.exe"
| where ProcessCommandLine has_any (
    "if=/dev/zero", "if=/dev/urandom", "if=\\\\.\\zero",
    "of=\\\\.\\PhysicalDrive", "of=/dev/sd", "bs="
  )
| extend DetectionBranch = "dd tool disk overwrite";
// Union all Windows branches
union kind=outer
  (CipherWipe | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch),
  (RawDiskAccess | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch),
  (DDToolUsage | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch)
| sort by Timestamp desc

critical severity high confidence

Data Sources

Process: Process Creation Driver: Driver Load Windows Registry: Registry Key Creation File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceImageLoadEvents DeviceRegistryEvents

False Positives

cipher.exe /w legitimately used by IT security teams to comply with NIST 800-88 media sanitization policies before asset disposal or drive reuse
Disk imaging or cloning tools (Clonezilla, Acronis, Norton Ghost, Macrium Reflect) that access raw disk handles during backup or restoration operations
Disk benchmarking utilities (CrystalDiskMark, HD Tune, ATTO Disk Benchmark) that open raw device handles for performance testing
Forensic workstations running EnCase, FTK, or Autopsy that access physical drives directly during evidence collection
Virtualization platforms (VMware, Hyper-V, VirtualBox) creating or reconfiguring virtual disk files with raw device access

Splunk

spl

// T1561.001 — Disk Content Wipe (Splunk / Sysmon + WinEventLog)
(
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  OR (sourcetype="WinEventLog:Security" EventCode=4688)
)
| eval Image=coalesce(Image, NewProcessName)
| eval CommandLine=coalesce(CommandLine, ProcessCommandLine)
| eval ParentImage=coalesce(ParentImage, ParentProcessName)
| eval ImageLower=lower(Image)
| eval CmdLower=lower(CommandLine)
// Detection Branch 1: cipher.exe /w freespace wipe
| eval Branch_CipherWipe=if(match(ImageLower, "cipher\.exe$") AND match(CmdLower, "[/\\-]w\s"), 1, 0)
// Detection Branch 2: Raw disk device path in command line
| eval Branch_RawDisk=if(match(CmdLower, "(\\\\\\.\\\\physicaldrive|\\\\\\.(globalroot|harddiskvolume|disk[0-9]))"), 1, 0)
// Detection Branch 3: dd.exe writing to physical disk
| eval Branch_DDWipe=if(match(ImageLower, "dd\.exe$") AND match(CmdLower, "(of=\\\\\\.\\\\physicaldrive|of=/dev/sd|if=/dev/(zero|urandom))"), 1, 0)
// Detection Branch 4: Known wiper process names (WhisperGate, HermeticWiper, StoneDrill patterns)
| eval Branch_KnownWiperNames=if(match(ImageLower, "(stage[12]\.exe|hermeticwiper|whispergate|acidpour|deadwood|stonedrill)"), 1, 0)
| eval TotalBranches=Branch_CipherWipe + Branch_RawDisk + Branch_DDWipe + Branch_KnownWiperNames
| where TotalBranches > 0
| eval DetectionBranches=mvappend(
    if(Branch_CipherWipe=1, "cipher_freespace_wipe", null()),
    if(Branch_RawDisk=1, "raw_disk_device_access", null()),
    if(Branch_DDWipe=1, "dd_disk_overwrite", null()),
    if(Branch_KnownWiperNames=1, "known_wiper_process_name", null())
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionBranches, TotalBranches
| sort - _time

``` union with driver load events (Sysmon EventCode=7) ```
ALTERNATIVE_DRIVER_QUERY:
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7
(ImageLoaded="*eltrawdrv.sys" OR ImageLoaded="*rawdisk.sys" OR ImageLoaded="*epmntdrv.sys" OR ImageLoaded="*DRV_X64.sys" OR ImageLoaded="*DRV_X86.sys" OR ImageLoaded="*DRV_XP_X64.sys")
| eval DetectionBranch="wiper_kernel_driver_loaded"
| table _time, host, User, Image, ImageLoaded, Signed, Signature, DetectionBranch
| sort - _time

critical severity high confidence

Data Sources

Process: Process Creation Driver: Driver Load Sysmon Event ID 1 Sysmon Event ID 7 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

cipher.exe /w legitimately used by IT security teams to comply with NIST 800-88 media sanitization policies before asset disposal or drive reuse
Disk imaging or cloning tools (Clonezilla, Acronis, Norton Ghost) accessing raw disk handles during backup or restoration
Disk benchmarking utilities (CrystalDiskMark, HD Tune) opening raw device handles for performance testing
Forensic workstations running EnCase, FTK, or Autopsy during evidence collection
Virtualization platforms (VMware, Hyper-V) creating or reconfiguring virtual disk files

Elastic Security (EQL)

eql

any where
  (event.category == "process" and event.type == "start" and
   ((process.name == "cipher.exe" and process.args : ("/w","-w")) or
    (process.name : ("wevtutil.exe") and process.args : ("cl","clear-log")) or
    (process.name : ("vssadmin.exe","wmic.exe") and
     process.args : ("delete","shadowcopy","shadows") and
     not process.parent.name : ("msiexec.exe","TrustedInstaller.exe")))) or
  (event.category == "library" and
   dll.name : ("EldosRawDisk*","rawdisk*","RawDisk*") and
   not process.name : ("MsMpEng.exe","SenseIR.exe"))

critical severity high confidence

Data Sources

Windows Process Events Windows Library Load Events

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.library-*

False Positives

cipher.exe /w legitimately used by IT security teams to comply with NIST 800-88 media sanitization policies before asset disposal or drive reuse
Disk imaging or cloning tools (Clonezilla, Acronis, Norton Ghost, Macrium Reflect) that access raw disk handles during backup or restoration operations
Disk benchmarking utilities (CrystalDiskMark, HD Tune, ATTO Disk Benchmark) that open raw device handles for performance testing
Forensic workstations running EnCase, FTK, or Autopsy that access physical drives directly during evidence collection
Virtualization platforms (VMware, Hyper-V, VirtualBox) creating or reconfiguring virtual disk files with raw device access

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource, username as User,
  "Image" as ProcessImage, "CommandLine" as CommandLine,
  CASE WHEN "Image" ILIKE '%cipher.exe%' AND "CommandLine" ILIKE '% /w%' THEN 10
       WHEN "Image" ILIKE '%vssadmin.exe%' AND "CommandLine" ILIKE '%delete%' THEN 10
       WHEN "Image" ILIKE '%wevtutil.exe%' AND "CommandLine" ILIKE '%cl%' THEN 8
       ELSE 5 END as RiskScore
FROM events
WHERE eventid IN (1, 4688)
  AND (
    ("Image" ILIKE '%cipher.exe%' AND ("CommandLine" ILIKE '% /w %' OR "CommandLine" ILIKE '% -w %'))
    OR ("Image" ILIKE '%vssadmin.exe%' AND "CommandLine" ILIKE '%delete shadows%')
    OR ("Image" ILIKE '%wmic.exe%' AND "CommandLine" ILIKE '%shadowcopy delete%')
    OR ("Image" ILIKE '%wevtutil.exe%' AND ("CommandLine" ILIKE '% cl %' OR "CommandLine" ILIKE '% clear-log%'))
  )
ORDER BY RiskScore DESC, EventTime DESC

critical severity high confidence

Data Sources

Windows Security Event Log Windows Sysmon

Required Tables

events

False Positives

cipher.exe /w legitimately used by IT security teams to comply with NIST 800-88 media sanitization policies before asset disposal or drive reuse
Disk imaging or cloning tools (Clonezilla, Acronis, Norton Ghost, Macrium Reflect) that access raw disk handles during backup or restoration operations
Disk benchmarking utilities (CrystalDiskMark, HD Tune, ATTO Disk Benchmark) that open raw device handles for performance testing
Forensic workstations running EnCase, FTK, or Autopsy that access physical drives directly during evidence collection
Virtualization platforms (VMware, Hyper-V, VirtualBox) creating or reconfiguring virtual disk files with raw device access

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| json auto
| where EventID in ("1","4688")
| eval CmdLower = toLower(coalesce(CommandLine,""))
| eval ImageLower = toLower(coalesce(Image, NewProcessName, ""))
| eval detection_type = case(
    ImageLower matches ".*cipher\.exe$" AND CmdLower matches ".* /w | -w ", "Cipher_FreeSpace_Wipe",
    ImageLower matches ".*vssadmin\.exe$" AND CmdLower matches ".*delete shadows.*", "VSS_Delete",
    ImageLower matches ".*wmic\.exe$" AND CmdLower matches ".*shadowcopy.*delete.*", "WMI_VSS_Delete",
    ImageLower matches ".*wevtutil\.exe$" AND CmdLower matches ".*(cl | clear-log).*", "EventLog_Clear",
    true(), null())
| where !isNull(detection_type)
| table _time, Computer, User, Image, CommandLine, ParentImage, detection_type
| sort by _time desc

critical severity high confidence

Data Sources

Windows Security Events via Sumo Logic Windows Sysmon via Sumo Logic

Required Tables

windows/sysmon windows/security

False Positives

cipher.exe /w legitimately used by IT security teams to comply with NIST 800-88 media sanitization policies before asset disposal or drive reuse
Disk imaging or cloning tools (Clonezilla, Acronis, Norton Ghost, Macrium Reflect) that access raw disk handles during backup or restoration operations
Disk benchmarking utilities (CrystalDiskMark, HD Tune, ATTO Disk Benchmark) that open raw device handles for performance testing
Forensic workstations running EnCase, FTK, or Autopsy that access physical drives directly during evidence collection
Virtualization platforms (VMware, Hyper-V, VirtualBox) creating or reconfiguring virtual disk files with raw device access

Google Chronicle / SecOps

yaral

rule disk_content_wipe {
  meta:
    author = "Detection Engineering"
    description = "Detects disk content wipe operations (T1561.001)"
    severity = "CRITICAL"
    tactic = "TA0040"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (re.regex($e.target.process.file.full_path, `(?i)cipher\.exe`) nocase and
       re.regex($e.target.process.command_line, `(?i)\s/w\s|\s-w\s`) nocase) or
      (re.regex($e.target.process.file.full_path, `(?i)vssadmin\.exe`) nocase and
       re.regex($e.target.process.command_line, `(?i)delete shadows`) nocase) or
      (re.regex($e.target.process.file.full_path, `(?i)wevtutil\.exe`) nocase and
       re.regex($e.target.process.command_line, `(?i)(\scl\s|clear-log)`) nocase)
    )

  condition:
    $e
}

critical severity high confidence

Data Sources

Windows Process Events via Chronicle UDM

Required Tables

PROCESS_LAUNCH

False Positives

cipher.exe /w legitimately used by IT security teams to comply with NIST 800-88 media sanitization policies before asset disposal or drive reuse
Disk imaging or cloning tools (Clonezilla, Acronis, Norton Ghost, Macrium Reflect) that access raw disk handles during backup or restoration operations
Disk benchmarking utilities (CrystalDiskMark, HD Tune, ATTO Disk Benchmark) that open raw device handles for performance testing
Forensic workstations running EnCase, FTK, or Autopsy that access physical drives directly during evidence collection
Virtualization platforms (VMware, Hyper-V, VirtualBox) creating or reconfiguring virtual disk files with raw device access

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| (ImageFileName = /cipher\.exe$/i AND CommandLine = /\s\/w\s|\s-w\s/i)
  OR (ImageFileName = /vssadmin\.exe$/i AND CommandLine = /delete shadows/i)
  OR (ImageFileName = /wmic\.exe$/i AND CommandLine = /shadowcopy.*delete/i)
  OR (ImageFileName = /wevtutil\.exe$/i AND CommandLine = /(\scl\s|clear-log)/i)
| eval detection_type = case {
    ImageFileName = /cipher\.exe$/i : "FreeSpace_Wipe";
    ImageFileName = /vssadmin\.exe$/i : "VSS_Shadow_Delete";
    ImageFileName = /wmic\.exe$/i : "WMI_Shadow_Delete";
    ImageFileName = /wevtutil\.exe$/i : "EventLog_Clear";
    * : "DiskWipe"
  }
| table timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, detection_type
| sort by timestamp desc

critical severity high confidence

Data Sources

CrowdStrike Falcon Process Events

Required Tables

ProcessRollup2

False Positives

cipher.exe /w legitimately used by IT security teams to comply with NIST 800-88 media sanitization policies before asset disposal or drive reuse
Disk imaging or cloning tools (Clonezilla, Acronis, Norton Ghost, Macrium Reflect) that access raw disk handles during backup or restoration operations
Disk benchmarking utilities (CrystalDiskMark, HD Tune, ATTO Disk Benchmark) that open raw device handles for performance testing
Forensic workstations running EnCase, FTK, or Autopsy that access physical drives directly during evidence collection
Virtualization platforms (VMware, Hyper-V, VirtualBox) creating or reconfiguring virtual disk files with raw device access

Disk Content Wipe

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Impact

Popular Detections