T1561.001 CrowdStrike LogScale · LogScale

Detect Disk Content Wipe in CrowdStrike LogScale

Adversaries may erase the contents of storage devices to interrupt availability of systems and network resources. Unlike file-level destruction, disk content wiping targets arbitrary raw disk sectors, making recovery through normal storage interfaces impossible. Attackers gain direct disk access via OS raw device handles (e.g., \\.\PhysicalDrive0 on Windows, /dev/sda on Linux), third-party kernel drivers like RawDisk (eltrawdrv.sys), or built-in utilities such as cipher.exe, dd, and shred. Real-world destructive campaigns include HermeticWiper (Ukraine 2022), WhisperGate (Ukraine 2022), AcidRain/AcidPour (satellite modems), and Lazarus Group's WhiskeyAlfa malware overwriting the first 64MB of every drive. These attacks are often staged alongside credential dumping and lateral movement to maximize organizational impact.

MITRE ATT&CK

Tactic: Impact
Technique: T1561 Disk Wipe
Sub-technique: T1561.001 Disk Content Wipe
Canonical reference: https://attack.mitre.org/techniques/T1561/001/

LogScale Detection Query

CrowdStrike LogScale query (CQL):

// Candidate processes: free-space wipe, shadow-copy deletion and event-log clearing
#event_simpleName = "ProcessRollup2"
| (ImageFileName = /cipher\.exe$/i and CommandLine = /\s[\/-]w:/i)   // cipher wipes only via /W:<directory>
  or (ImageFileName = /vssadmin\.exe$/i and CommandLine = /delete shadows/i)
  or (ImageFileName = /wmic\.exe$/i and CommandLine = /shadowcopy.*delete/i)
  or (ImageFileName = /wevtutil\.exe$/i and CommandLine = /(\scl\s|clear-log)/i)
// Label each hit; LogScale case syntax is "condition | field := value"
| case {
    ImageFileName = /cipher\.exe$/i | detection_type := "FreeSpace_Wipe";
    ImageFileName = /vssadmin\.exe$/i | detection_type := "VSS_Shadow_Delete";
    ImageFileName = /wmic\.exe$/i | detection_type := "WMI_Shadow_Delete";
    ImageFileName = /wevtutil\.exe$/i | detection_type := "EventLog_Clear";
    * | detection_type := "DiskWipe"
  }
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, detection_type])
| sort(@timestamp, order=desc)

Severity: critical. Confidence: high.

Flags processes associated with disk content wiping (the cipher.exe free-space wipe) together with the shadow-copy deletion and event-log clearing that commonly accompany it, using CrowdStrike Falcon ProcessRollup2 telemetry.
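To exercise the query's match logic offline, here is an added Python re-implementation (not from this page or from CrowdStrike) of the four filter branches and the case classification, run over constructed ProcessRollup2-style records; the field names follow the query, and the sample values are made up.

```python
import re
from typing import Optional

# Each rule mirrors one filter branch of the LogScale query; regexes are
# case-insensitive like the /.../i literals. cipher.exe only wipes free space
# via "/W:<directory>", so the command-line pattern anchors on "/w:" or "-w:".
RULES = [
    (r"cipher\.exe$",   r"\s[/-]w:",            "FreeSpace_Wipe"),
    (r"vssadmin\.exe$", r"delete shadows",      "VSS_Shadow_Delete"),
    (r"wmic\.exe$",     r"shadowcopy.*delete",  "WMI_Shadow_Delete"),
    (r"wevtutil\.exe$", r"(\scl\s|clear-log)",  "EventLog_Clear"),
]
COMPILED = [(re.compile(i, re.I), re.compile(c, re.I), t) for i, c, t in RULES]

def classify(event: dict) -> Optional[str]:
    """Return the detection_type for one ProcessRollup2 event, or None if no branch matches."""
    if event.get("event_simpleName") != "ProcessRollup2":
        return None
    image, cmd = event.get("ImageFileName", ""), event.get("CommandLine", "")
    for img_re, cmd_re, dtype in COMPILED:
        if img_re.search(image) and cmd_re.search(cmd):
            return dtype
    return None

def detect(events: list) -> list:
    """Keep matching events, tag them with detection_type, newest first (like the query's sort)."""
    hits = [{**e, "detection_type": d} for e in events if (d := classify(e))]
    return sorted(hits, key=lambda e: e["timestamp"], reverse=True)

def ev(ts, image, cmd, parent="cmd.exe"):
    """Build a constructed Falcon-style ProcessRollup2 record (sample data, not real telemetry)."""
    return {"event_simpleName": "ProcessRollup2", "timestamp": ts, "ComputerName": "WS01",
            "UserName": "alice", "ParentBaseFileName": parent,
            "ImageFileName": "\\Device\\HarddiskVolume3\\Windows\\System32\\" + image,
            "CommandLine": cmd}

# Constructed sample telemetry: four true positives, one benign cipher run, one unrelated process.
SAMPLE_EVENTS = [
    ev(1, "cipher.exe",   r"cipher.exe /w:C:\Users\alice\Documents"),
    ev(2, "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ev(3, "wmic.exe",     "wmic.exe shadowcopy delete"),
    ev(4, "wevtutil.exe", "wevtutil.exe cl Security"),
    ev(5, "cipher.exe",   r"cipher.exe /e /s:C:\Users\alice\Secret"),  # encrypt, not a wipe
    ev(6, "notepad.exe",  "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["timestamp"], hit["ComputerName"], hit["detection_type"], hit["CommandLine"])
```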

Data Sources

CrowdStrike Falcon Process Events

Required Tables

ProcessRollup2

False Positives & Tuning

  • cipher.exe /w legitimately used by IT security teams to comply with NIST 800-88 media sanitization policies before asset disposal or drive reuse
  • Disk imaging or cloning tools (Clonezilla, Acronis, Norton Ghost, Macrium Reflect) that access raw disk handles during backup or restoration operations
  • Disk benchmarking utilities (CrystalDiskMark, HD Tune, ATTO Disk Benchmark) that open raw device handles for performance testing
  • Forensic workstations running EnCase, FTK, or Autopsy that access physical drives directly during evidence collection
  • Virtualization platforms (VMware, Hyper-V, VirtualBox) creating or reconfiguring virtual disk files with raw device access

Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Cipher.exe Freespace Wipe (Windows)

    Expected signal: Sysmon Event ID 1: Process Create with Image=cipher.exe, CommandLine containing '/w:' and the target path. Security Event ID 4688 (if command line auditing enabled). File system activity: cipher.exe creates temporary files in the target directory during the wipe pass (EFSTMPWP files), then deletes them.

  2. Test 2: Direct PhysicalDrive Access via PowerShell (Windows)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '\\.\PhysicalDrive0'. Sysmon Event ID 10 (Process Access) may fire if EDR monitors raw disk handle creation. PowerShell ScriptBlock Log Event ID 4104 with the full .NET FileStream code.

  3. Test 3: dd Disk Overwrite Simulation (Linux)

    Expected signal: Syslog/auditd: process execution record for dd with the if=/dev/urandom and of= arguments. If auditd is configured with -w /dev/urandom -p r rules, an audit record (type=SYSCALL) fires for the open() call on /dev/urandom. Process accounting records show dd execution with runtime and I/O statistics.

  4. Test 4: RawDisk Driver Service Installation Simulation (Windows)

    Expected signal: Sysmon Event ID 12 (Registry Key Create): TargetObject containing HKLM\SYSTEM\CurrentControlSet\Services\eltrawdrv_test. Sysmon Event ID 13 (Registry Value Set): TargetObject with ImagePath and Type values. Security Event ID 4657 (if object access auditing enabled for registry). Windows System Event ID 7045 would fire when the actual service is started (not triggered by this test).
