Detect Disk Content Wipe in Microsoft Sentinel
Adversaries may erase the contents of storage devices to interrupt availability of systems and network resources. Unlike file-level destruction, disk content wiping targets arbitrary raw disk sectors, making recovery through normal storage interfaces impossible. Attackers gain direct disk access via OS raw device handles (e.g., \\.\PhysicalDrive0 on Windows, /dev/sda on Linux), third-party kernel drivers like RawDisk (eltrawdrv.sys), or built-in utilities such as cipher.exe, dd, and shred. Real-world destructive campaigns include HermeticWiper (Ukraine 2022), WhisperGate (Ukraine 2022), AcidRain/AcidPour (satellite modems), and Lazarus Group's WhiskeyAlfa malware overwriting the first 64MB of every drive. These attacks are often staged alongside credential dumping and lateral movement to maximize organizational impact.
MITRE ATT&CK
- Tactic: Impact
- Technique: T1561 Disk Wipe
- Sub-technique: T1561.001 Disk Content Wipe
- Canonical reference: https://attack.mitre.org/techniques/T1561/001/
KQL Detection Query
// T1561.001 — Disk Content Wipe
// Operator note: `has` / `has_any` match whole alphanumeric terms, so a prefix such as
// "\\.\PhysicalDrive" does NOT match "\\.\PhysicalDrive0". `contains` is used wherever a
// device-path prefix is intended; `has_any` is kept where the value is a complete token.
// Branch 1: cipher.exe used to wipe free space (MegaCortex, Nearest Neighbor/Volexity)
let CipherWipe = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "cipher.exe"
| where ProcessCommandLine has_any ("/w", "-w")
| extend DetectionBranch = "cipher.exe freespace wipe";
// Branch 2: Windows built-in tools / LOLBins writing to raw disk device paths
let RawDiskAccess = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine contains @"\\.\PhysicalDrive"
    or ProcessCommandLine contains @"\\.\GLOBALROOT"
    or ProcessCommandLine contains @"\\.\HarddiskVolume"
    or ProcessCommandLine contains @"\\.\Disk"
    or ProcessCommandLine has_any ("IOCTL_DISK_FORMAT_TRACKS", "FSCTL_DISMOUNT_VOLUME")
| extend DetectionBranch = "raw disk device access in command line";
// Branch 3: Known destructive wiper driver names loaded (RawDisk, HermeticWiper drivers)
let WiperDriverLoad = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where FileName has_any (
    "eltrawdrv.sys", "rawdisk.sys", "epmntdrv.sys",
    "DRV_X64.sys", "DRV_X86.sys", "DRV_XP_X64.sys", "DRV_XP_X86.sys"
    )
| extend DetectionBranch = "wiper kernel driver loaded"
| project Timestamp, DeviceName, AccountName,
    FileName, FolderPath,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    DetectionBranch;
// Branch 4: New service/driver installed with suspicious wiper-related names
// ("eltrawdrv" rather than "eltraw": `has_any` needs the whole term to match the ImagePath value)
let WiperDriverInstall = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "HKLM\\SYSTEM\\CurrentControlSet\\Services"
| where RegistryValueData has_any (
    "rawdisk", "eltrawdrv", "epmntdrv", "DRV_X64", "DRV_X86"
    )
| extend DetectionBranch = "wiper driver service registry key created"
| project Timestamp, DeviceName, AccountName,
    RegistryKey, RegistryValueData,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    DetectionBranch;
// Branch 5: dd.exe (Windows port) writing zero/random blocks to a physical disk
// "bs=" is not used as a trigger on its own: it appears on nearly every dd invocation
let DDToolUsage = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "dd.exe"
| where ProcessCommandLine has_any ("if=/dev/zero", "if=/dev/urandom", "if=\\\\.\\zero")
    or ProcessCommandLine contains @"of=\\.\PhysicalDrive"
    or ProcessCommandLine contains "of=/dev/sd"
| extend DetectionBranch = "dd tool disk overwrite";
// Union all five branches (kind=outer keeps the differing column sets of Branches 3 and 4)
union kind=outer
    (CipherWipe | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch),
    (RawDiskAccess | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch),
    (DDToolUsage | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch),
    (WiperDriverLoad),
    (WiperDriverInstall)
| sort by Timestamp desc

Detects disk content wiping activity across five detection branches targeting T1561.001. Branch 1 identifies cipher.exe invoked with the /w (wipe) flag used by MegaCortex and other ransomware families. Branch 2 identifies processes with raw disk device paths (e.g., \\.\PhysicalDrive0) in their command lines, indicating direct sector-level access. Branch 3 detects loading of known wiper kernel drivers including RawDisk (eltrawdrv.sys) and HermeticWiper's embedded drivers. Branch 4 monitors the registry for wiper driver service key creation. Branch 5 catches the Windows port of dd.exe writing to physical disk devices. The union approach ensures broad coverage across different wiper toolkits.
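The process-event branches (1, 2 and 5) replayed in Python over constructed sample telemetry, as an added example that is not part of the original rule. It reimplements the Kusto `has` (whole-term) and `contains` (substring) operators so the difference matters visibly: a term-based match on the prefix \\.\PhysicalDrive does not hit \\.\PhysicalDrive1, while a substring match does. The sample rows, the `bs=` token being ignored as a trigger, and the helper names are all assumptions of this example.

```python
import re

# KQL string operators reimplemented so the branch logic can be exercised offline.
# Kusto `has` matches whole alphanumeric terms (case-insensitive); `contains` is a substring test.
_TERM = re.compile(r"[A-Za-z0-9]+")

def kql_has(text: str, needle: str) -> bool:
    """Approximate Kusto `has`: the needle's terms must appear as whole, adjacent terms."""
    hay = [t.lower() for t in _TERM.findall(text)]
    want = [t.lower() for t in _TERM.findall(needle)]
    return any(hay[i:i + len(want)] == want for i in range(len(hay) - len(want) + 1))

def kql_contains(text: str, needle: str) -> bool:
    """Kusto `contains`: case-insensitive substring match."""
    return needle.lower() in text.lower()

RAW_DEVICE_PREFIXES = (r"\\.\PhysicalDrive", r"\\.\GLOBALROOT", r"\\.\HarddiskVolume", r"\\.\Disk")
RAW_IOCTL_TERMS = ("IOCTL_DISK_FORMAT_TRACKS", "FSCTL_DISMOUNT_VOLUME")
DD_SOURCES = ("if=/dev/zero", "if=/dev/urandom")          # whole tokens: `has` is fine
DD_TARGETS = (r"of=\\.\PhysicalDrive", "of=/dev/sd")      # prefixes: need `contains`

def classify(event: dict) -> list:
    """Return the DetectionBranch labels one DeviceProcessEvents-style row would hit."""
    name, cmd = event["FileName"].lower(), event["ProcessCommandLine"]
    hits = []
    if name == "cipher.exe" and any(kql_has(cmd, f) for f in ("/w", "-w")):
        hits.append("cipher.exe freespace wipe")
    if any(kql_contains(cmd, p) for p in RAW_DEVICE_PREFIXES) or any(kql_has(cmd, t) for t in RAW_IOCTL_TERMS):
        hits.append("raw disk device access in command line")
    if name == "dd.exe" and (any(kql_has(cmd, s) for s in DD_SOURCES) or any(kql_contains(cmd, t) for t in DD_TARGETS)):
        hits.append("dd tool disk overwrite")
    return hits

# Constructed sample telemetry (not from the page), modelled on DeviceProcessEvents columns.
SAMPLE_EVENTS = [
    {"FileName": "cipher.exe", "ProcessCommandLine": r"cipher.exe /w:C:\Users\Public"},
    {"FileName": "CIPHER.EXE", "ProcessCommandLine": r"cipher /e C:\Finance"},  # encrypt, not wipe
    {"FileName": "powershell.exe", "ProcessCommandLine": r"powershell -c New-Object IO.FileStream('\\.\PhysicalDrive0','Open')"},
    {"FileName": "dd.exe", "ProcessCommandLine": r"dd if=/dev/zero of=\\.\PhysicalDrive1 bs=1M"},
    {"FileName": "dd.exe", "ProcessCommandLine": r"dd if=C:\img\backup.img of=D:\restore.img bs=4M"},  # benign copy
    {"FileName": "notepad.exe", "ProcessCommandLine": r"notepad.exe C:\notes.txt"},
]

def run_detection(events) -> dict:
    """Map each alerting command line to the branches it triggered (the KQL union, row by row)."""
    return {e["ProcessCommandLine"]: classify(e) for e in events if classify(e)}

if __name__ == "__main__":
    for cmd, branches in run_detection(SAMPLE_EVENTS).items():
        print(branches, cmd)
```

The dd.exe zero-fill row hits both Branch 2 and Branch 5, which in the real union surfaces as two rows for one process start; the benign dd copy and the cipher.exe /e encryption run produce nothing.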
Data Sources
Required Tables
- DeviceProcessEvents (Branches 1, 2 and 5)
- DeviceImageLoadEvents (Branch 3)
- DeviceRegistryEvents (Branch 4)
False Positives & Tuning
- cipher.exe /w legitimately used by IT security teams to comply with NIST 800-88 media sanitization policies before asset disposal or drive reuse
- Disk imaging or cloning tools (Clonezilla, Acronis, Norton Ghost, Macrium Reflect) that access raw disk handles during backup or restoration operations
- Disk benchmarking utilities (CrystalDiskMark, HD Tune, ATTO Disk Benchmark) that open raw device handles for performance testing
- Forensic workstations running EnCase, FTK, or Autopsy that access physical drives directly during evidence collection
- Virtualization platforms (VMware, Hyper-V, VirtualBox) creating or reconfiguring virtual disk files with raw device access
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Cipher.exe Freespace Wipe (Windows)
Expected signal: Sysmon Event ID 1: Process Create with Image=cipher.exe, CommandLine containing '/w:' and the target path. Security Event ID 4688 (if command line auditing enabled). File system activity: cipher.exe creates temporary files in the target directory during the wipe pass (EFSTMPWP files), then deletes them.
- Test 2: Direct PhysicalDrive Access via PowerShell (Windows)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '\\.\PhysicalDrive0'. Sysmon Event ID 10 (Process Access) may fire if EDR monitors raw disk handle creation. PowerShell ScriptBlock Log Event ID 4104 with the full .NET FileStream code.
- Test 3: dd Disk Overwrite Simulation (Linux)
Expected signal: Syslog/auditd: process execution record for dd with the if=/dev/urandom and of= arguments. If auditd is configured with -w /dev/urandom -p r rules, an audit record (type=SYSCALL) fires for the open() call on /dev/urandom. Process accounting records show dd execution with runtime and I/O statistics.
- Test 4: RawDisk Driver Service Installation Simulation (Windows)
Expected signal: Sysmon Event ID 12 (Registry Key Create): TargetObject containing HKLM\SYSTEM\CurrentControlSet\Services\eltrawdrv_test. Sysmon Event ID 13 (Registry Value Set): TargetObject with ImagePath and Type values. Security Event ID 4657 (if object access auditing enabled for registry). Windows System Event ID 7045 would fire when the actual service is started (not triggered by this test).
References
- https://attack.mitre.org/techniques/T1561/001/
- https://www.justice.gov/opa/press-release/file/1092091/download
- https://web.archive.org/web/20160303200515/https:/operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf
- https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
- https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/
- https://www.sentinelone.com/labs/agrius-from-destruction-to-disruption/
- https://www.sentinelone.com/labs/acidpour-new-embedded-wiper-variant-of-acidrain-appears-in-ukraine/
- https://blog.malwarebytes.com/threat-intelligence/2022/01/looking-into-the-whispergate-wiper/
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1561.001/T1561.001.md