T1561.001 Splunk · SPL

Detect Disk Content Wipe in Splunk

Adversaries may erase the contents of storage devices to interrupt availability of systems and network resources. Unlike file-level destruction, disk content wiping targets arbitrary raw disk sectors, making recovery through normal storage interfaces impossible. Attackers gain direct disk access via OS raw device handles (e.g., \\.\PhysicalDrive0 on Windows, /dev/sda on Linux), third-party kernel drivers like RawDisk (eltrawdrv.sys), or built-in utilities such as cipher.exe, dd, and shred. Real-world destructive campaigns include HermeticWiper (Ukraine 2022), WhisperGate (Ukraine 2022), AcidRain/AcidPour (satellite modems), and Lazarus Group's WhiskeyAlfa malware overwriting the first 64MB of every drive. These attacks are often staged alongside credential dumping and lateral movement to maximize organizational impact.

MITRE ATT&CK

Tactic: Impact
Technique: T1561 Disk Wipe
Sub-technique: T1561.001 Disk Content Wipe
Canonical reference: https://attack.mitre.org/techniques/T1561/001/

SPL Detection Query

Splunk (SPL)

```T1561.001 - Disk Content Wipe (Splunk / Sysmon + WinEventLog). Comments use Splunk's triple-backtick syntax so the search runs as-is.```
(
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  OR (sourcetype="WinEventLog:Security" EventCode=4688)
)
```Normalise Sysmon and Security 4688 field names onto one set of columns```
| eval Image=coalesce(Image, NewProcessName)
| eval CommandLine=coalesce(CommandLine, ProcessCommandLine)
| eval ParentImage=coalesce(ParentImage, ParentProcessName)
| eval ImageLower=lower(Image)
| eval CmdLower=lower(CommandLine)
```Detection Branch 1: cipher.exe free-space wipe. The switch is written /w:<directory>, so match the colon rather than trailing whitespace```
| eval Branch_CipherWipe=if(match(ImageLower, "cipher\.exe$") AND match(CmdLower, "[/\\-]w:"), 1, 0)
```Detection Branch 2: raw disk device path (\\.\PhysicalDrive, \\.\GLOBALROOT, \\.\HarddiskVolume) in the command line```
| eval Branch_RawDisk=if(match(CmdLower, "\\\\\\.\\\\(physicaldrive|globalroot|harddiskvolume|disk[0-9])"), 1, 0)
```Detection Branch 3: dd.exe writing to a physical disk or reading a zero/random source```
| eval Branch_DDWipe=if(match(ImageLower, "dd\.exe$") AND match(CmdLower, "(of=\\\\\\.\\\\physicaldrive|of=/dev/sd|if=/dev/(zero|urandom))"), 1, 0)
```Detection Branch 4: known wiper process names (WhisperGate, HermeticWiper, StoneDrill patterns)```
| eval Branch_KnownWiperNames=if(match(ImageLower, "(stage[12]\.exe|hermeticwiper|whispergate|acidpour|deadwood|stonedrill)"), 1, 0)
| eval TotalBranches=Branch_CipherWipe + Branch_RawDisk + Branch_DDWipe + Branch_KnownWiperNames
| where TotalBranches > 0
| eval DetectionBranches=mvappend(
    if(Branch_CipherWipe=1, "cipher_freespace_wipe", null()),
    if(Branch_RawDisk=1, "raw_disk_device_access", null()),
    if(Branch_DDWipe=1, "dd_disk_overwrite", null()),
    if(Branch_KnownWiperNames=1, "known_wiper_process_name", null())
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionBranches, TotalBranches
| sort - _time

Alternative driver-load query (run separately or union it with the process query above):

```Alternative query: wiper kernel driver loads (Sysmon EventCode=7)```
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7
(ImageLoaded="*eltrawdrv.sys" OR ImageLoaded="*rawdisk.sys" OR ImageLoaded="*epmntdrv.sys" OR ImageLoaded="*DRV_X64.sys" OR ImageLoaded="*DRV_X86.sys" OR ImageLoaded="*DRV_XP_X64.sys")
| eval DetectionBranch="wiper_kernel_driver_loaded"
| table _time, host, User, Image, ImageLoaded, Signed, Signature, DetectionBranch
| sort - _time

Severity: critical · Confidence: high

Detects disk content wiping activity using Sysmon EventCode=1 (Process Create) and Windows Security EventCode=4688. Four detection branches cover: (1) cipher.exe with the /w: switch, the free-space overwrite used by MegaCortex; (2) processes referencing raw disk device paths such as \\.\PhysicalDrive in their command lines; (3) dd.exe writing directly to physical disk devices; (4) known wiper malware process name patterns. An alternative Sysmon EventCode=7 (Image Load) query detects loading of known wiper kernel drivers, including RawDisk (eltrawdrv.sys) and HermeticWiper's embedded drivers. Each branch contributes 1 to the TotalBranches score, so events that trip several indicators at once (for example dd.exe writing to \\.\PhysicalDrive0 trips branches 2 and 3) sort to the top for triage.

Data Sources

  • Process: Process Creation
  • Driver: Driver Load
  • Sysmon Event ID 1
  • Sysmon Event ID 7
  • Windows Security Event ID 4688

Required Sourcetypes

  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  • WinEventLog:Security

False Positives & Tuning

  • cipher.exe /w legitimately used by IT security teams to comply with NIST 800-88 media sanitization policies before asset disposal or drive reuse
  • Disk imaging or cloning tools (Clonezilla, Acronis, Norton Ghost) accessing raw disk handles during backup or restoration
  • Disk benchmarking utilities (CrystalDiskMark, HD Tune) opening raw device handles for performance testing
  • Forensic workstations running EnCase, FTK, or Autopsy during evidence collection
  • Virtualization platforms (VMware, Hyper-V) creating or reconfiguring virtual disk files
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see; note that Test 3 produces Linux telemetry that the Windows-focused SPL query above does not consume. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Cipher.exe Freespace Wipe (Windows)

    Expected signal: Sysmon Event ID 1: Process Create with Image=cipher.exe, CommandLine containing '/w:' and the target path. Security Event ID 4688 (if command line auditing enabled). File system activity: cipher.exe creates temporary files in the target directory during the wipe pass (EFSTMPWP files), then deletes them.

  2. Test 2: Direct PhysicalDrive Access via PowerShell (Windows)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '\\.\PhysicalDrive0'. Sysmon Event ID 10 (Process Access) may fire if EDR monitors raw disk handle creation. PowerShell ScriptBlock Log Event ID 4104 with the full .NET FileStream code.

  3. Test 3: dd Disk Overwrite Simulation (Linux)

    Expected signal: Syslog/auditd: process execution record for dd with the if=/dev/urandom and of= arguments. If auditd is configured with -w /dev/urandom -p r rules, an audit record (type=SYSCALL) fires for the open() call on /dev/urandom. Process accounting records show dd execution with runtime and I/O statistics.

  4. Test 4: RawDisk Driver Service Installation Simulation (Windows)

    Expected signal: Sysmon Event ID 12 (Registry Key Create): TargetObject containing HKLM\SYSTEM\CurrentControlSet\Services\eltrawdrv_test. Sysmon Event ID 13 (Registry Value Set): TargetObject with ImagePath and Type values. Security Event ID 4657 (if object access auditing enabled for registry). Windows System Event ID 7045 would fire when the actual service is started (not triggered by this test).
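To check the branch logic of the SPL queries against the expected signals listed in the tests above, here is an added Python example (not part of the original page or its Pro content) that applies the same four process branches plus the driver-load branch to constructed Sysmon/4688-style events. All event records and field values are constructed samples; the regexes are direct translations of the SPL match() patterns.

```python
import re

# Constructed sample events modelled on the page's expected signals (not real telemetry).
EVENTS = [
    {"EventCode": 1, "Image": "C:\\Windows\\System32\\cipher.exe",
     "CommandLine": "cipher.exe /w:C:\\Users\\Public"},                               # Test 1
    {"EventCode": 4688, "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ProcessCommandLine": "powershell -c \"[IO.File]::OpenWrite('\\\\.\\PhysicalDrive0')\""},  # Test 2
    {"EventCode": 1, "Image": "C:\\Tools\\dd.exe",
     "CommandLine": "dd.exe if=/dev/zero of=\\\\.\\PhysicalDrive0 bs=1M"},             # Test 3, Windows dd port
    {"EventCode": 1, "Image": "C:\\Windows\\System32\\cipher.exe",
     "CommandLine": "cipher.exe /e C:\\Users\\alice\\secret.txt"},                     # benign EFS use, no /w:
    {"EventCode": 7, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\eltrawdrv.sys"},                 # driver from Test 4 loading
]

# Python forms of the SPL match() patterns; inputs are lower-cased like ImageLower / CmdLower.
RAW_DEVICE = re.compile(r"\\\\\.\\(physicaldrive|globalroot|harddiskvolume|disk[0-9])")
DD_TARGET = re.compile(r"(of=\\\\\.\\physicaldrive|of=/dev/sd|if=/dev/(zero|urandom))")
WIPER_NAMES = re.compile(r"(stage[12]\.exe|hermeticwiper|whispergate|acidpour|deadwood|stonedrill)")
WIPER_DRIVERS = ("eltrawdrv.sys", "rawdisk.sys", "epmntdrv.sys", "drv_x64.sys", "drv_x86.sys", "drv_xp_x64.sys")

BRANCHES = {
    "cipher_freespace_wipe": lambda img, cmd: img.endswith("cipher.exe") and re.search(r"[/\-]w:", cmd) is not None,
    "raw_disk_device_access": lambda img, cmd: RAW_DEVICE.search(cmd) is not None,
    "dd_disk_overwrite": lambda img, cmd: img.endswith("dd.exe") and DD_TARGET.search(cmd) is not None,
    "known_wiper_process_name": lambda img, cmd: WIPER_NAMES.search(img) is not None,
}


def score_event(ev):
    """Return (matched branch names, TotalBranches) for one event, mirroring both SPL queries."""
    code = ev.get("EventCode")
    if code == 7:  # alternative driver-load query
        loaded = ev.get("ImageLoaded", "").lower()
        hit = any(loaded.endswith(drv) for drv in WIPER_DRIVERS)
        return (["wiper_kernel_driver_loaded"], 1) if hit else ([], 0)
    if code not in (1, 4688):
        return ([], 0)
    img = (ev.get("Image") or ev.get("NewProcessName") or "").lower()       # coalesce(Image, NewProcessName)
    cmd = (ev.get("CommandLine") or ev.get("ProcessCommandLine") or "").lower()
    hits = [name for name, check in BRANCHES.items() if check(img, cmd)]
    return hits, len(hits)


def triage(events):
    """Keep events with TotalBranches > 0 and rank multi-indicator hits first, like the SPL where/sort."""
    rows = []
    for ev in events:
        hits, total = score_event(ev)
        if total > 0:
            rows.append({"event": ev, "branches": hits, "total": total})
    return sorted(rows, key=lambda r: -r["total"])
```

Running triage(EVENTS) keeps four of the five events and ranks the dd.exe write to \\.\PhysicalDrive0 first with a score of 2, while the benign cipher.exe /e invocation is dropped.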
