T1561.002

Disk Structure Wipe

Adversaries may corrupt or wipe disk data structures such as the Master Boot Record (MBR), GUID Partition Table (GPT), or partition entries to render systems permanently unbootable. Wiper malware (Shamoon, HermeticWiper, WhisperGate, CaddyWiper, KillDisk) achieves this by opening a handle to raw physical disk devices (e.g., \\.\PhysicalDrive0) and overwriting the first 512 bytes (MBR boot sector) or subsequent partition structures. Some malware uses kernel-mode drivers such as ElRawDisk.sys (Shamoon) or the HermeticWiper EaseUS driver to bypass user-mode restrictions and gain direct disk sector access. On Linux systems, adversaries use utilities like dd with /dev/zero or /dev/urandom targeting /dev/sda or /dev/nvme0n1. This technique is frequently combined with worm-like propagation via SMB/Windows Admin Shares, Valid Accounts, and OS Credential Dumping to maximize organizational impact.

Microsoft Sentinel / Defender

kusto

// Detection 1: Processes with raw physical disk handle access patterns
let PhysicalDriveAccess = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has "PhysicalDrive"
   or ProcessCommandLine has "\\\\.\\PHYSICALDRIVE"
   or ProcessCommandLine has "physicaldrive"
| extend AccessType = "RawDiskHandle"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          ProcessId, InitiatingProcessId, AccessType;
// Detection 2: dd.exe or disk utility wipe commands
let WiperToolCommands = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName =~ "dd.exe" and (ProcessCommandLine has "PhysicalDrive" or ProcessCommandLine has "if=/dev/zero" or ProcessCommandLine has "if=/dev/urandom"))
    or (FileName =~ "diskpart.exe" and InitiatingProcessFileName !in~ ("mmc.exe", "diskmgmt.msc"))
    or (FileName in~ ("shred", "wipe") and ProcessCommandLine has_any ("/dev/sd", "/dev/hd", "/dev/nvme", "/dev/vd"))
  )
| extend AccessType = "WiperTool"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          ProcessId, InitiatingProcessId, AccessType;
// Detection 3: Known wiper driver files dropped to non-standard paths
let WiperDriverDrop = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName endswith ".sys"
| where (
    FileName has_any ("elrawdsk", "ElRawDisk", "epmntdrv", "EPMNTDRV", "HermeticWiper")
    or (FolderPath has_any ("Temp", "AppData", "ProgramData", "Downloads") and FileName endswith ".sys")
  )
| extend AccessType = "WiperDriverDrop"
| project Timestamp, DeviceName, FileName, FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName,
          AccessType;
// Detection 4: Suspicious service installation for raw disk drivers (Event ID 7045)
let ServiceInstall = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 7045
| where ServiceType =~ "kernel mode driver"
| where ServiceFileName has_any ("Temp", "AppData", "ProgramData", "Users", "Downloads")
| extend AccessType = "SuspiciousDriverService"
| project TimeGenerated as Timestamp, Computer as DeviceName, ServiceName, ServiceFileName, AccessType;
union isfuzzy=true PhysicalDriveAccess, WiperToolCommands
| extend IsKnownWiper = FileName has_any ("Shamoon", "wiper", "HermeticWiper", "KillDisk", "CaddyWiper")
| extend IsDDTool = FileName =~ "dd.exe"
| extend IsDiskpart = FileName =~ "diskpart.exe"
| extend HasPhysicalDriveRef = ProcessCommandLine has "PhysicalDrive"
| sort by Timestamp desc

critical severity high confidence

Data Sources

Process: Process Creation File: File Creation Driver: Driver Load Windows: Security Event Log Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents SecurityEvent

False Positives

Legitimate disk imaging and backup software (Acronis True Image, Macrium Reflect, Clonezilla agent) that opens PhysicalDrive handles for sector-level backup and restore operations
Hardware diagnostic and benchmarking utilities (CrystalDiskInfo, HD Tune, manufacturer tools like Seagate SeaTools) that read raw disk sectors to retrieve SMART data or perform surface scans
Forensic acquisition tools (FTK Imager, dc3dd, Paladin) used by security teams that write forensic images by accessing physical disk handles directly
System administrators using dd.exe (GnuWin32/UnxUtils port) for disk cloning or image creation in lab and deployment environments
Virtualization platforms (VMware vSphere, VirtualBox, Hyper-V) that create and manage virtual disk files using driver-level disk access

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:System" OR sourcetype="WinEventLog:Security")
| eval DetectionVector=""
| eval IsMBRWipe=0
| eval IsDriverDrop=0
| eval IsServiceInstall=0
| eval IsWiperTool=0

``` Sysmon EventCode=1: Process Creation - raw disk access or dd/diskpart wipe patterns ```
| eval IsWiperTool=if(EventCode=1 AND (
    (match(lower(Image), "\\dd\.exe$") AND (match(CommandLine, "PhysicalDrive") OR match(CommandLine, "if=/dev/zero") OR match(CommandLine, "if=/dev/urandom")))
    OR (match(lower(Image), "\\diskpart\.exe$") AND NOT match(lower(ParentImage), "mmc\.exe"))
  ), 1, IsWiperTool)
| eval IsMBRWipe=if(EventCode=1 AND match(CommandLine, "(?i)PhysicalDrive"), 1, IsMBRWipe)

``` Sysmon EventCode=11: File Creation - wiper driver drops to user-writable paths ```
| eval IsDriverDrop=if(EventCode=11 AND match(lower(TargetFilename), "\.sys$") AND (
    match(lower(TargetFilename), "(elrawdsk|elrawdisk|epmntdrv|hermeticwiper|killdisk)")
    OR match(lower(TargetFilename), "(\\temp\\|\\appdata\\|\\programdata\\|\\users\\)") AND match(lower(TargetFilename), "\.sys$")
  ), 1, IsDriverDrop)

``` Sysmon EventCode=6: Driver Load - known wiper drivers ```
| eval IsDriverDrop=if(EventCode=6 AND match(lower(ImageLoaded), "(elrawdsk|epmntdrv|hermeticwiper)"), 1, IsDriverDrop)

``` Windows System Event 7045: New Service Install - kernel driver from suspicious path ```
| eval IsServiceInstall=if(EventCode=7045 AND match(lower(ServiceType), "kernel mode driver") AND match(lower(ServiceFileName), "(\\temp\\|\\appdata\\|\\programdata\\|\\users\\|\\downloads\\)"), 1, IsServiceInstall)

| eval SuspicionScore=IsMBRWipe + IsDriverDrop + IsServiceInstall + IsWiperTool
| where SuspicionScore > 0
| eval DetectionVector=case(
    IsMBRWipe=1, "PhysicalDriveHandle",
    IsDriverDrop=1, "WiperDriverDrop",
    IsServiceInstall=1, "KernelDriverService",
    IsWiperTool=1, "WiperToolCommand",
    true(), "Unknown"
  )
| table _time, host, User, Image, CommandLine, TargetFilename, ServiceFileName, ServiceName, ParentImage, DetectionVector, SuspicionScore
| sort - SuspicionScore, - _time

critical severity high confidence

Data Sources

Process: Process Creation File: File Creation Driver: Driver Load Windows: System Event Log Sysmon Event IDs 1, 6, 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:System WinEventLog:Security

False Positives

Legitimate disk imaging and backup software (Acronis True Image, Macrium Reflect, Clonezilla agent) that opens PhysicalDrive handles for sector-level backup and restore operations
Hardware diagnostic tools (CrystalDiskInfo, manufacturer SMART utilities, HD Tune) that read raw disk sectors for health checks
Forensic acquisition tools (FTK Imager, dc3dd) used by incident response teams accessing raw physical disk handles
System administrators using dd.exe for disk cloning or forensic image acquisition in lab environments
Virtualization drivers (VMware vmci.sys, VirtualBox vboxdrv.sys) legitimately installed as kernel drivers during software setup

Elastic Security (EQL)

eql

any where
  /* Detection 1: Raw PhysicalDrive handle access in process command line */
  (
    event.category == "process" and event.type == "start" and
    process.command_line like~ "*PhysicalDrive*"
  ) or

  /* Detection 2: dd.exe targeting physical disk or wipe sources */
  (
    event.category == "process" and event.type == "start" and
    process.name like~ "dd.exe" and
    process.command_line like~ ("*PhysicalDrive*", "*if=/dev/zero*", "*if=/dev/urandom*")
  ) or

  /* Detection 3: diskpart.exe spawned outside legitimate management tools */
  (
    event.category == "process" and event.type == "start" and
    process.name like~ "diskpart.exe" and
    not process.parent.name in~ ("mmc.exe", "diskmgmt.msc", "taskschd.msc")
  ) or

  /* Detection 4: Known wiper driver file created in user-writable paths */
  (
    event.category == "file" and event.type in ("creation", "change") and
    file.name like~ "*.sys" and
    (
      file.name like~ ("*elrawdsk*", "*elrawdisk*", "*epmntdrv*", "*hermeticwiper*", "*killdisk*", "*caddywiper*") or
      file.path like~ ("*\\Temp\\*", "*\\AppData\\*", "*\\ProgramData\\*", "*\\Downloads\\*")
    )
  ) or

  /* Detection 5: Known wiper kernel driver load (Sysmon EventCode 6) */
  (
    event.category == "driver" and
    file.name like~ ("*elrawdsk*", "*epmntdrv*", "*hermeticwiper*", "*killdisk*")
  ) or

  /* Detection 6: Kernel mode driver service installed from user-writable path (Event 7045) */
  (
    event.code == "7045" and
    winlog.event_data.ServiceType like~ "*kernel mode driver*" and
    winlog.event_data.ServiceFileName like~ ("*\\Temp\\*", "*\\AppData\\*", "*\\ProgramData\\*", "*\\Users\\*", "*\\Downloads\\*")
  )

critical severity high confidence

Data Sources

Elastic Endpoint Security (logs-endpoint.events.*) Winlogbeat with Sysmon Winlogbeat Windows Event Log

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* logs-endpoint.events.driver-* winlogbeat-*

False Positives

Legitimate disk diagnostic utilities such as CrystalDiskInfo, HD Tune, or Macrorit Disk Partition Expert that open raw PhysicalDrive handles for health monitoring and SMART data collection
IT administrators running diskpart.exe from scripts (cmd.exe, powershell.exe) during OS imaging, MDT/WDS deployments, or partition management workflows rather than through the expected mmc.exe parent
Digital forensics and incident response tools (FTK Imager, dd.exe for forensic imaging, WinHex, Autopsy) that legitimately access raw disk sectors and may drop companion driver files during operation

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    devicehostname AS Hostname,
    username AS AccountName,
    QIDNAME(qid) AS EventName,
    LOGSOURCETYPENAME(devicetype) AS LogSourceType,
    CASE
        WHEN UPPER(UTF8(payload)) LIKE '%PHYSICALDRIVE%'
             AND (QIDNAME(qid) LIKE '%Process Create%' OR QIDNAME(qid) LIKE '%new process%')
             THEN 'PhysicalDriveHandle'
        WHEN LOWER(UTF8(payload)) LIKE '%dd.exe%'
             AND (UPPER(UTF8(payload)) LIKE '%PHYSICALDRIVE%' OR UTF8(payload) LIKE '%if=/dev/zero%' OR UTF8(payload) LIKE '%if=/dev/urandom%')
             THEN 'WiperToolCommand'
        WHEN LOWER(UTF8(payload)) LIKE '%diskpart.exe%'
             AND NOT LOWER(UTF8(payload)) LIKE '%mmc.exe%'
             AND (QIDNAME(qid) LIKE '%Process Create%' OR QIDNAME(qid) LIKE '%new process%')
             THEN 'WiperToolCommand'
        WHEN QIDNAME(qid) LIKE '%Driver Load%'
             AND (LOWER(UTF8(payload)) LIKE '%elrawdsk%' OR LOWER(UTF8(payload)) LIKE '%epmntdrv%' OR LOWER(UTF8(payload)) LIKE '%hermeticwiper%')
             THEN 'WiperDriverLoad'
        WHEN LOWER(UTF8(payload)) LIKE '%kernel mode driver%'
             AND (LOWER(UTF8(payload)) LIKE '%\temp\%' OR LOWER(UTF8(payload)) LIKE '%\appdata\%' OR LOWER(UTF8(payload)) LIKE '%\programdata\%' OR LOWER(UTF8(payload)) LIKE '%\users\%')
             THEN 'KernelDriverService'
        WHEN QIDNAME(qid) LIKE '%File Create%'
             AND LOWER(UTF8(payload)) LIKE '%.sys%'
             AND (LOWER(UTF8(payload)) LIKE '%elrawdsk%' OR LOWER(UTF8(payload)) LIKE '%epmntdrv%' OR LOWER(UTF8(payload)) LIKE '%hermeticwiper%' OR LOWER(UTF8(payload)) LIKE '%killdisk%')
             THEN 'WiperDriverDrop'
        ELSE 'DiskWipeIndicator'
    END AS DetectionVector,
    UTF8(payload) AS RawPayload
FROM events
WHERE
    starttime > NOW() - 86400000
    AND (
        LOGSOURCETYPENAME(devicetype) LIKE '%Windows%'
        OR LOGSOURCETYPENAME(devicetype) LIKE '%Sysmon%'
        OR LOGSOURCETYPENAME(devicetype) LIKE '%Microsoft%'
    )
    AND (
        /* Vector 1: Raw PhysicalDrive access in process command line (Sysmon 1 / Security 4688) */
        (
            (QIDNAME(qid) LIKE '%Process Create%' OR QIDNAME(qid) LIKE '%new process has been created%')
            AND UPPER(UTF8(payload)) LIKE '%PHYSICALDRIVE%'
        )
        /* Vector 2: dd.exe targeting physical disk or wipe source */
        OR (
            (QIDNAME(qid) LIKE '%Process Create%' OR QIDNAME(qid) LIKE '%new process has been created%')
            AND LOWER(UTF8(payload)) LIKE '%dd.exe%'
            AND (
                UPPER(UTF8(payload)) LIKE '%PHYSICALDRIVE%'
                OR UTF8(payload) LIKE '%if=/dev/zero%'
                OR UTF8(payload) LIKE '%if=/dev/urandom%'
            )
        )
        /* Vector 3: diskpart.exe outside legitimate management tools */
        OR (
            (QIDNAME(qid) LIKE '%Process Create%' OR QIDNAME(qid) LIKE '%new process has been created%')
            AND LOWER(UTF8(payload)) LIKE '%diskpart.exe%'
            AND NOT LOWER(UTF8(payload)) LIKE '%mmc.exe%'
        )
        /* Vector 4: Known wiper driver name in file creation event (Sysmon 11) */
        OR (
            QIDNAME(qid) LIKE '%File Create%'
            AND LOWER(UTF8(payload)) LIKE '%.sys%'
            AND (
                LOWER(UTF8(payload)) LIKE '%elrawdsk%'
                OR LOWER(UTF8(payload)) LIKE '%epmntdrv%'
                OR LOWER(UTF8(payload)) LIKE '%hermeticwiper%'
                OR LOWER(UTF8(payload)) LIKE '%killdisk%'
                OR (
                    (
                        LOWER(UTF8(payload)) LIKE '%\temp\%'
                        OR LOWER(UTF8(payload)) LIKE '%\appdata\%'
                        OR LOWER(UTF8(payload)) LIKE '%\programdata\%'
                    )
                    AND LOWER(UTF8(payload)) LIKE '%.sys%'
                )
            )
        )
        /* Vector 5: Known wiper kernel driver load (Sysmon 6) */
        OR (
            QIDNAME(qid) LIKE '%Driver Load%'
            AND (
                LOWER(UTF8(payload)) LIKE '%elrawdsk%'
                OR LOWER(UTF8(payload)) LIKE '%epmntdrv%'
                OR LOWER(UTF8(payload)) LIKE '%hermeticwiper%'
            )
        )
        /* Vector 6: Kernel mode driver service installed from non-system path (Event 7045) */
        OR (
            QIDNAME(qid) LIKE '%new service%'
            AND LOWER(UTF8(payload)) LIKE '%kernel mode driver%'
            AND (
                LOWER(UTF8(payload)) LIKE '%\temp\%'
                OR LOWER(UTF8(payload)) LIKE '%\appdata\%'
                OR LOWER(UTF8(payload)) LIKE '%\programdata\%'
                OR LOWER(UTF8(payload)) LIKE '%\users\%'
                OR LOWER(UTF8(payload)) LIKE '%\downloads\%'
            )
        )
    )
ORDER BY starttime DESC
LIMIT 500

critical severity medium confidence

Data Sources

QRadar Windows Security Event Log DSM QRadar Sysmon DSM QRadar Microsoft Windows System Log DSM

Required Tables

events

False Positives

Enterprise disk backup solutions such as Acronis True Image, Veeam Agent, or Symantec Ghost that use raw PhysicalDrive handles during scheduled backup jobs — validate against backup job schedules and authorized initiating processes
Windows Subsystem for Linux (WSL2) or Cygwin providing a dd binary used legitimately by developers or sysadmins for disk cloning or data migration tasks to network targets rather than wipe operations
Third-party full-disk encryption products (VeraCrypt, McAfee Drive Encryption, Sophos SafeGuard) that install kernel drivers from %ProgramData% or %Temp% staging paths during initial volume encryption setup before relocating to System32\drivers

Sumo Logic CSE

sql

(_sourceCategory=windows/sysmon OR _sourceCategory=windows/security OR _sourceCategory=windows/system OR _sourceCategory=*sysmon* OR _sourceCategory=*wineventlog*)
| where EventCode in ("1", "4688", "11", "6", "7045")

/* Extract key fields from structured log messages */
| parse regex "(?i)CommandLine[\s=:]+(?P<CommandLine>[^\r\n]+)" nodrop
| parse regex "(?i)(?:Image|ProcessName)[\s=:]+(?P<ProcessImage>[^\r\n]+)" nodrop
| parse regex "(?i)ParentImage[\s=:]+(?P<ParentImage>[^\r\n]+)" nodrop
| parse regex "(?i)TargetFilename[\s=:]+(?P<TargetFilename>[^\r\n]+)" nodrop
| parse regex "(?i)ImageLoaded[\s=:]+(?P<DriverLoaded>[^\r\n]+)" nodrop
| parse regex "(?i)ServiceFileName[\s=:]+(?P<ServiceFileName>[^\r\n]+)" nodrop
| parse regex "(?i)ServiceType[\s=:]+(?P<ServiceType>[^\r\n]+)" nodrop
| parse regex "(?i)ServiceName[\s=:]+(?P<ServiceName>[^\r\n]+)" nodrop
| parse regex "(?i)(?:Computer|Hostname)[\s=:]+(?P<Computer>[^\r\n]+)" nodrop
| parse regex "(?i)(?:User|Account)[\s=:]+(?P<AccountName>[^\r\n]+)" nodrop

/* Score each detection vector */
| eval IsMBRWipe = if(matches(CommandLine, "(?i)PhysicalDrive"), 1, 0)

| eval IsWiperTool = if(
    EventCode in ("1", "4688") and (
      (matches(ProcessImage, "(?i)\\dd\.exe$") and (
        matches(CommandLine, "(?i)PhysicalDrive")
        or matches(CommandLine, "if=/dev/zero")
        or matches(CommandLine, "if=/dev/urandom")
      ))
      or (
        matches(ProcessImage, "(?i)\\diskpart\.exe$")
        and not matches(ParentImage, "(?i)(mmc\.exe|diskmgmt\.msc)")
      )
    ), 1, 0)

| eval IsDriverDrop = if(
    EventCode = "11"
    and matches(TargetFilename, "(?i)\.sys$")
    and (
      matches(TargetFilename, "(?i)(elrawdsk|elrawdisk|epmntdrv|hermeticwiper|killdisk|caddywiper)")
      or (
        matches(TargetFilename, "(?i)\\(temp|appdata|programdata|downloads)\\")
        and matches(TargetFilename, "(?i)\.sys$")
      )
    ), 1, 0)

| eval IsDriverLoad = if(
    EventCode = "6"
    and matches(DriverLoaded, "(?i)(elrawdsk|elrawdisk|epmntdrv|hermeticwiper|killdisk)"),
    1, 0)

| eval IsServiceInstall = if(
    EventCode = "7045"
    and matches(ServiceType, "(?i)kernel mode driver")
    and matches(ServiceFileName, "(?i)\\(temp|appdata|programdata|users|downloads)\\"),
    1, 0)

| eval SuspicionScore = IsMBRWipe + IsWiperTool + IsDriverDrop + IsDriverLoad + IsServiceInstall
| where SuspicionScore > 0

| eval DetectionVector = if(IsDriverLoad = 1, "WiperDriverLoad",
    if(IsMBRWipe = 1, "PhysicalDriveHandle",
    if(IsServiceInstall = 1, "KernelDriverService",
    if(IsWiperTool = 1, "WiperToolCommand",
    if(IsDriverDrop = 1, "WiperDriverDrop", "Unknown")))))

| fields _messageTime, Computer, AccountName, EventCode, ProcessImage, CommandLine, ParentImage, TargetFilename, DriverLoaded, ServiceFileName, ServiceName, DetectionVector, SuspicionScore
| sort by SuspicionScore desc, _messageTime desc

critical severity high confidence

Data Sources

Sumo Logic Windows Event Log Collector Sumo Logic Sysmon Collector Sumo Logic Installed Collector (Windows)

Required Tables

windows/sysmon windows/security windows/system

False Positives

Penetration testing tools or authorized red team exercises using dd.exe or custom raw disk drivers for disk imaging tasks — cross-reference against approved testing windows and red team change tickets
Software installers for storage management products (Intel RST, Samsung Magician, Seagate Toolkit, WD Dashboard) that stage kernel drivers in %ProgramData% or %Temp% before relocating to System32\drivers during setup
IT provisioning workflows using WinPE, MDT, or SCCM task sequences that invoke diskpart.exe as a child of cmd.exe or powershell.exe rather than mmc.exe during automated OS deployment pipelines

Google Chronicle / SecOps

yaral

rule t1561_002_disk_structure_wipe {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects disk structure wipe activity (T1561.002) including raw PhysicalDrive handle access, dd.exe/diskpart wiper tool commands, known wiper driver drops to user-writable paths, wiper kernel driver loads, and kernel mode driver service installations from non-system paths. Covers Shamoon (ElRawDisk), HermeticWiper (epmntdrv/EaseUS driver), WhisperGate, CaddyWiper, and KillDisk."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1561.002"
    mitre_attack_technique_name = "Disk Structure Wipe"
    severity = "CRITICAL"
    confidence = "HIGH"
    priority = "HIGH"
    version = "1.0"

  events:
    (
      /* Vector 1: Raw PhysicalDrive handle in process command line */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.command_line, `(?i)physicaldrive`)
      )
      or
      /* Vector 2: dd.exe targeting physical disk or wipe source devices */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.file.full_path, `(?i)\\dd\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(physicaldrive|if=/dev/zero|if=/dev/urandom)`)
      )
      or
      /* Vector 3: diskpart.exe launched outside legitimate management console */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.file.full_path, `(?i)\\diskpart\.exe$`)
        and not re.regex($e.principal.process.file.full_path, `(?i)(mmc\.exe|diskmgmt\.msc|taskschd\.msc)`)
      )
      or
      /* Vector 4: Known wiper driver file created in user-writable directory */
      (
        $e.metadata.event_type = "FILE_CREATION"
        and re.regex($e.target.file.full_path, `(?i)\.sys$`)
        and (
          re.regex($e.target.file.full_path, `(?i)(elrawdsk|elrawdisk|epmntdrv|hermeticwiper|killdisk|caddywiper)`)
          or re.regex($e.target.file.full_path, `(?i)\\(temp|appdata|programdata|users\\[^\\]+\\downloads)\\`)
        )
      )
      or
      /* Vector 5: Known wiper kernel driver load */
      (
        $e.metadata.event_type = "DRIVER_UNCATEGORIZED"
        and re.regex($e.target.file.full_path, `(?i)(elrawdsk|elrawdisk|epmntdrv|hermeticwiper|killdisk)`)
      )
      or
      /* Vector 6: Kernel mode driver service installed from non-system path (Event 7045) */
      (
        $e.metadata.event_type = "SERVICE_UNSPECIFIED"
        and re.regex($e.target.resource.name, `(?i)kernel mode driver`)
        and re.regex($e.target.file.full_path, `(?i)\\(temp|appdata|programdata|users|downloads)\\`)
      )
    )

  outcome:
    $hostname = $e.principal.hostname
    $username = $e.principal.user.userid
    $process_path = $e.target.process.file.full_path
    $command_line = $e.target.process.command_line
    $file_path = $e.target.file.full_path
    $event_type = $e.metadata.event_type
    $risk_score = max(
      if(re.regex($e.target.process.command_line, `(?i)physicaldrive`), 75, 0),
      if(re.regex($e.target.file.full_path, `(?i)(elrawdsk|epmntdrv|hermeticwiper)`), 95, 0),
      if($e.metadata.event_type = "SERVICE_UNSPECIFIED", 80, 0),
      if($e.metadata.event_type = "DRIVER_UNCATEGORIZED", 90, 0),
      60
    )

  condition:
    $e
}

critical severity high confidence

Data Sources

Google Chronicle Unified Data Model (UDM) Chronicle Windows Event Log Forwarder Chronicle Sysmon Parser CrowdStrike Falcon Chronicle Integration

Required Tables

UDM Events

False Positives

Enterprise storage array management software and HBA drivers (LSI MegaRAID, Broadcom Emulex, Marvell RAID) that stage kernel drivers to non-system directories during firmware update or driver installation procedures
Legitimate forensic imaging operations by incident response or IT asset management teams using dd.exe with PhysicalDrive targets during evidence collection, disk duplication, or secure decommissioning workflows
Full-disk encryption deployment pipelines using VeraCrypt, McAfee Drive Encryption, or Sophos SafeGuard that create and install kernel drivers from %ProgramData% staging paths during initial volume encryption setup before copying to System32\drivers

CrowdStrike LogScale (CQL)

cql

#event_simpleName = /^(ProcessRollup2|PeFileWritten|DriverLoad|ServiceInstall)$/

/* Vector 1: Raw PhysicalDrive handle in command line */
| IsMBRWipe := if(CommandLine = /(?i)physicaldrive/, 1, 0)

/* Vector 2 & 3: dd.exe or diskpart wiper tool commands */
| IsWiperTool := if(
    #event_simpleName = "ProcessRollup2"
    and (
      (
        ImageFileName = /(?i)\\dd\.exe$/
        and CommandLine = /(?i)(physicaldrive|if=\/dev\/zero|if=\/dev\/urandom)/
      )
      or (
        ImageFileName = /(?i)\\diskpart\.exe$/
        and not ParentBaseFileName = /(?i)(mmc\.exe|diskmgmt\.msc)/
      )
    ),
    1, 0)

/* Vector 4: Known wiper driver PE written to user-writable path */
| IsDriverDrop := if(
    #event_simpleName = "PeFileWritten"
    and TargetFileName = /(?i)\.sys$/
    and (
      TargetFileName = /(?i)(elrawdsk|elrawdisk|epmntdrv|hermeticwiper|killdisk|caddywiper)/
      or TargetFileName = /(?i)\\(temp|appdata|programdata|downloads)\\/
    ),
    1, 0)

/* Vector 5: Known wiper kernel driver load */
| IsKnownWiperDriver := if(
    #event_simpleName = "DriverLoad"
    and ImageFileName = /(?i)(elrawdsk|elrawdisk|epmntdrv|hermeticwiper|killdisk)/,
    1, 0)

/* Vector 6: Service installed with kernel driver binary from non-system path */
| IsServiceInstall := if(
    #event_simpleName = "ServiceInstall"
    and ServiceImagePath = /(?i)\\(temp|appdata|programdata|users|downloads)\\/,
    1, 0)

| SuspicionScore := IsMBRWipe + IsWiperTool + IsDriverDrop + IsKnownWiperDriver + IsServiceInstall
| SuspicionScore > 0

| DetectionVector := case {
    IsKnownWiperDriver = 1 => "WiperDriverLoad";
    IsServiceInstall = 1   => "KernelDriverService";
    IsMBRWipe = 1          => "PhysicalDriveHandle";
    IsWiperTool = 1        => "WiperToolCommand";
    IsDriverDrop = 1       => "WiperDriverDrop";
    *                      => "Unknown"
  }

| select(
    [
      @timestamp, ComputerName, UserName,
      ImageFileName, CommandLine, ParentBaseFileName,
      TargetFileName, ServiceImagePath, ServiceName,
      DetectionVector, SuspicionScore
    ]
  )
| sort(SuspicionScore, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Platform Falcon ProcessRollup2 Telemetry Falcon PeFileWritten Telemetry Falcon DriverLoad Telemetry Falcon ServiceInstall Telemetry

Required Tables

ProcessRollup2 PeFileWritten DriverLoad ServiceInstall

False Positives

CrowdStrike sensor exclusion-listed or allow-listed security products (Carbon Black, Symantec EP, Malwarebytes) whose kernel drivers are staged in non-standard directories by managed deployment tooling (SCCM, Intune, Ansible) before installation — validate against software deployment schedules
Developer or IT test lab environments where dd.exe is used for legitimate disk benchmarking, wipe verification of decommissioned hardware, or forensic imaging — cross-reference ComputerName against asset inventory for end-of-life or lab classification
Automated OS provisioning pipelines (Ansible, Puppet, PowerShell DSC, PXE boot sequences) that invoke diskpart.exe as a child of cmd.exe or powershell.exe rather than the expected mmc.exe parent, especially during server build or cloud VM initialization workflows

Last updated: 2026-04-14 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1561.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Disk Structure Wipe

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Impact

Popular Detections