Detect Disk Structure Wipe in IBM QRadar
Adversaries corrupt or wipe disk data structures such as the Master Boot Record (MBR), GUID Partition Table (GPT), or partition entries to render systems unbootable. Wiper malware (Shamoon, HermeticWiper, WhisperGate, CaddyWiper, KillDisk) does this by opening a handle to a raw physical disk device (e.g., \\.\PhysicalDrive0) and overwriting the first 512 bytes (the MBR boot sector) or the partition structures that follow it. Some families drop a legitimately signed third-party kernel-mode driver, such as the EldoS RawDisk driver ElRawDisk.sys (Shamoon) or the EaseUS Partition Master driver epmntdrv.sys (HermeticWiper), to write to sectors of mounted volumes that the OS blocks for user-mode callers and to reach the disk below file-system filter drivers. On Linux systems, adversaries use dd with /dev/zero or /dev/urandom as the input source against /dev/sda or /dev/nvme0n1. The technique is frequently combined with worm-like propagation over SMB/Windows Admin Shares, Valid Accounts, and OS Credential Dumping to maximize organizational impact.
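The first 512 bytes described above have a fixed layout (446 bytes of boot code, four 16-byte partition entries at offset 0x1BE, and the 0x55AA signature at bytes 510 and 511), which makes a wiped or replaced boot sector easy to recognise during triage. The following is an added example, not code from the page or from any vendor tool: it parses one sector and classifies it as intact, GPT-protective, zeroed (dd if=/dev/zero style), signature-less (random overwrite), or signature-present-but-empty (a dropped-in bootloader with no partition table, the WhisperGate-style outcome). All sample sectors are constructed in the block; the function and label names are this example's own.

```python
"""Triage check for a wiped or overwritten MBR (added example, constructed samples)."""
import struct

SECTOR = 512
PART_TABLE = 0x1BE           # 446: four 16-byte partition entries follow the boot code
SIGNATURE = b"\x55\xaa"      # bytes 510..511 of a valid MBR
GPT_PROTECTIVE = 0xEE        # partition type used by the protective MBR of a GPT disk


def parse_partitions(sector: bytes) -> list:
    """Return the non-empty partition entries as dicts (status, type, lba_start, sectors)."""
    entries = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE + 16 * i)
        if ptype == 0 and count == 0:
            continue                      # unused slot
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def classify_sector(sector: bytes) -> str:
    """Label a 512-byte LBA 0 read from a disk image or device."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    if not any(sector):
        return "zeroed"                   # whole sector is 0x00: dd if=/dev/zero style wipe
    if sector[510:512] != SIGNATURE:
        return "no-signature"             # random/garbage overwrite or partial wipe
    parts = parse_partitions(sector)
    if not parts:
        return "signature-only-no-partitions"   # bootloader replaced, table destroyed
    if any(p["type"] == GPT_PROTECTIVE for p in parts):
        return "gpt-protective"           # LBA 0 is fine; the GPT header at LBA 1 still needs checking
    return "intact-mbr"


def triage_image(path: str) -> str:
    """Read LBA 0 from a raw disk image (or a device node) and classify it."""
    with open(path, "rb") as f:
        return classify_sector(f.read(SECTOR))


def build_mbr(entries) -> bytes:
    """Construct a sample sector: filler boot code, the given entries, valid signature."""
    buf = bytearray(b"\x90" * PART_TABLE) + bytearray(64) + bytearray(SIGNATURE)
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", buf, PART_TABLE + 16 * i,
                         status, b"\x00\x02\x00", ptype, b"\xfe\xff\xff", lba, count)
    return bytes(buf)


# Constructed samples (not real disk captures).
INTACT = build_mbr([(0x80, 0x07, 2048, 1_024_000)])        # one bootable NTFS partition
PROTECTIVE = build_mbr([(0x00, 0xEE, 1, 0xFFFFFFFF)])      # GPT protective MBR
ZEROED = bytes(SECTOR)                                      # dd if=/dev/zero bs=512 count=1
GARBAGE = bytes((i * 73 + 11) & 0xFF for i in range(SECTOR))   # urandom-style overwrite
FAKE_BOOTLOADER = b"\xb8\x00\x00" + bytes(507) + SIGNATURE  # code + signature, no table

if __name__ == "__main__":
    for name, sec in [("intact", INTACT), ("protective", PROTECTIVE), ("zeroed", ZEROED),
                      ("garbage", GARBAGE), ("fake_bootloader", FAKE_BOOTLOADER)]:
        print(f"{name:16} -> {classify_sector(sec)}")
```

Only LBA 0 is checked here; a GPT disk keeps its real partition metadata in the header at LBA 1 and the backup header at the last LBA, so a "gpt-protective" result says nothing about whether those were overwritten.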
MITRE ATT&CK
- Tactic: Impact
- Technique: T1561 Disk Wipe
- Sub-technique: T1561.002 Disk Structure Wipe
- Canonical reference: https://attack.mitre.org/techniques/T1561/002/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
devicehostname AS Hostname,
username AS AccountName,
QIDNAME(qid) AS EventName,
LOGSOURCETYPENAME(devicetype) AS LogSourceType,
CASE
/* Most specific match first: dd.exe aimed at a physical disk or fed from a zero/random source */
WHEN (QIDNAME(qid) LIKE '%Process Create%' OR QIDNAME(qid) LIKE '%new process has been created%')
AND LOWER(UTF8(payload)) LIKE '%dd.exe%'
AND (UPPER(UTF8(payload)) LIKE '%PHYSICALDRIVE%' OR UTF8(payload) LIKE '%if=/dev/zero%' OR UTF8(payload) LIKE '%if=/dev/urandom%')
THEN 'WiperToolCommand'
WHEN (QIDNAME(qid) LIKE '%Process Create%' OR QIDNAME(qid) LIKE '%new process has been created%')
AND UPPER(UTF8(payload)) LIKE '%PHYSICALDRIVE%'
THEN 'PhysicalDriveHandle'
WHEN (QIDNAME(qid) LIKE '%Process Create%' OR QIDNAME(qid) LIKE '%new process has been created%')
AND LOWER(UTF8(payload)) LIKE '%diskpart.exe%'
AND NOT LOWER(UTF8(payload)) LIKE '%mmc.exe%'
THEN 'WiperToolCommand'
WHEN QIDNAME(qid) LIKE '%Driver Load%'
AND (LOWER(UTF8(payload)) LIKE '%elrawdsk%' OR LOWER(UTF8(payload)) LIKE '%epmntdrv%' OR LOWER(UTF8(payload)) LIKE '%hermeticwiper%')
THEN 'WiperDriverLoad'
WHEN QIDNAME(qid) LIKE '%new service%'
AND LOWER(UTF8(payload)) LIKE '%kernel mode driver%'
AND (LOWER(UTF8(payload)) LIKE '%\temp\%' OR LOWER(UTF8(payload)) LIKE '%\appdata\%' OR LOWER(UTF8(payload)) LIKE '%\programdata\%' OR LOWER(UTF8(payload)) LIKE '%\users\%' OR LOWER(UTF8(payload)) LIKE '%\downloads\%')
THEN 'KernelDriverService'
WHEN QIDNAME(qid) LIKE '%File Create%'
AND LOWER(UTF8(payload)) LIKE '%.sys%'
AND (LOWER(UTF8(payload)) LIKE '%elrawdsk%' OR LOWER(UTF8(payload)) LIKE '%epmntdrv%' OR LOWER(UTF8(payload)) LIKE '%hermeticwiper%' OR LOWER(UTF8(payload)) LIKE '%killdisk%'
OR LOWER(UTF8(payload)) LIKE '%\temp\%' OR LOWER(UTF8(payload)) LIKE '%\appdata\%' OR LOWER(UTF8(payload)) LIKE '%\programdata\%')
THEN 'WiperDriverDrop'
ELSE 'DiskWipeIndicator'
END AS DetectionVector,
UTF8(payload) AS RawPayload
FROM events
WHERE
starttime > NOW() - 86400000
AND (
LOGSOURCETYPENAME(devicetype) LIKE '%Windows%'
OR LOGSOURCETYPENAME(devicetype) LIKE '%Sysmon%'
OR LOGSOURCETYPENAME(devicetype) LIKE '%Microsoft%'
)
AND (
/* Vector 1: Raw PhysicalDrive path in process command line (Sysmon 1 / Security 4688) */
(
(QIDNAME(qid) LIKE '%Process Create%' OR QIDNAME(qid) LIKE '%new process has been created%')
AND UPPER(UTF8(payload)) LIKE '%PHYSICALDRIVE%'
)
/* Vector 2: dd.exe targeting a physical disk or using a zero/random input source */
OR (
(QIDNAME(qid) LIKE '%Process Create%' OR QIDNAME(qid) LIKE '%new process has been created%')
AND LOWER(UTF8(payload)) LIKE '%dd.exe%'
AND (
UPPER(UTF8(payload)) LIKE '%PHYSICALDRIVE%'
OR UTF8(payload) LIKE '%if=/dev/zero%'
OR UTF8(payload) LIKE '%if=/dev/urandom%'
)
)
/* Vector 3: diskpart.exe launched outside the Disk Management console (mmc.exe) */
OR (
(QIDNAME(qid) LIKE '%Process Create%' OR QIDNAME(qid) LIKE '%new process has been created%')
AND LOWER(UTF8(payload)) LIKE '%diskpart.exe%'
AND NOT LOWER(UTF8(payload)) LIKE '%mmc.exe%'
)
/* Vector 4: Known wiper driver name, or any .sys written to a user-writable staging path (Sysmon 11) */
OR (
QIDNAME(qid) LIKE '%File Create%'
AND LOWER(UTF8(payload)) LIKE '%.sys%'
AND (
LOWER(UTF8(payload)) LIKE '%elrawdsk%'
OR LOWER(UTF8(payload)) LIKE '%epmntdrv%'
OR LOWER(UTF8(payload)) LIKE '%hermeticwiper%'
OR LOWER(UTF8(payload)) LIKE '%killdisk%'
OR LOWER(UTF8(payload)) LIKE '%\temp\%'
OR LOWER(UTF8(payload)) LIKE '%\appdata\%'
OR LOWER(UTF8(payload)) LIKE '%\programdata\%'
)
)
/* Vector 5: Known wiper kernel driver load (Sysmon 6) */
OR (
QIDNAME(qid) LIKE '%Driver Load%'
AND (
LOWER(UTF8(payload)) LIKE '%elrawdsk%'
OR LOWER(UTF8(payload)) LIKE '%epmntdrv%'
OR LOWER(UTF8(payload)) LIKE '%hermeticwiper%'
)
)
/* Vector 6: Kernel mode driver service installed from a non-system path (System 7045) */
OR (
QIDNAME(qid) LIKE '%new service%'
AND LOWER(UTF8(payload)) LIKE '%kernel mode driver%'
AND (
LOWER(UTF8(payload)) LIKE '%\temp\%'
OR LOWER(UTF8(payload)) LIKE '%\appdata\%'
OR LOWER(UTF8(payload)) LIKE '%\programdata\%'
OR LOWER(UTF8(payload)) LIKE '%\users\%'
OR LOWER(UTF8(payload)) LIKE '%\downloads\%'
)
)
)
ORDER BY starttime DESC
LIMIT 500
QRadar AQL query detecting disk structure wipe indicators (T1561.002) across Windows Security, System, and Sysmon log sources. It covers six detection vectors by payload text matching: a raw PhysicalDrive path on a process command line (Sysmon 1 / Security 4688), dd.exe and diskpart wiper tool commands, wiper driver file creation (Sysmon 11) for elrawdsk/epmntdrv/HermeticWiper/KillDisk names or any .sys dropped into a user-writable staging path, wiper kernel driver load events (Sysmon 6), and kernel mode driver service installs from non-standard paths (System 7045). Each row is labelled by DetectionVector, most specific match first, and results are sorted by recency.
Two coverage caveats apply. Sysmon records raw-device reads (Event ID 9, RawAccessRead) but has no event for raw writes, so a compiled wiper that opens \\.\PhysicalDrive0 from its own code leaves no command-line artefact; vector 1 only fires when the device path appears on a command line (PowerShell one-liners, dd.exe, scripts), and the driver drop, driver load and service install vectors are the fallback for everything else. The log-source filter selects only Windows, Sysmon and Microsoft types, so the Linux dd activity in the technique description is not covered by this query; the if=/dev/zero and if=/dev/urandom patterns match Windows ports of dd that accept that syntax.
Data Sources
- Windows Security event log: 4688 (process creation with command-line auditing) and 4697 (service installed)
- Windows System event log: 7045 (new service installed)
- Sysmon: Event ID 1 (Process Create), 6 (Driver Load), 11 (File Create)
Required Tables
- events (QRadar Ariel events table; the query relies on QIDNAME, LOGSOURCETYPENAME and UTF8(payload))
False Positives & Tuning
- Enterprise disk backup solutions such as Acronis True Image, Veeam Agent, or Symantec Ghost that use raw PhysicalDrive handles during scheduled backup jobs — validate against backup job schedules and authorized initiating processes
- Windows Subsystem for Linux (WSL2) or Cygwin providing a dd binary that developers or sysadmins use legitimately for disk cloning or data migration rather than wiping; the /dev/zero and PhysicalDrive patterns will match these commands, so review the of= target before escalating
- Third-party full-disk encryption products (VeraCrypt, McAfee Drive Encryption, Sophos SafeGuard) that install kernel drivers from %ProgramData% or %Temp% staging paths during initial volume encryption setup before relocating to System32\drivers
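Before deploying the query it is worth unit-testing its predicates offline against known-good and known-bad payloads, including the exclusions above. The block below is an added example, not QRadar code and not part of the page's detection package: it mirrors the six vector conditions and the CASE ordering in plain Python, runs them over constructed Sysmon, Security 4688 and System 7045 payloads (no real telemetry), and adds an allowlist hook for authorized backup binaries, which is a tuning assumption of this example rather than something the query itself does.

```python
"""Offline mirror of the T1561.002 AQL vectors (added example, constructed events)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    qid_name: str          # what QIDNAME(qid) returns
    log_source_type: str   # what LOGSOURCETYPENAME(devicetype) returns
    payload: str           # raw event text, as UTF8(payload)


WIPER_DRIVER_NAMES = ("elrawdsk", "epmntdrv", "hermeticwiper", "killdisk")   # vector 4
LOADED_DRIVER_NAMES = ("elrawdsk", "epmntdrv", "hermeticwiper")              # vector 5
STAGING_PATHS = ("\\temp\\", "\\appdata\\", "\\programdata\\")               # vector 4
SERVICE_PATHS = STAGING_PATHS + ("\\users\\", "\\downloads\\")               # vector 6
WIPE_SOURCES = ("physicaldrive", "if=/dev/zero", "if=/dev/urandom")           # vector 2
PROCESS_LABELS = ("PhysicalDriveHandle", "WiperToolCommand")


def _is_process_create(qid_name: str) -> bool:
    q = qid_name.lower()
    return "process create" in q or "new process has been created" in q


def classify(ev: Event) -> Optional[str]:
    """Return the DetectionVector label the query would assign, or None if the
    event would not pass the WHERE clause at all. Order mirrors the CASE."""
    if not any(t in ev.log_source_type for t in ("Windows", "Sysmon", "Microsoft")):
        return None
    p, q = ev.payload.lower(), ev.qid_name.lower()
    if _is_process_create(ev.qid_name):
        if "dd.exe" in p and any(s in p for s in WIPE_SOURCES):
            return "WiperToolCommand"
        if "physicaldrive" in p:
            return "PhysicalDriveHandle"
        if "diskpart.exe" in p and "mmc.exe" not in p:
            return "WiperToolCommand"
    if "driver load" in q and any(n in p for n in LOADED_DRIVER_NAMES):
        return "WiperDriverLoad"
    if "new service" in q and "kernel mode driver" in p and any(s in p for s in SERVICE_PATHS):
        return "KernelDriverService"
    if "file create" in q and ".sys" in p and (
            any(n in p for n in WIPER_DRIVER_NAMES) or any(s in p for s in STAGING_PATHS)):
        return "WiperDriverDrop"
    return None


def is_allowlisted(ev: Event, allowed_images) -> bool:
    """Tuning hook (this example's assumption): suppress process-create hits whose
    Image or ParentImage is an authorized backup/imaging binary."""
    p = ev.payload.lower()
    return any(img.lower() in p for img in allowed_images)


# Constructed sample payloads in Sysmon / Security / System key-value style.
SAMPLE_EVENTS = {
    "ps_rawdisk": Event("Process Create", "Microsoft Windows Sysmon",
        "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
        "CommandLine: powershell -c $f=[IO.File]::OpenWrite('\\\\.\\PhysicalDrive0') "
        "ParentImage: C:\\Windows\\explorer.exe"),
    "dd_zero": Event("Process Create", "Microsoft Windows Sysmon",
        "Image: C:\\Tools\\dd.exe CommandLine: dd.exe if=/dev/zero of=\\\\.\\PhysicalDrive0 "
        "bs=512 count=1 ParentImage: C:\\Windows\\System32\\cmd.exe"),
    "diskpart_script": Event("Process Create", "Microsoft Windows Sysmon",
        "Image: C:\\Windows\\System32\\diskpart.exe CommandLine: diskpart /s "
        "C:\\Users\\Public\\clean.txt ParentImage: C:\\Windows\\System32\\cmd.exe"),
    "diskpart_mmc": Event("A new process has been created", "Microsoft Windows Security Event Log",
        "New Process Name: C:\\Windows\\System32\\diskpart.exe "
        "Creator Process Name: C:\\Windows\\System32\\mmc.exe"),
    "driver_drop": Event("File Create", "Microsoft Windows Sysmon",
        "Image: C:\\Users\\jdoe\\AppData\\Local\\Temp\\stage.exe "
        "TargetFilename: C:\\Users\\jdoe\\AppData\\Local\\Temp\\elrawdsk.sys"),
    "vendor_driver": Event("File Create", "Microsoft Windows Sysmon",
        "Image: C:\\Windows\\System32\\msiexec.exe "
        "TargetFilename: C:\\Windows\\System32\\drivers\\vendor.sys"),
    "svc_install": Event("A new service was installed in the system", "Microsoft Windows Security Event Log",
        "Service Name: RawDiskDrv Service File Name: C:\\Users\\jdoe\\AppData\\Local\\Temp\\elrawdsk.sys "
        "Service Type: kernel mode driver Service Start Type: demand start"),
    "backup_agent": Event("Process Create", "Microsoft Windows Sysmon",
        "Image: C:\\Program Files\\Veeam\\Endpoint Backup\\VeeamAgent.exe "
        "CommandLine: VeeamAgent.exe --snapshot \\\\.\\PhysicalDrive0 "
        "ParentImage: C:\\Program Files\\Veeam\\Endpoint Backup\\Veeam.EndPoint.Service.exe"),
    "linux_dd": Event("ProcessCreate", "Linux OS", "dd if=/dev/zero of=/dev/sda bs=512 count=1"),
}


def run(events=SAMPLE_EVENTS, allowed_images=("VeeamAgent.exe",)) -> dict:
    """Classify every event; mark process-create hits from allowlisted images."""
    results = {}
    for name, ev in events.items():
        label = classify(ev)
        if label in PROCESS_LABELS and is_allowlisted(ev, allowed_images):
            label = f"{label} (allowlisted)"
        results[name] = label
    return results


if __name__ == "__main__":
    for name, label in run().items():
        print(f"{name:16} -> {label}")
```

Two of the sample outcomes are the ones to watch when tuning: the backup agent is a true match for vector 1 and is only quieted by the allowlist, and the Linux dd event is never selected because of the log-source filter, so a Linux test exercises the collection pipeline rather than this query.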
Testing Methodology
Validate this detection against the four Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: MBR Overwrite Simulation on VHD (Windows, Safe)
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'PhysicalDrive'. Sysmon Event ID 11: File Creation for mbr-test.vhd in %TEMP%. DeviceProcessEvents will show the PowerShell process with the raw disk handle pattern. Windows Event ID 4688 (if command-line auditing is enabled) captures the full PowerShell command. DeviceFileEvents captures the VHD file creation.
- Test 2: Kernel Driver Drop to Temp Directory (Windows)
Expected signal: Sysmon Event ID 11: File Created, TargetFilename matching '*\Temp\elrawdsk.sys'. Sysmon Event ID 1: Process Create for powershell.exe invoking New-Service. Windows System Event ID 7045: New Service Installed with ServiceName=RawDiskDrv, ServiceFileName pointing to %TEMP%\elrawdsk.sys, ServiceType=kernel mode driver. Security Event ID 4697: A service was installed in the system.
- Test 3: Linux MBR Overwrite on Loop Device (Linux, Safe)
Expected signal: Sysmon for Linux (if deployed): ProcessCreate event showing dd with arguments 'if=/dev/zero of=/dev/loop* bs=512 count=1'. auditd (if configured with execve rules): EXECVE record capturing the full dd command with the loop device path. /var/log/auth.log or journald: sudo/su records if the test required privilege elevation. bash_history: dd command with /dev/zero source. Unless the QRadar log source type name for these events contains 'Sysmon', 'Windows' or 'Microsoft', the query's log-source filter excludes them, so this test validates the Linux collection pipeline rather than the query as written.
- Test 4: WhisperGate-Style Malicious Bootloader Drop Pattern (Windows)
Expected signal: Sysmon Event ID 11: File Created, TargetFilename '$env:TEMP\stage1.bin'. Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing '[Convert]::FromBase64String' and 'WriteAllBytes'. PowerShell ScriptBlock Log Event ID 4104: full script with staging path and base64 operations. DeviceFileEvents: file creation event for stage1.bin in TEMP.
References (10)
- https://attack.mitre.org/techniques/T1561/002/
- https://www.symantec.com/connect/blogs/shamoon-attacks
- https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
- https://www.microsoft.com/en-us/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
- https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf
- https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1561.002/T1561.002.md
- https://docs.microsoft.com/sysinternals/downloads/sysmon
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table