Detect Disk Structure Wipe in Sumo Logic CSE
Adversaries may corrupt or wipe disk data structures such as the Master Boot Record (MBR), GUID Partition Table (GPT), or partition entries to render systems permanently unbootable. Wiper malware (Shamoon, HermeticWiper, WhisperGate, CaddyWiper, KillDisk) achieves this by opening a handle to raw physical disk devices (e.g., \\.\PhysicalDrive0) and overwriting the first 512 bytes (MBR boot sector) or subsequent partition structures. Some malware uses kernel-mode drivers such as ElRawDisk.sys (Shamoon) or the HermeticWiper EaseUS driver to bypass user-mode restrictions and gain direct disk sector access. On Linux systems, adversaries use utilities like dd with /dev/zero or /dev/urandom targeting /dev/sda or /dev/nvme0n1. This technique is frequently combined with worm-like propagation via SMB/Windows Admin Shares, Valid Accounts, and OS Credential Dumping to maximize organizational impact.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1561 Disk Wipe
- Sub-technique
- T1561.002 Disk Structure Wipe
- Canonical reference
- https://attack.mitre.org/techniques/T1561/002/
Sumo Detection Query
(_sourceCategory=windows/sysmon OR _sourceCategory=windows/security OR _sourceCategory=windows/system OR _sourceCategory=*sysmon* OR _sourceCategory=*wineventlog*)
| where EventCode in ("1", "4688", "11", "6", "7045")
/* Extract key fields from structured log messages */
| parse regex "(?i)CommandLine[\s=:]+(?P<CommandLine>[^\r\n]+)" nodrop
| parse regex "(?i)(?:Image|ProcessName)[\s=:]+(?P<ProcessImage>[^\r\n]+)" nodrop
| parse regex "(?i)ParentImage[\s=:]+(?P<ParentImage>[^\r\n]+)" nodrop
| parse regex "(?i)TargetFilename[\s=:]+(?P<TargetFilename>[^\r\n]+)" nodrop
| parse regex "(?i)ImageLoaded[\s=:]+(?P<DriverLoaded>[^\r\n]+)" nodrop
| parse regex "(?i)ServiceFileName[\s=:]+(?P<ServiceFileName>[^\r\n]+)" nodrop
| parse regex "(?i)ServiceType[\s=:]+(?P<ServiceType>[^\r\n]+)" nodrop
| parse regex "(?i)ServiceName[\s=:]+(?P<ServiceName>[^\r\n]+)" nodrop
| parse regex "(?i)(?:Computer|Hostname)[\s=:]+(?P<Computer>[^\r\n]+)" nodrop
| parse regex "(?i)(?:User|Account)[\s=:]+(?P<AccountName>[^\r\n]+)" nodrop
/* Score each detection vector */
| eval IsMBRWipe = if(matches(CommandLine, "(?i)PhysicalDrive"), 1, 0)
| eval IsWiperTool = if(
EventCode in ("1", "4688") and (
(matches(ProcessImage, "(?i)\\dd\.exe$") and (
matches(CommandLine, "(?i)PhysicalDrive")
or matches(CommandLine, "if=/dev/zero")
or matches(CommandLine, "if=/dev/urandom")
))
or (
matches(ProcessImage, "(?i)\\diskpart\.exe$")
and not matches(ParentImage, "(?i)(mmc\.exe|diskmgmt\.msc)")
)
), 1, 0)
| eval IsDriverDrop = if(
EventCode = "11"
and matches(TargetFilename, "(?i)\.sys$")
and (
matches(TargetFilename, "(?i)(elrawdsk|elrawdisk|epmntdrv|hermeticwiper|killdisk|caddywiper)")
or (
matches(TargetFilename, "(?i)\\(temp|appdata|programdata|downloads)\\")
and matches(TargetFilename, "(?i)\.sys$")
)
), 1, 0)
| eval IsDriverLoad = if(
EventCode = "6"
and matches(DriverLoaded, "(?i)(elrawdsk|elrawdisk|epmntdrv|hermeticwiper|killdisk)"),
1, 0)
| eval IsServiceInstall = if(
EventCode = "7045"
and matches(ServiceType, "(?i)kernel mode driver")
and matches(ServiceFileName, "(?i)\\(temp|appdata|programdata|users|downloads)\\"),
1, 0)
| eval SuspicionScore = IsMBRWipe + IsWiperTool + IsDriverDrop + IsDriverLoad + IsServiceInstall
| where SuspicionScore > 0
| eval DetectionVector = if(IsDriverLoad = 1, "WiperDriverLoad",
if(IsMBRWipe = 1, "PhysicalDriveHandle",
if(IsServiceInstall = 1, "KernelDriverService",
if(IsWiperTool = 1, "WiperToolCommand",
if(IsDriverDrop = 1, "WiperDriverDrop", "Unknown")))))
| fields _messageTime, Computer, AccountName, EventCode, ProcessImage, CommandLine, ParentImage, TargetFilename, DriverLoaded, ServiceFileName, ServiceName, DetectionVector, SuspicionScore
| sort by SuspicionScore desc, _messageTime descSumo Logic detection for T1561.002 Disk Structure Wipe. Queries Windows Security, System, and Sysmon source categories for EventCodes 1/4688 (process creation) with raw PhysicalDrive command-line references, dd.exe/diskpart wiper tool execution patterns, EventCode 11 (file creation) of known wiper driver names to user-writable paths, EventCode 6 (driver load) for known wiper drivers, and EventCode 7045 (new service install) for kernel mode drivers from non-system directories. Assigns suspicion scores per vector and classifies each alert with a DetectionVector label.
Data Sources
Required Tables
False Positives & Tuning
- Penetration testing tools or authorized red team exercises using dd.exe or custom raw disk drivers for disk imaging tasks — cross-reference against approved testing windows and red team change tickets
- Software installers for storage management products (Intel RST, Samsung Magician, Seagate Toolkit, WD Dashboard) that stage kernel drivers in %ProgramData% or %Temp% before relocating to System32\drivers during setup
- IT provisioning workflows using WinPE, MDT, or SCCM task sequences that invoke diskpart.exe as a child of cmd.exe or powershell.exe rather than mmc.exe during automated OS deployment pipelines
Other platforms for T1561.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1MBR Overwrite Simulation on VHD (Windows, Safe)
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'PhysicalDrive'. Sysmon Event ID 11: File Creation for mbr-test.vhd in %TEMP%. DeviceProcessEvents will show the PowerShell process with the raw disk handle pattern. Windows Event ID 4688 (if command-line auditing enabled) captures the full PowerShell command. DeviceFileEvents captures the VHD file creation.
- Test 2Kernel Driver Drop to Temp Directory (Windows)
Expected signal: Sysmon Event ID 11: File Created — TargetFilename matches '*\Temp\elrawdsk.sys'. Sysmon Event ID 1: Process Create for powershell.exe invoking New-Service. Windows System Event ID 7045: New Service Installed with ServiceName=RawDiskDrv, ServiceFileName pointing to %TEMP%\elrawdsk.sys, ServiceType=kernel mode driver. Security Event ID 4697: A service was installed in the system.
- Test 3Linux MBR Overwrite on Loop Device (Linux, Safe)
Expected signal: Sysmon for Linux (if deployed): ProcessCreate event showing dd with arguments 'if=/dev/zero of=/dev/loop* bs=512 count=1'. auditd (if configured with execve rules): EXECVE record capturing the full dd command with the loop device path. /var/log/auth.log or journald: sudo/su records if the test required privilege elevation. bash_history: dd command with /dev/zero source.
- Test 4WhisperGate-Style Malicious Bootloader Drop Pattern (Windows)
Expected signal: Sysmon Event ID 11: File Created — TargetFilename '$env:TEMP\stage1.bin'. Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing '[Convert]::FromBase64String' and 'WriteAllBytes'. PowerShell ScriptBlock Log Event ID 4104: full script with staging path and base64 operations. DeviceFileEvents: file creation event for stage1.bin in TEMP.
References (10)
- https://attack.mitre.org/techniques/T1561/002/
- https://www.symantec.com/connect/blogs/shamoon-attacks
- https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
- https://www.microsoft.com/en-us/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
- https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf
- https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1561.002/T1561.002.md
- https://docs.microsoft.com/sysinternals/downloads/sysmon
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
Unlock Pro Content
Get the full detection package for T1561.002 including response playbook, investigation guide, and atomic red team tests.