T1561 Microsoft Sentinel · KQL

Detect Disk Wipe in Microsoft Sentinel

Adversaries may wipe or corrupt raw disk data on specific systems or across a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite arbitrary portions of disk data or target critical disk structures such as the Master Boot Record (MBR) or Volume Boot Record (VBR). A complete wipe of all disk sectors may be attempted using built-in OS utilities, third-party tools, or custom malware. Real-world destructive campaigns using this technique include Shamoon (Saudi Aramco, 2012), WhisperGate (Ukraine, 2022), HermeticWiper (Ukraine, 2022), and Destover (Sony, 2014). Wiper malware frequently chains multiple TA0040 techniques: disabling VSS/recovery first, then overwriting disk content, then corrupting disk structure, to maximize recovery difficulty.

MITRE ATT&CK

Tactic
Impact
Technique
T1561 Disk Wipe
Canonical reference
https://attack.mitre.org/techniques/T1561/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let KnownWipingTools = dynamic([
  "dd.exe", "diskpart.exe", "format.exe", "cipher.exe", "sdelete.exe",
  "wipe.exe", "eraser.exe", "nwipe.exe", "hdderase.exe", "killdisk.exe",
  "bcdedit.exe", "vssadmin.exe", "wevtutil.exe"
]);
let RawDiskPatterns = dynamic([
  "\\\\.\\PhysicalDrive", "\\\\.\\HarddiskVolume", "\\\\.\\GLOBALROOT",
  "if=/dev/zero", "if=/dev/random", "if=/dev/urandom",
  "of=/dev/sd", "of=/dev/hd", "of=/dev/nvme"
]);
let WipeCommandPatterns = dynamic([
  "clean all", "/p:1", "/p:2", "/p:3", "/p:4", "/p:5", "/p:6", "/p:7",
  "cipher /w", "cipher /W", "-z ", "-zd ", "-c ",
  "delete shadows", "shadowcopy delete", "Delete Shadows /All",
  "recoveryenabled No", "recoveryenabled no",
  "bcdedit /set", "wevtutil cl ", "wevtutil.exe cl"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName in~ (KnownWipingTools) and ProcessCommandLine has_any (WipeCommandPatterns))
    or ProcessCommandLine has_any (RawDiskPatterns)
| extend RawDiskAccess = ProcessCommandLine has_any ("\\\\.\\PhysicalDrive", "\\\\.\\HarddiskVolume", "if=/dev/zero", "if=/dev/random")
| extend DiskPartWipe = FileName =~ "diskpart.exe" and ProcessCommandLine has "clean"
| extend FormatSecureWipe = FileName =~ "format.exe" and ProcessCommandLine matches regex @"/p:[1-9]"
| extend CipherWipe = FileName =~ "cipher.exe" and (ProcessCommandLine has "/w" or ProcessCommandLine has "/W")
| extend SDeleteWipe = FileName =~ "sdelete.exe" and ProcessCommandLine has_any ("-z", "-zd", "-c", "/z", "/c")
| extend VSSDelete = ProcessCommandLine has_any ("delete shadows", "shadowcopy delete", "Delete Shadows /All", "Delete Shadows /all")
| extend BootRecoveryDisable = FileName =~ "bcdedit.exe" and ProcessCommandLine has "recoveryenabled"
| extend AuditLogClear = FileName =~ "wevtutil.exe" and ProcessCommandLine has_any ("cl ", "clear-log")
| extend WipeScore = toint(RawDiskAccess) + toint(DiskPartWipe) + toint(FormatSecureWipe) + toint(CipherWipe) + toint(SDeleteWipe) + toint(VSSDelete) + toint(BootRecoveryDisable) + toint(AuditLogClear)
| where WipeScore > 0
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         RawDiskAccess, DiskPartWipe, FormatSecureWipe, CipherWipe, SDeleteWipe,
         VSSDelete, BootRecoveryDisable, AuditLogClear, WipeScore
| sort by WipeScore desc, Timestamp desc
critical severity high confidence

Detects disk wiping activity using Microsoft Defender for Endpoint DeviceProcessEvents. Identifies execution of known wiping tools (diskpart, dd, sdelete, cipher, format) with destructive flags, raw disk device path access (\\PhysicalDrive, \\HarddiskVolume), Volume Shadow Copy deletion (precursor to wiping), boot recovery disabling via bcdedit, and audit log clearing. A composite WipeScore is computed per event to prioritize detections with multiple co-occurring indicators, which is characteristic of multi-stage destructive malware campaigns.

Data Sources

Process: Process CreationCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • IT operations using diskpart clean or format /p: for decommissioning hardware before asset disposal or reimaging
  • Security teams running SDelete or cipher /w as part of data sanitization workflows on endpoints being retired
  • Backup and disaster recovery software (Acronis, Veeam) that accesses raw PhysicalDrive handles during bare-metal restore operations
  • Forensic tools (FTK Imager, dd for Windows) used by incident responders that access \\PhysicalDrive paths for imaging
  • System administrators using vssadmin delete shadows as part of scheduled disk space reclamation on servers with large VSS allocations
Download portable Sigma rule (.yml)

Other platforms for T1561

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1VSS Shadow Copy Deletion via vssadmin (Pre-Wipe Preparation)

    Expected signal: Sysmon Event ID 1: Process Create with Image=vssadmin.exe, CommandLine='vssadmin delete shadows /all /quiet'. Security Event ID 4688 (if command line auditing enabled). No Sysmon Event ID 3 expected (local operation). Parent process will be cmd.exe or powershell.exe in test context.

  2. Test 2Boot Recovery Disable via bcdedit (Pre-Wipe Preparation)

    Expected signal: Sysmon Event ID 1: two Process Create events for bcdedit.exe — first with CommandLine containing 'recoveryenabled No', second with 'bootstatuspolicy ignoreallfailures'. Security Event ID 4688 for both (if command line auditing enabled). No network events expected.

  3. Test 3Secure Free Space Overwrite via cipher /w

    Expected signal: Sysmon Event ID 1: Process Create with Image=cipher.exe, CommandLine='cipher /w:C:\Users\...\AppData\Local\Temp' (path will be expanded). Sysmon Event ID 11: multiple temporary file creation events (EFSTMPWP.tmp files) in the target directory as cipher creates temporary overwrite files. Process will run for several seconds to minutes depending on free space.

  4. Test 4Diskpart Disk Clean via Script File (Simulated — Uses Virtual Disk)

    Expected signal: Sysmon Event ID 1: two Process Create events for diskpart.exe — first with /s dp_create.txt (VHD creation), second with /s dp_wipe.txt (clean all). Sysmon Event ID 11: file creation events for the .vhd and .txt script files in %TEMP%. The actual 'clean all' command is in the script file, not the command line, so analysts should correlate with file creation of the script files.

  5. Test 5Linux Raw Disk Overwrite Simulation via dd (File Target — Safe)

    Expected signal: Linux auditd EXECVE record with comm=dd, a0=if=/dev/zero, a1=of=/tmp/argus_wipe_test.bin. Syslog process creation record. If Falco is deployed: process_started rule matching dd with if=/dev/zero pattern. The command generates 40MB written to disk — watch for I/O spike in monitoring. Note: real wiper uses of=/dev/sda or similar block device path.

Last updated: 2026-04-20 Research depth: deep
References (14)

Unlock Pro Content

Get the full detection package for T1561 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (2)

Related Techniques

T1561.001Disk Content WipeT1561.002Disk Structure WipeT1485Data DestructionT1490Inhibit System RecoveryT1070.001Clear Windows Event LogsT1003OS Credential DumpingT1021.002SMB/Windows Admin SharesT1569.002Service ExecutionT1078Valid AccountsT1059.001PowerShell

Same Tactic: Impact

Popular Detections