Detect Disk Wipe in Sumo Logic CSE
Adversaries may wipe or corrupt raw disk data on specific systems or across a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite arbitrary portions of disk data or target critical disk structures such as the Master Boot Record (MBR) or Volume Boot Record (VBR). A complete wipe of all disk sectors may be attempted using built-in OS utilities, third-party tools, or custom malware. Real-world destructive campaigns using this technique include Shamoon (Saudi Aramco, 2012), WhisperGate (Ukraine, 2022), HermeticWiper (Ukraine, 2022), and Destover (Sony, 2014). Wiper malware frequently chains multiple TA0040 techniques: disabling VSS/recovery first, then overwriting disk content, then corrupting disk structure, to maximize recovery difficulty.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1561 Disk Wipe
- Canonical reference
- https://attack.mitre.org/techniques/T1561/
Sumo Detection Query
(_index=sec_record_process OR _sourceCategory=*Sysmon* OR _sourceCategory=*WinEventLog*)
| where !isEmpty(commandLine)
| where baseImage in ("dd.exe", "diskpart.exe", "format.exe", "cipher.exe", "sdelete.exe",
"wipe.exe", "eraser.exe", "nwipe.exe", "hdderase.exe", "killdisk.exe",
"bcdedit.exe", "vssadmin.exe", "wevtutil.exe")
OR commandLine matches "(?i).*(PhysicalDrive|HarddiskVolume|GLOBALROOT|if=/dev/zero|if=/dev/random|if=/dev/urandom|of=/dev/sd|of=/dev/hd|of=/dev/nvme).*"
| eval cmdLow = toLowerCase(commandLine)
| eval procLow = toLowerCase(baseImage)
| eval RawDiskAccess = if(cmdLow matches ".*(physicaldrive|harddiskvolume|globalroot|if=/dev/zero|if=/dev/random|if=/dev/urandom|of=/dev/sd|of=/dev/hd|of=/dev/nvme).*", 1, 0)
| eval DiskPartWipe = if(procLow = "diskpart.exe" and cmdLow matches ".*clean.*", 1, 0)
| eval FormatSecureWipe = if(procLow = "format.exe" and cmdLow matches ".*/p:[1-9].*", 1, 0)
| eval CipherWipe = if(procLow = "cipher.exe" and cmdLow matches ".*/[wW].*", 1, 0)
| eval SDeleteWipe = if(procLow = "sdelete.exe" and cmdLow matches ".*(-z\b|-zd\b|-c\b|/z\b|/c\b).*", 1, 0)
| eval VSSDelete = if(cmdLow matches ".*(delete shadows|shadowcopy delete|delete shadows /all).*", 1, 0)
| eval BootRecoveryDisable = if(procLow = "bcdedit.exe" and cmdLow matches ".*recoveryenabled.*", 1, 0)
| eval AuditLogClear = if(procLow = "wevtutil.exe" and cmdLow matches ".*( cl |clear-log|/cl).*", 1, 0)
| eval WipeScore = RawDiskAccess + DiskPartWipe + FormatSecureWipe + CipherWipe + SDeleteWipe + VSSDelete + BootRecoveryDisable + AuditLogClear
| where WipeScore > 0
| fields _messageTime, srcDevice_hostname, user_username, baseImage, commandLine,
parentBaseImage, RawDiskAccess, DiskPartWipe, FormatSecureWipe, CipherWipe,
SDeleteWipe, VSSDelete, BootRecoveryDisable, AuditLogClear, WipeScore
| sort by WipeScore desc, _messageTime descSumo Logic Cloud SIEM Enterprise detection for disk wiping activity. Queries normalized sec_record_process records and raw Sysmon/WinEventLog sources, applying an eight-indicator scoring model across known wiper tools and raw disk access patterns. Field names follow the Sumo Logic CSE normalized schema (baseImage, commandLine, srcDevice_hostname, user_username). Maps to MITRE ATT&CK T1561 Disk Wipe.
Data Sources
Required Tables
False Positives & Tuning
- IT operations staff using diskpart or format.exe during provisioning, re-imaging, or authorized disk turnover workflows
- Scheduled backup agents removing stale VSS shadow copies via vssadmin delete shadows as part of defined retention policy
- Forensic or incident response teams accessing raw disk paths during authorized evidence acquisition or triage activities
Other platforms for T1561
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1VSS Shadow Copy Deletion via vssadmin (Pre-Wipe Preparation)
Expected signal: Sysmon Event ID 1: Process Create with Image=vssadmin.exe, CommandLine='vssadmin delete shadows /all /quiet'. Security Event ID 4688 (if command line auditing enabled). No Sysmon Event ID 3 expected (local operation). Parent process will be cmd.exe or powershell.exe in test context.
- Test 2Boot Recovery Disable via bcdedit (Pre-Wipe Preparation)
Expected signal: Sysmon Event ID 1: two Process Create events for bcdedit.exe — first with CommandLine containing 'recoveryenabled No', second with 'bootstatuspolicy ignoreallfailures'. Security Event ID 4688 for both (if command line auditing enabled). No network events expected.
- Test 3Secure Free Space Overwrite via cipher /w
Expected signal: Sysmon Event ID 1: Process Create with Image=cipher.exe, CommandLine='cipher /w:C:\Users\...\AppData\Local\Temp' (path will be expanded). Sysmon Event ID 11: multiple temporary file creation events (EFSTMPWP.tmp files) in the target directory as cipher creates temporary overwrite files. Process will run for several seconds to minutes depending on free space.
- Test 4Diskpart Disk Clean via Script File (Simulated — Uses Virtual Disk)
Expected signal: Sysmon Event ID 1: two Process Create events for diskpart.exe — first with /s dp_create.txt (VHD creation), second with /s dp_wipe.txt (clean all). Sysmon Event ID 11: file creation events for the .vhd and .txt script files in %TEMP%. The actual 'clean all' command is in the script file, not the command line, so analysts should correlate with file creation of the script files.
- Test 5Linux Raw Disk Overwrite Simulation via dd (File Target — Safe)
Expected signal: Linux auditd EXECVE record with comm=dd, a0=if=/dev/zero, a1=of=/tmp/argus_wipe_test.bin. Syslog process creation record. If Falco is deployed: process_started rule matching dd with if=/dev/zero pattern. The command generates 40MB written to disk — watch for I/O spike in monitoring. Note: real wiper uses of=/dev/sda or similar block device path.
References (14)
- https://attack.mitre.org/techniques/T1561/
- https://attack.mitre.org/techniques/T1561/001/
- https://attack.mitre.org/techniques/T1561/002/
- https://web.archive.org/web/20160303200515/https:/operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/D_through_E.html#wp3557227463
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://www.mandiant.com/resources/blog/ukraine-and-disk-wiping-attacks
- https://www.welivesecurity.com/2022/01/15/hermeticwiper-new-data-wiping-malware-hits-ukraine/
- https://www.microsoft.com/en-us/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1561/T1561.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskpart
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/cipher
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
Unlock Pro Content
Get the full detection package for T1561 including response playbook, investigation guide, and atomic red team tests.