title: Disk Content Wipe (T1561.001)
id: df00tech-t1561-001
status: experimental
description: "Adversaries may erase the contents of storage devices to interrupt availability of systems and network resources. Unlike file-level destruction, disk content wiping targets arbitrary raw disk sectors, making recovery through normal storage interfaces impossible. Attackers gain direct disk access via OS raw device handles (e.g., \\\\.\\PhysicalDrive0 on Windows, /dev/sda on Linux), third-party kernel drivers like RawDisk (eltrawdrv.sys), or built-in utilities such as cipher.exe, dd, and shred. Real-world destructive campaigns include HermeticWiper (Ukraine 2022), WhisperGate (Ukraine 2022), AcidRain/AcidPour (satellite modems), and Lazarus Group's WhiskeyAlfa malware overwriting the first 64MB of every drive. These attacks are often staged alongside credential dumping and lateral movement to maximize organizational impact."
references:
  - https://attack.mitre.org/techniques/T1561/001/
  - https://df00tech.com/detections/T1561.001
author: df00tech
date: 2026/03/12
tags:
  - attack.t1561.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "cipher.exe /w legitimately used by IT security teams to comply with NIST 800-88 media sanitization policies before asset disposal or drive reuse"
  - "Disk imaging or cloning tools (Clonezilla, Acronis, Norton Ghost, Macrium Reflect) that access raw disk handles during backup or restoration operations"
  - "Disk benchmarking utilities (CrystalDiskMark, HD Tune, ATTO Disk Benchmark) that open raw device handles for performance testing"
  - "Forensic workstations running EnCase, FTK, or Autopsy that access physical drives directly during evidence collection"
  - "Virtualization platforms (VMware, Hyper-V, VirtualBox) creating or reconfiguring virtual disk files with raw device access"
level: critical
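Because the rule's `detection` block above is only a placeholder (`EventID: '*'` matches every process_creation event), here is an added example, not part of the df00tech rule, of the command-line signals the description names (cipher.exe /w, dd and shred aimed at a raw block device) expressed as triage logic over Sigma-style process_creation events. The events, the `User` field values and the sanctioned-user allowlist are constructed for illustration; raw handle opens via drivers like RawDisk are not visible in process_creation and would need a different log source.

```python
import re
import shlex

# Targets named in the rule description: Linux block devices and Windows physical drive handles.
BLOCK_DEVICE = re.compile(
    r"^(?:/dev/(?:sd[a-z]+|hd[a-z]+|xvd[a-z]+|nvme\d+n\d+|mmcblk\d+)\d*|\\\\\.\\PhysicalDrive\d+)$", re.I
)

def classify(event):
    """Return a reason string if a process_creation event looks like a raw disk wipe, else None."""
    image = event.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    try:  # Windows command lines keep their backslashes, so only POSIX-split non-.exe images
        argv = shlex.split(cmd, posix=not image.endswith(".exe"))
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        argv = cmd.split()
    args = argv[1:]
    if image == "cipher.exe" and any(a.lower().startswith("/w") for a in args):
        return "cipher.exe /w free-space overwrite"
    if image == "dd":
        for a in args:
            if a.startswith("of=") and BLOCK_DEVICE.match(a[3:]):
                return "dd writing directly to " + a[3:]
    if image == "shred":
        for a in args:
            if BLOCK_DEVICE.match(a):
                return "shred run against " + a
    return None

def triage(events, sanctioned_users=frozenset()):
    """Classify events, dropping hits from accounts sanctioned for NIST 800-88 media sanitization."""
    alerts = []
    for i, ev in enumerate(events):
        reason = classify(ev)
        if reason and ev.get("User", "").lower() not in sanctioned_users:
            alerts.append((i, reason))
    return alerts

# Constructed sample events (not from the page); field names follow Sigma process_creation.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cipher.exe", "CommandLine": "cipher.exe /w:C:\\", "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\cipher.exe", "CommandLine": "cipher.exe /w:D:\\", "User": "CORP\\itsec-sanitize"},
    {"Image": "/usr/bin/dd", "CommandLine": "dd if=/dev/zero of=/dev/sda bs=1M", "User": "root"},
    {"Image": "/usr/bin/dd", "CommandLine": "dd if=/dev/sda of=/mnt/backup/disk.img bs=1M", "User": "root"},
    {"Image": "/usr/bin/shred", "CommandLine": "shred -n 3 -z /dev/nvme0n1", "User": "root"},
    {"Image": "/usr/bin/shred", "CommandLine": "shred -u /home/user/secret.txt", "User": "user"},
]

if __name__ == "__main__":
    for idx, why in triage(SAMPLE_EVENTS, sanctioned_users={"corp\\itsec-sanitize"}):
        print(idx, why)  # indices 0, 2 and 4 fire; the imaging read and the file-level shred do not
```

The allowlist is deliberately narrow: the rule's false-positive list (imaging, benchmarking, forensic and virtualization tools) mostly opens raw handles without any of these command lines, so those cases are tuned at the handle-access log source rather than here.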
