title: Disk Structure Wipe (T1561.002)
id: df00tech-t1561-002
status: experimental
description: "Adversaries may corrupt or wipe disk data structures such as the Master Boot Record (MBR), GUID Partition Table (GPT), or partition entries to render systems permanently unbootable. Wiper malware (Shamoon, HermeticWiper, WhisperGate, CaddyWiper, KillDisk) achieves this by opening a handle to a raw physical disk device (e.g., \\\\.\\PhysicalDrive0) and overwriting the first 512 bytes (the MBR boot sector) or subsequent partition structures. Some malware loads a kernel-mode driver, such as ElRawDisk.sys (Shamoon) or the EaseUS driver abused by HermeticWiper, to bypass user-mode restrictions and gain direct disk sector access. On Linux systems, adversaries use utilities like dd with /dev/zero or /dev/urandom targeting /dev/sda or /dev/nvme0n1. This technique is frequently combined with worm-like propagation via SMB/Windows Admin Shares, Valid Accounts, and OS Credential Dumping to maximize organizational impact."
references:
  - https://attack.mitre.org/techniques/T1561/002/
  - https://df00tech.com/detections/T1561.002
author: df00tech
date: 2026/04/14
tags:
  - attack.t1561.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate disk imaging and backup software (Acronis True Image, Macrium Reflect, Clonezilla agent) that opens PhysicalDrive handles for sector-level backup and restore operations"
  - "Hardware diagnostic and benchmarking utilities (CrystalDiskInfo, HD Tune, manufacturer tools like Seagate SeaTools) that read raw disk sectors to retrieve SMART data or perform surface scans"
  - "Forensic acquisition tools (FTK Imager, dc3dd, Paladin) used by security teams that write forensic images by accessing physical disk handles directly"
  - "System administrators using dd.exe (GnuWin32/UnxUtils port) for disk cloning or image creation in lab and deployment environments"
  - "Virtualization platforms (VMware vSphere, VirtualBox, Hyper-V) that create and manage virtual disk files using driver-level disk access"
level: critical
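The detection block in this rule is a placeholder (EventID: '*'). As an added example, not part of this rule and not df00tech's published KQL/SPL query, the following Python sketches the process_creation logic the description implies: flag command lines that reference the raw disk devices the description names (\\.\PhysicalDriveN, /dev/sdX, /dev/nvmeXnY), call out dd invocations whose output is such a device, and lower rather than suppress severity for imaging tools from the falsepositives list so that legitimate backup activity is still recorded. The sample events, the allowlist substrings, and the device path patterns are constructed assumptions and should be tuned to the software actually deployed.

```python
import re

# Constructed Sysmon-style process_creation events for testing only (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\update.exe",
     "CommandLine": r"update.exe \\.\PhysicalDrive0",
     "User": r"CORP\svc_build"},
    {"Image": r"C:\Program Files\Macrium\Reflect\Reflect.exe",
     "CommandLine": r"Reflect.exe -b \\.\PhysicalDrive0",
     "User": r"CORP\backup_admin"},
    {"Image": r"C:\Tools\dd.exe",
     "CommandLine": r"dd.exe if=C:\images\gold.img of=\\.\PhysicalDrive1 bs=1M",
     "User": r"CORP\lab_admin"},
    {"Image": "/usr/bin/dd",
     "CommandLine": "dd if=/dev/zero of=/dev/nvme0n1 bs=4M",
     "User": "root"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt",
     "User": r"CORP\user1"},
]

# Raw disk device paths named in the rule description: Windows \\.\PhysicalDriveN
# and Linux whole-disk block devices (/dev/sdX, /dev/nvmeXnY). Assumed pattern set.
RAW_DISK_RE = re.compile(
    r"(\\\\\.\\PhysicalDrive\d+|/dev/(?:sd[a-z]+|nvme\d+n\d+)\b)", re.IGNORECASE)

# dd (or the Windows dd.exe port) whose output file (of=) is a raw disk device.
DD_WRITE_RE = re.compile(
    r"\bdd(?:\.exe)?\b.*\bof=(\\\\\.\\PhysicalDrive\d+|/dev/\S+)", re.IGNORECASE)

# Image path substrings of imaging/backup tools from the falsepositives list.
# Placeholder values; tune to the products actually deployed in the environment.
ALLOWLIST = ("\\macrium\\", "\\acronis\\", "\\clonezilla\\", "\\ftk imager\\")


def evaluate(event):
    """Classify one process_creation event.

    Returns None when the command line references no raw disk device, otherwise
    a dict with the matched device, a reason string and a severity that is
    lowered (not suppressed) when the image is an allowlisted imaging tool.
    """
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "")
    dev = RAW_DISK_RE.search(cmd)
    if not dev:
        return None
    if DD_WRITE_RE.search(cmd):
        reason = "dd writing to raw disk device"
    else:
        reason = "raw disk device referenced on command line"
    allowlisted = any(a in image.lower() for a in ALLOWLIST)
    return {
        "image": image,
        "user": event.get("User", ""),
        "device": dev.group(1),
        "reason": reason,
        "severity": "medium" if allowlisted else "critical",
    }


def detect(events):
    """Return all matches for a batch of events, highest severity first."""
    hits = [h for h in (evaluate(e) for e in events) if h]
    order = {"critical": 0, "medium": 1}
    return sorted(hits, key=lambda h: order[h["severity"]])


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["severity"], hit["image"], hit["device"], "-", hit["reason"])
```

Keying on the command line alone will miss a wiper that opens the device handle from code without naming it on its command line, which is why the page's falsepositives list talks about PhysicalDrive handles rather than arguments; a handle-level telemetry source (raw-access reads, driver loads) is the complement to this process_creation sketch.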
