title: Disk Wipe (T1561)
id: df00tech-t1561
status: experimental
description: "Adversaries may wipe or corrupt raw disk data on specific systems or across a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite arbitrary portions of disk data or target critical disk structures such as the Master Boot Record (MBR) or Volume Boot Record (VBR). A complete wipe of all disk sectors may be attempted using built-in OS utilities, third-party tools, or custom malware. Real-world destructive campaigns using this technique include Shamoon (Saudi Aramco, 2012), WhisperGate (Ukraine, 2022), HermeticWiper (Ukraine, 2022), and Destover (Sony, 2014). Wiper malware frequently chains multiple TA0040 techniques: disabling VSS/recovery first, then overwriting disk content, then corrupting disk structure, to maximize recovery difficulty."
references:
  - https://attack.mitre.org/techniques/T1561/
  - https://df00tech.com/detections/T1561
author: df00tech
date: 2026/04/20
tags:
  - attack.t1561
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Stand-in for the df00tech KQL/SPL query, which could not be auto-translated:
  # selections derived from the utilities named under falsepositives. Align with
  # the query on df00tech before deploying. diskpart's "clean" verb arrives via a
  # script file or stdin, so it is not matched on CommandLine here.
  selection_format:
    CommandLine|contains|all: ['format', '/p:']
  selection_sdelete:
    Image|endswith: ['\sdelete.exe', '\sdelete64.exe']
  selection_cipher:
    CommandLine|contains|all: ['cipher', '/w:']
  selection_vssadmin:
    CommandLine|contains|all: ['vssadmin', 'delete', 'shadows']
  condition: 1 of selection_*
falsepositives:
  - "IT operations using diskpart clean or format /p: for decommissioning hardware before asset disposal or reimaging"
  - "Security teams running SDelete or cipher /w as part of data sanitization workflows on endpoints being retired"
  - "Backup and disaster recovery software (Acronis, Veeam) that accesses raw PhysicalDrive handles during bare-metal restore operations"
  - "Forensic tools (FTK Imager, dd for Windows) used by incident responders that open \\\\.\\PhysicalDrive paths for imaging"
  - "System administrators using vssadmin delete shadows as part of scheduled disk space reclamation on servers with large VSS allocations"
level: critical
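As an added example that is not part of the df00tech rule or its KQL/SPL query: a small Python matcher that applies command-line indicators for the utilities named under falsepositives (format /p:, SDelete, cipher /w, vssadmin delete shadows) to constructed Sysmon-style process_creation events. It shows both halves a practitioner needs: the selection that fires, and a triage step that downgrades rather than suppresses a match whose parent is a known operator process. The backup-agent parent path is a hypothetical placeholder, and every event is constructed here, not captured from a host. diskpart "clean" is deliberately not matched, because the verb normally arrives through a script file or stdin rather than on the command line.

```python
"""Added example, not part of the df00tech rule: apply T1561 command-line
indicators to constructed Sysmon-style process_creation events."""
import re

# Indicators derived from the utilities the rule's falsepositives list names.
# diskpart's "clean" verb usually arrives via a script file or stdin, so it is
# deliberately not matched on CommandLine here.
INDICATORS = {
    "format_overwrite": re.compile(r"\bformat(\.com)?\b.*\s/p:\d+", re.I),
    "sdelete":          re.compile(r"\bsdelete(64)?(\.exe)?\b", re.I),
    "cipher_wipe":      re.compile(r"\bcipher(\.exe)?\b.*\s/w:", re.I),
    "vss_delete":       re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
}

# Parent images from which these utilities are expected. The path is a
# hypothetical placeholder for a site's backup agent (assumption, tune per
# environment); stored lowercased for comparison.
EXPECTED_PARENTS = {
    r"c:\program files\examplebackup\agent.exe",
}


def match_indicators(event):
    """Names of every indicator whose pattern hits the event's CommandLine."""
    cmd = event.get("CommandLine", "")
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def triage(event):
    """None when nothing matches; otherwise a finding. A match under an
    expected parent is downgraded, not dropped, so a wiper launched from a
    trusted-looking parent still surfaces for review."""
    hits = match_indicators(event)
    if not hits:
        return None
    expected = event.get("ParentImage", "").lower() in EXPECTED_PARENTS
    return {
        "level": "medium" if expected else "critical",
        "indicators": hits,
        "Image": event.get("Image"),
        "ParentImage": event.get("ParentImage"),
        "User": event.get("User"),
        "CommandLine": event.get("CommandLine"),
    }


def evaluate(events):
    """Findings for every event that matched at least one indicator."""
    return [f for f in map(triage, events) if f is not None]


# Constructed events using Sysmon EventID 1 field names; none come from a real host.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "cmd.exe /c format D: /P:3 /Y"},
    {"Image": r"C:\Tools\sdelete64.exe", "ParentImage": r"C:\Program Files\ExampleBackup\agent.exe",
     "User": "CORP\\svc-backup", "CommandLine": "sdelete64.exe -accepteula -z D:"},
    {"Image": r"C:\Windows\System32\cipher.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "User": "CORP\\jdoe", "CommandLine": r"cipher /w:C:\Users"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Users\Public\update.exe",
     "User": "CORP\\jdoe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": "CORP\\admin", "CommandLine": "vssadmin list shadows"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "User": "CORP\\jdoe", "CommandLine": r"notepad.exe C:\Temp\formats.txt"},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding["level"], finding["indicators"], finding["CommandLine"])
```

Running the block lists four findings: the format, cipher and vssadmin invocations at critical, and the SDelete run at medium because its parent is the expected backup agent; "vssadmin list shadows" and a filename that merely contains "formats" produce nothing. Raw `\\.\PhysicalDrive` handle access by backup or forensic tools is not a process_creation signal and needs file or driver telemetry, which is why it is absent here.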
