ID | F0014 |
Objective(s) | Impact |
Related ATT&CK Techniques | Disk Wipe (T1561.001) |
Impact Type | Availability |
Version | 3.2 |
Created | 15 April 2021 |
Last Modified | 30 April 2024 |

Malware may erase the content of storage devices. This behavior differs from Data Destruction (E1485) because sections of the disk are erased rather than individual files.
This description refines the ATT&CK Disk Wipe: Disk Content Wipe (T1561.001) sub-technique.

Name | Date | Method | Description |
---|---|---|---|
Shamoon | 2012 | -- | An overwrite component will overwrite the MBR so that the compromised computer can no longer start. [1] |

Tool: capa | Mapping | APIs |
---|---|---|
overwrite Master Boot Record (MBR) | Disk Wipe (F0014) | kernel32.WriteFile |
delete drive layout via IOCTL | Disk Wipe (F0014) | -- |

Tool: CAPE | Mapping | APIs |
---|---|---|
deletes_shadow_copies | Disk Wipe (F0014) | ShellExecuteExW, NtCreateUserProcess, CreateProcessInternalW |
deletes_system_state_backup | Disk Wipe (F0014) | ShellExecuteExW, NtCreateUserProcess, CreateProcessInternalW |
wiper_zeroedbytes | Disk Wipe (F0014) | NtWriteFile |

[1] https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=281521ea-2d18-4bf9-9e88-8b1dc41cfdb6&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments