Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.[1]
On network devices, adversaries may wipe configuration files and other data from the device using Network Device CLI commands such as erase.[2]
| 效应类型 | 是否存在 |
|---|---|
| 特征伪装 | ✅ |
| 行为透明 | ❌ |
| 数据遮蔽 | ✅ |
| 时空释痕 | ✅ |
攻击者通过滥用合法磁盘工具的标准功能接口,使擦除操作在系统日志中呈现为正常管理行为。例如利用DiskPart的clean命令实施扇区覆盖,或借助dd命令的conv=notrunc参数进行局部数据破坏。此类操作完全符合工具设计规范,导致安全设备难以从命令行参数或API调用序列中识别恶意意图。
在隐蔽扇区覆盖技术中,攻击者采用多次随机数据覆写或符合NIST标准的擦除算法,使原始数据恢复成为不可能。部分高级实现还会加密目标数据后再执行覆盖,通过密码学手段彻底消除数据残余特征,阻断取证分析。
时间延迟分阶段擦除通过将破坏过程分散至数周甚至数月,使得单个擦除事件的特征浓度低于检测阈值。攻击者结合目标系统的业务周期(如财务月末结算期)动态调整擦除节奏,进一步将恶意活动隐匿在合法的磁盘高负载状态中。
| ID | Mitigation | Description |
|---|---|---|
| M1053 | Data Backup |
Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.[3] Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0017 | Command | Command Execution |
Monitor for direct access read/write attempts using the |
| DS0016 | Drive | Drive Access |
Monitor for newly constructed drive letters or mount points to a data storage device for attempts to write to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock. |
| Drive Modification |
Monitor for changes made to drive letters or mount points of data storage devices for attempts to read to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock. |
||
| DS0027 | Driver | Driver Load |
Monitor for unusual kernel driver installation activity that may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. |
| DS0009 | Process | Process Creation |
Monitor newly executed processes that may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. |