Skip to content

DET0137 Detection Strategy for Disk Wipe via Direct Disk Access and Destructive Commands

Item Value
ID DET0137
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1561 (Disk Wipe)

Analytics

Windows

AN0384

Unusual direct disk access attempts (e.g., use of \.\PhysicalDrive notation), abnormal writes to MBR/boot sectors, and installation of kernel drivers that grant raw disk access. Correlate anomalous process creation with disk modification attempts and driver loads.

Log Sources
Data Component Name Channel
User Account Metadata (DC0013) WinEventLog:Security EventCode=4673
Drive Modification (DC0046) WinEventLog:Sysmon Raw disk write access via \.\PhysicalDrive* or \.\C:
Driver Load (DC0079) WinEventLog:Sysmon EventCode=6
Mutable Elements
Field Description
ProcessWhitelist Legitimate disk imaging or backup tools may trigger raw disk access — must be excluded per environment.
TimeWindow Correlate disk access, driver load, and process execution within a short timeframe to minimize false positives.

Linux

AN0385

Processes invoking destructive commands (dd, shred, wipe) with raw device targets (e.g., /dev/sda, /dev/nvme0n1). Detect direct writes to disk partitions and abnormal superblock or bootloader modifications. Correlate shell execution with subsequent block device I/O.

Log Sources
Data Component Name Channel
Drive Access (DC0054) auditd:SYSCALL open/write syscalls on /dev/sd or /dev/nvme
Process Creation (DC0032) auditd:EXECVE Execution of dd, shred, wipe targeting block devices
Mutable Elements
Field Description
TargetDevices Tune to exclude removable drives or test partitions commonly written by administrators.
EntropyThreshold Detects large blocks of pseudorandom data being written; may need tuning for backup/crypto workloads.

macOS

AN0386

Abnormal invocation of diskutil, asr, or low-level APIs (IOKit) to erase/partition drives. Correlate process execution with unified log entries showing destructive disk operations.

Log Sources
Data Component Name Channel
Command Execution (DC0064) macos:unifiedlog diskutil eraseDisk / asr restore with destructive flags
Drive Modification (DC0046) macos:unifiedlog IOKit disk write calls targeting raw devices
Mutable Elements
Field Description
AdminToolWhitelist System administrators may legitimately use diskutil/asr for provisioning — whitelist by user or context.

Network Devices

AN0387

Execution of destructive CLI commands such as ‘erase startup-config’, ‘erase flash:’ or ‘format disk’ on routers/switches. Detect privilege level escalation preceding destructive commands.

Log Sources
Data Component Name Channel
Command Execution (DC0064) networkdevice:cli erase flash:, erase startup-config, format disk
User Account Authentication (DC0002) networkdevice:syslog User privilege escalation to level 15/root prior to destructive commands
Mutable Elements
Field Description
PrivilegedUsers Tune to exclude approved maintenance sessions by known administrators.
CommandPatterns Adjust monitored destructive command list depending on device vendor and OS.