DET0316 Detection Strategy for Disk Content Wipe via Direct Access and Overwrite

| Item | Value |
|---|---|
| ID | DET0316 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1561.001 (Disk Content Wipe)

Analytics

Windows

AN0882

Processes attempting raw disk access via \\.\PhysicalDrive paths, abnormal file I/O to MBR/boot sectors, or loading of third-party drivers (e.g., RawDisk) that enable disk overwrite. Correlate process creation, privilege usage, and disk modification events within a short time window.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| User Account Metadata (DC0013) | WinEventLog:Security | EventCode=4673 |
| Drive Modification (DC0046) | WinEventLog:Sysmon | Raw disk writes targeting \\.\PhysicalDrive* or MBR locations |
| Driver Load (DC0079) | WinEventLog:Sysmon | EventCode=6 |

Mutable Elements

| Field | Description |
|---|---|
| ProcessWhitelist | Backup, forensics, or imaging tools may perform legitimate raw disk access — requires tuning per environment. |
| TimeWindow | Correlation threshold for process execution, driver load, and raw disk writes. |
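The following is an added example of the AN0882 correlation, not code from the DET0316 page or from MITRE. It takes already-normalised events (the field names `ts`, `kind`, `pid`, `image`, `detail` are an assumption, not a SIEM schema) and raises one alert per raw write to a \\.\PhysicalDrive object from a process that is not on the ProcessWhitelist, marking the alert high when a same-process privilege use (Security 4673) or any driver load (Sysmon EventCode=6) falls inside the TimeWindow. All event records are constructed.

```python
from datetime import datetime, timedelta

# Mutable elements from AN0882, exposed as tunables (values are constructed)
TIME_WINDOW = timedelta(seconds=60)
PROCESS_WHITELIST = {r"c:\program files\acme backup\backupagent.exe"}  # constructed path


def is_raw_disk_target(target: str) -> bool:
    # Raw device objects such as \\.\PhysicalDrive0; ordinary file paths return False
    t = target.lower()
    return t.startswith(r"\\.\physicaldrive") or t.startswith(r"\\.\harddisk")


# Constructed, normalised events. kind is one of:
#   "priv_use"    -> Security EventCode=4673, pid = calling process
#   "driver_load" -> Sysmon EventCode=6, host-wide (no process pid)
#   "raw_write"   -> disk modification, detail = target object or path
EVENTS = [
    {"ts": "2025-10-21T10:00:00", "kind": "priv_use", "pid": 4120,
     "image": r"C:\Users\Public\update.exe", "detail": "SeLoadDriverPrivilege"},
    {"ts": "2025-10-21T10:00:02", "kind": "driver_load", "pid": None,
     "image": r"C:\Windows\Temp\rawdisk.sys", "detail": "third-party driver"},
    {"ts": "2025-10-21T10:00:05", "kind": "raw_write", "pid": 4120,
     "image": r"C:\Users\Public\update.exe", "detail": r"\\.\PhysicalDrive0"},
    {"ts": "2025-10-21T10:00:06", "kind": "raw_write", "pid": 4120,
     "image": r"C:\Users\Public\update.exe", "detail": r"C:\Users\Public\log.txt"},  # ordinary file
    {"ts": "2025-10-21T11:00:00", "kind": "raw_write", "pid": 5010,
     "image": r"C:\Program Files\Acme Backup\BackupAgent.exe", "detail": r"\\.\PhysicalDrive0"},  # whitelisted
    {"ts": "2025-10-21T13:00:00", "kind": "raw_write", "pid": 6120,
     "image": r"C:\Users\Public\x.exe", "detail": r"\\.\PhysicalDrive1"},  # no supporting signal in window
]


def correlate(events, window=TIME_WINDOW, whitelist=PROCESS_WHITELIST):
    """Return one alert per raw disk write from a non-whitelisted process.

    Supporting signals are a privilege use by the same pid and any driver load
    on the host, both within +/- window of the write; either raises severity."""
    parsed = sorted(((datetime.fromisoformat(e["ts"]), e) for e in events), key=lambda p: p[0])
    alerts = []
    for t, e in parsed:
        if e["kind"] != "raw_write" or not is_raw_disk_target(e["detail"]):
            continue
        if e["image"].lower() in whitelist:
            continue  # ProcessWhitelist: backup/forensics/imaging tools
        support = set()
        for ot, o in parsed:
            if abs(ot - t) > window:
                continue
            if o["kind"] == "priv_use" and o["pid"] == e["pid"]:
                support.add("priv_use")
            elif o["kind"] == "driver_load":
                support.add("driver_load")
        alerts.append({"pid": e["pid"], "image": e["image"], "target": e["detail"],
                       "support": sorted(support),
                       "severity": "high" if support else "medium"})
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```

Driver loads are correlated host-wide rather than per process because a Sysmon driver-load event carries no user-mode pid; narrowing TIME_WINDOW is the main lever against unrelated driver loads inflating severity.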

Linux

AN0883

Execution of destructive utilities (dd, shred, wipe) targeting block devices, or processes invoking syscalls to directly overwrite /dev/sd or /dev/nvme partitions. Correlate abnormal file write attempts with shell process execution and block device access.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Drive Access (DC0054) | auditd:SYSCALL | open/write syscalls to block devices (/dev/sd, /dev/nvme) |
| Process Creation (DC0032) | auditd:EXECVE | Execution of dd, shred, or wipe with arguments targeting block devices |

Mutable Elements

| Field | Description |
|---|---|
| TargetDevices | Exclude removable drives or designated partitions that may be overwritten during maintenance. |
| EntropyThreshold | Tune detection for pseudorandom write patterns to reduce false positives during high-volume I/O. |
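As an added example for the AN0883 process-creation analytic (not code from the DET0316 page), the block below parses auditd EXECVE records, including the hex-encoded argument form auditd uses for values it will not print literally, and reports dd, shred, or wipe invocations whose arguments target a /dev/sd* or /dev/nvme* device. For dd only the of= operand counts, since if=/dev/sda reads the device (imaging) rather than overwriting it. The TargetDevices exclusion set and every sample record are constructed.

```python
import re
from os.path import basename

# Mutable element TargetDevices: devices excluded from alerting (constructed value)
EXCLUDED_DEVICES = {"/dev/sdz"}
DESTRUCTIVE_TOOLS = {"dd", "shred", "wipe"}

EXECVE_RE = re.compile(r"^type=EXECVE msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):(?P<rest>.*)$")
# auditd writes each argument as aN="value", or as aN=<hex digits> without quotes when the
# value contains spaces or other characters it does not print literally
ARG_RE = re.compile(r'\ba(?P<idx>\d+)=(?:"(?P<quoted>[^"]*)"|(?P<hex>[0-9A-Fa-f]+))')
BLOCK_DEV_RE = re.compile(r"^/dev/(sd[a-z]+|nvme\d+n\d+)(p?\d+)?$")


def parse_execve(line):
    """Return {ts, serial, argv} for an EXECVE record, or None for any other record type."""
    m = EXECVE_RE.match(line)
    if not m:
        return None
    args = {}
    for a in ARG_RE.finditer(m.group("rest")):
        value = a.group("quoted")
        if value is None:  # hex-encoded form
            value = bytes.fromhex(a.group("hex")).decode("utf-8", errors="replace")
        args[int(a.group("idx"))] = value
    return {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
            "argv": [args[i] for i in sorted(args)]}


def block_device_targets(argv, excluded=EXCLUDED_DEVICES):
    """Return (tool, [block devices the command would overwrite])."""
    if not argv:
        return "", []
    tool = basename(argv[0])
    if tool not in DESTRUCTIVE_TOOLS:
        return tool, []
    candidates = []
    for arg in argv[1:]:
        if tool == "dd":
            if arg.startswith("of="):  # only the output operand is written to
                candidates.append(arg[3:])
        elif not arg.startswith("-"):  # shred/wipe: positional operands are the targets
            candidates.append(arg)
    return tool, [c for c in candidates if BLOCK_DEV_RE.match(c) and c not in excluded]


def scan(lines, excluded=EXCLUDED_DEVICES):
    findings = []
    for line in lines:
        rec = parse_execve(line)
        if rec is None:
            continue
        tool, devices = block_device_targets(rec["argv"], excluded)
        if devices:
            findings.append({"serial": rec["serial"], "tool": tool, "devices": devices})
    return findings


# Constructed sample records; serial 205 carries a hex-encoded argument ("/dev/sdc")
SAMPLE_LINES = [
    'type=EXECVE msg=audit(1761040800.101:201): argc=4 a0="dd" a1="if=/dev/zero" a2="of=/dev/sda" a3="bs=1M"',
    'type=EXECVE msg=audit(1761040805.222:202): argc=3 a0="dd" a1="if=/dev/sdb" a2="of=/backup/sdb.img"',
    'type=EXECVE msg=audit(1761040810.333:203): argc=5 a0="shred" a1="-n" a2="1" a3="-z" a4="/dev/nvme0n1p2"',
    'type=EXECVE msg=audit(1761040815.444:204): argc=2 a0="shred" a1="/dev/sdz"',
    'type=EXECVE msg=audit(1761040820.555:205): argc=2 a0="/usr/bin/wipe" a1=2F6465762F736463',
    'type=SYSCALL msg=audit(1761040820.555:205): arch=c000003e syscall=59 success=yes',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f)
```

Serial 202 (dd reading a device into an image file) and 204 (an excluded device) produce no finding, which is the behaviour the TargetDevices element is meant to tune.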

macOS

AN0884

Abnormal invocation of diskutil or asr with destructive flags (eraseDisk, zeroDisk), or low-level IOKit calls that overwrite raw disk content. Detect correlation between elevated process execution and disk erase operations.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | diskutil eraseDisk/zeroDisk or asr restore with destructive flags |
| Drive Modification (DC0046) | macos:unifiedlog | IOKit raw disk write activity targeting physical devices |

Mutable Elements

| Field | Description |
|---|---|
| AdminToolWhitelist | Provisioning workflows may legitimately use diskutil/asr — whitelist by user or system context. |
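An added example for the AN0884 command-execution analytic (not code from the DET0316 page): it classifies diskutil eraseDisk/zeroDisk and asr restore --erase command lines, pulls out the target device, and suppresses hits whose (user, parent process) pair is on the AdminToolWhitelist, which is how the "whitelist by user or system context" element is modelled here. The record fields `ts`, `user`, `parent`, `command` are an assumed normalisation of unified-log data, and all records and the whitelist entry are constructed.

```python
import os
import shlex

DISKUTIL_DESTRUCTIVE = {"eraseDisk", "zeroDisk"}   # verbs named in the analytic
# AdminToolWhitelist: (user, parent process) contexts allowed to erase disks (constructed)
ADMIN_TOOL_WHITELIST = {("_provision", "/usr/local/libexec/provisiond")}

# Constructed records with an assumed normalised schema
RECORDS = [
    {"ts": "2025-10-21T09:00:00", "user": "jdoe", "parent": "/bin/zsh",
     "command": "diskutil eraseDisk JHFS+ Wiped disk0"},
    {"ts": "2025-10-21T09:05:00", "user": "_provision", "parent": "/usr/local/libexec/provisiond",
     "command": "diskutil eraseDisk APFS Macintosh disk0"},          # whitelisted context
    {"ts": "2025-10-21T09:06:00", "user": "jdoe", "parent": "/bin/zsh",
     "command": "diskutil list"},                                     # benign
    {"ts": "2025-10-21T09:10:00", "user": "root", "parent": "/bin/bash",
     "command": "asr restore --source /tmp/image.dmg --target /dev/disk0 --erase --noprompt"},
    {"ts": "2025-10-21T09:11:00", "user": "root", "parent": "/bin/bash",
     "command": "asr restore --source /tmp/image.dmg --target /dev/disk3"},  # no --erase
    {"ts": "2025-10-21T09:12:00", "user": "root", "parent": "/bin/bash",
     "command": "/usr/sbin/diskutil zeroDisk disk2"},
]


def classify(command):
    """Return (tool, action, target) for a destructive diskutil/asr command line, else None."""
    argv = shlex.split(command)
    if len(argv) < 2:
        return None
    tool = os.path.basename(argv[0])
    if tool == "diskutil" and argv[1] in DISKUTIL_DESTRUCTIVE:
        # eraseDisk <format> <name> <device> and zeroDisk [force] <device>: device is last
        return tool, argv[1], argv[-1]
    if tool == "asr" and argv[1] == "restore" and "--erase" in argv:
        target = argv[argv.index("--target") + 1] if "--target" in argv[:-1] else "?"
        return tool, "restore --erase", target
    return None


def detect(records, whitelist=ADMIN_TOOL_WHITELIST):
    alerts = []
    for r in records:
        hit = classify(r["command"])
        if hit is None:
            continue
        if (r["user"], r["parent"]) in whitelist:
            continue  # provisioning workflow running in its expected context
        tool, action, target = hit
        alerts.append({"ts": r["ts"], "user": r["user"], "parent": r["parent"],
                       "tool": tool, "action": action, "target": target})
    return alerts


if __name__ == "__main__":
    for a in detect(RECORDS):
        print(a)
```

Keying the whitelist on user and parent together, rather than on the tool alone, means the same eraseDisk command raised from an interactive shell by an ordinary user still alerts.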

Network Devices

AN0885

Execution of CLI commands erasing file systems or storage (erase flash:, format disk, erase nvram:). Detect authentication events followed by destructive commands within the same privileged session.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | networkdevice:cli | erase flash:, erase nvram:, format disk |
| User Account Authentication (DC0002) | networkdevice:syslog | Privileged login followed by destructive command sequence |

Mutable Elements

| Field | Description |
|---|---|
| PrivilegedUsers | Tune to exclude approved maintenance performed by authorized administrators. |
| CommandPatterns | Expand or narrow destructive command coverage depending on vendor-specific syntax. |
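As an added example for AN0885 (not code from the DET0316 page), the block below links CLI command events to the authentication event of the same session, flags destructive commands that match the CommandPatterns list, records whether a privileged login was seen for that session, and drops commands from accounts on the PrivilegedUsers approved-maintenance set. The `AUTH:`/`CLI:` key=value line format is a constructed, vendor-neutral stand-in for device syslog, and all sample lines and tunable values are constructed.

```python
import re

# Mutable elements (constructed values)
COMMAND_PATTERNS = [          # CommandPatterns: extend for vendor-specific syntax
    r"^erase\s+flash:",
    r"^erase\s+nvram:",
    r"^format\s+\S+",
]
APPROVED_MAINTENANCE = {"svc-maint"}   # PrivilegedUsers: approved maintenance accounts

# Constructed line format: <ts> <host> AUTH|CLI: key=value ...
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<type>AUTH|CLI):\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "type": m.group("type")}
    for kv in KV_RE.finditer(m.group("kv")):
        key, quoted, bare = kv.group(1), kv.group(2), kv.group(3)
        rec[key] = quoted if quoted is not None else bare
    return rec


def detect(lines, patterns=COMMAND_PATTERNS, approved=APPROVED_MAINTENANCE):
    """Return alerts for destructive CLI commands, each tied to its session's login."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    sessions = {}   # (host, session id) -> successful AUTH record
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        key = (rec["host"], rec.get("session"))
        if rec["type"] == "AUTH":
            if rec.get("result") == "success":
                sessions[key] = rec
            continue
        cmd = rec.get("cmd", "")
        if not any(p.search(cmd) for p in compiled):
            continue
        user = rec.get("user")
        if user in approved:
            continue  # approved maintenance account
        login = sessions.get(key)
        alerts.append({"host": rec["host"], "session": rec.get("session"), "user": user,
                       "cmd": cmd,
                       "privileged_login": bool(login and login.get("privilege") == "15"),
                       "login_src": login.get("src") if login else None})
    return alerts


# Constructed sample lines (session 23 has a destructive command with no login seen)
SAMPLE_LINES = [
    '2025-10-21T10:00:00Z core-rtr1 AUTH: user=admin src=10.0.0.5 session=17 result=success privilege=15',
    '2025-10-21T10:00:10Z core-rtr1 CLI: user=admin session=17 cmd="show version"',
    '2025-10-21T10:00:40Z core-rtr1 CLI: user=admin session=17 cmd="erase flash:"',
    '2025-10-21T10:05:00Z core-rtr1 AUTH: user=svc-maint src=10.0.0.9 session=18 result=success privilege=15',
    '2025-10-21T10:05:30Z core-rtr1 CLI: user=svc-maint session=18 cmd="format disk0:"',
    '2025-10-21T10:10:00Z core-rtr1 AUTH: user=bob src=10.0.0.7 session=19 result=success privilege=1',
    '2025-10-21T10:10:20Z core-rtr1 CLI: user=bob session=19 cmd="erase nvram:"',
    '2025-10-21T10:12:00Z core-rtr1 CLI: user=eve session=23 cmd="erase flash:"',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LINES):
        print(a)
```

A destructive command with no matching login in the session state (session 23 above) is still reported, with `login_src` left empty, since a gap in authentication logging is itself worth a look rather than a reason to suppress.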