S0364 RawDisk
RawDisk is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer's hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.[1][2]
| Item | Value | 
|---|---|
| ID | S0364 | 
| Associated Names | |
| Type | TOOL | 
| Version | 1.0 | 
| Created | 25 March 2019 | 
| Last Modified | 28 July 2022 | 
Techniques Used
| Domain | ID | Name | Use | 
|---|---|---|---|
| enterprise | T1485 | Data Destruction | RawDisk was used in Shamoon to write to protected system locations such as the MBR and disk partitions in an effort to destroy data.[3][4] |
| enterprise | T1561 | Disk Wipe | - |
| enterprise | T1561.001 | Disk Content Wipe | RawDisk has been used to directly access the hard disk to help overwrite arbitrarily sized portions of disk content.[2] |
| enterprise | T1561.002 | Disk Structure Wipe | RawDisk was used in Shamoon to help overwrite components of disk structure like the MBR and disk partitions.[3][4] |
Groups That Use This Software
| ID | Name | References | 
|---|---|---|
| G0032 | Lazarus Group | [5][2] |
References
1. Edwards, M. (2007, March 14). EldoS Provides Raw Disk Access for Vista and XP. Retrieved March 26, 2019.
2. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
3. Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
4. Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.
5. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.