
S0364 RawDisk

RawDisk is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer's hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.[1][2]

ID: S0364
Associated Names: -
Version: 1.0
Created: 25 March 2019
Last Modified: 28 July 2022

Techniques Used

Domain: enterprise

T1485 Data Destruction: RawDisk was used in Shamoon to write to protected system locations such as the MBR and disk partitions in an effort to destroy data.[3][4]
T1561 Disk Wipe: -
T1561.001 Disk Content Wipe: RawDisk has been used to directly access the hard disk to help overwrite arbitrarily sized portions of disk content.[2]
T1561.002 Disk Structure Wipe: RawDisk was used in Shamoon to help overwrite components of disk structure like the MBR and disk partitions.[3][4]

Groups That Use This Software

G0032 Lazarus Group [5][2]