DET0137: Detection Strategy for Disk Wipe via Direct Disk Access and Destructive Commands
Analyst context for executives and security teams
DET0137 is a MITRE ATT&CK detection strategy object for identifying Disk Wipe behavior through direct disk access and destructive commands. Its business significance is availability risk: disk wiping can disrupt systems, network resources, and recovery operations. Because the detection strategy itself has no official description, detection text, platforms, or tactics specified, teams should treat it as a pointer to the related ATT&CK technique T1561, Disk Wipe, rather than as a complete analytic.
Executive priority
Prioritize this as an operational resilience and incident-readiness issue. Leaders should ask whether critical Linux, macOS, Windows, and network-device environments have sufficient logging, access control, backup, and recovery evidence to detect and respond to destructive disk activity. The key decision value is not only whether alerts exist, but whether the organization can prove it would see suspicious raw disk access or destructive command activity before or during a high-impact availability event.
Technical view
This detection strategy is explicitly related to ATT&CK technique T1561, Disk Wipe, under the Impact tactic. SOC and detection engineering teams should validate monitoring around attempts to wipe or corrupt raw disk data, including activity targeting disk sectors or disk structures such as the master boot record where applicable. Because the DET0137 object does not provide official detection logic, teams must derive local analytics from the related technique context and test them against their own endpoint, server, and network-device telemetry.
Likely telemetry
- Endpoint process execution telemetry for destructive disk-related commands
- Operating system audit logs showing privileged access to raw disks or block devices
- File, device, or kernel-level telemetry indicating direct write access to disk devices
- Security logs for privilege use, administrative sessions, and command execution
- EDR or host monitoring events on Linux, macOS, and Windows systems where available
Detection direction
- Confirm that telemetry exists for the platforms identified in the related technique: Linux, macOS, Windows, and Network Devices.
- Prioritize analytics that combine privileged execution, direct disk access, and destructive command context rather than relying on command names alone.
- Tune for administrative false positives such as legitimate disk maintenance, imaging, decommissioning, or storage operations.
- Validate alert routing and escalation because Disk Wipe is an Impact behavior where response speed affects business continuity.
- Look for blind spots in unmanaged servers, network devices, recovery infrastructure, and systems without endpoint telemetry.
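As an added example that is not part of the ATT&CK object or this page, the scoring below combines the three signals the list above asks for (privileged execution, a raw block-device target and destructive command context) and suppresses change-controlled maintenance so imaging and decommissioning do not page on command name alone. The event shape, the privileged-user set, the regexes and the sample rows are all constructed assumptions, not a product's schema.

```python
"""Added example (not ATT&CK or Glexia code): score process-execution events
for Disk Wipe (T1561) context by combining privileged execution, a direct
block-device target and destructive command syntax, then suppressing
change-controlled maintenance. Event shape and samples are constructed."""
import re

PRIVILEGED_USERS = {"root", "SYSTEM", "Administrator"}   # assumed local list

# Raw device paths as written on Linux/macOS and Windows command lines.
DEVICE_RE = re.compile(
    r"/dev/(r?disk\d+|sd[a-z]+|nvme\d+n\d+|vd[a-z]+)(p?\d+)?\b"
    r"|\\\\\.\\PhysicalDrive\d+", re.IGNORECASE)

# Destructive context: the device must be the *target* of a write, not the source.
DESTRUCTIVE_RES = [
    re.compile(r"\bdd\b.*\bof=(/dev/|\\\\\.\\)"),          # dd writing onto a device
    re.compile(r"\bwipefs\b.*(\s-a\b|--all)"),             # signature wipe
    re.compile(r"\b(shred|mkfs(\.\w+)?)\b.*(/dev/|\\\\\.\\)"),
]

SAMPLE_EVENTS = [  # constructed telemetry rows: user, command line, change ticket
    {"user": "root", "cmd": "dd if=/dev/zero of=/dev/sda bs=1M", "ticket": None},
    {"user": "root", "cmd": "dd if=/dev/sda of=/backup/sda.img bs=1M", "ticket": None},
    {"user": "alice", "cmd": "wipefs -a /dev/sdb", "ticket": None},
    {"user": "root", "cmd": "wipefs -a /dev/sdc", "ticket": "CHG-2291"},
    {"user": "SYSTEM", "cmd": r"dd if=/dev/zero of=\\.\PhysicalDrive0", "ticket": None},
    {"user": "root", "cmd": "ls -l /dev/sda", "ticket": None},
]

def classify(event):
    """Severity for one event from the three combined signals."""
    cmd = event["cmd"]
    if not DEVICE_RE.search(cmd):
        return "none"
    if not any(r.search(cmd) for r in DESTRUCTIVE_RES):
        return "info"      # read-side access such as imaging: keep for context only
    if event["user"] not in PRIVILEGED_USERS:
        return "medium"    # destructive syntax without privilege context: verify
    if event.get("ticket"):
        return "review"    # matches change-control evidence: validate, do not page
    return "high"          # privileged + device target + destructive + no ticket

def triage(events):
    """Events above 'info', most urgent first."""
    order = {"high": 0, "medium": 1, "review": 2}
    hits = [(classify(e), e["user"], e["cmd"]) for e in events]
    return sorted((h for h in hits if h[0] in order), key=lambda h: order[h[0]])
```

The "review" tier is where the change-control evidence from the mitigation list is consumed: a matching ticket lowers urgency but still leaves a record to validate.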
Mitigation priorities
- Restrict and monitor privileged access capable of direct disk writes or destructive storage operations.
- Ensure critical systems and network devices have recoverable, tested backups aligned to business recovery objectives.
- Harden administrative pathways and require strong change-control evidence for legitimate disk maintenance activity.
- Improve host and network-device logging where raw disk access or destructive commands would otherwise be invisible.
- Integrate detection with incident response runbooks for rapid isolation, recovery decision-making, and preservation of evidence.
Analyst notes and limits
The supplied ATT&CK object is a detection strategy with no official description or detection text. The strongest supported context comes from its relationship to T1561, Disk Wipe, which is an enterprise Impact technique affecting Linux, macOS, Windows, and Network Devices. Treat this as a coverage and validation prompt rather than a complete ATT&CK analytic.
No official DET0137 detection logic, tactics, platforms, aliases, or description were provided. This summary does not assert active exploitation, attribution, product coverage, or guaranteed detection. Local environment architecture, logging depth, administrative procedures, and backup design are required to determine actual defensive coverage.
Detection Strategy for Disk Wipe via Direct Disk Access and Destructive Commands
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 05098be019c0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0137
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.