MITRE ATT&CK® Tool

S0364: RawDisk

RawDisk is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer's hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.[1][2]

Enterprise · S0364 · Tool · Object v1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

RawDisk matters because it is legitimate Windows driver software that can directly modify files, disks, and partitions, including from user-mode processes in ways that may bypass normal Windows security controls. In ATT&CK, its relevance is tied to destructive outcomes: data destruction, disk content wiping, and disk structure wiping. For leaders, the key issue is operational resilience: if a tool with raw disk access is introduced or abused, endpoint recovery, backup integrity, and rapid incident containment become more important than simple malware removal.

Executive priority

Treat RawDisk-like capability as a high-consequence availability risk rather than a routine software finding. The ATT&CK relationships connect it to impact techniques and to disruptive/destructive activity contexts, so executives should ask whether critical Windows systems have controls and monitoring for unauthorized driver use, raw disk access, and destructive changes to boot or partition structures. This is also relevant to audit and resilience evidence: backup restoration testing, privileged software governance, endpoint logging, and incident response runbooks should demonstrate readiness for destructive disk activity.

Technical view

For SOC, detection engineering, and IR teams, validate visibility on Windows endpoints for driver installation/loading, unusual processes interacting with physical disks or partitions, and events preceding destructive impact. ATT&CK provides no official detection text for RawDisk, so coverage must be derived from the tool description and its relationships to T1485, T1561.001, and T1561.002. Prioritize critical servers and administrator workstations, and correlate raw disk access indicators with privilege use, new or uncommon drivers, process ancestry, and rapid changes to disk structures or data availability.

Likely telemetry

  • Windows endpoint telemetry for driver installation and driver load activity
  • Process execution and process ancestry on Windows systems
  • File and disk access telemetry showing direct interaction with disks, partitions, or raw device paths
  • Privilege and administrative activity logs related to software or driver deployment
  • Endpoint security alerts for destructive behavior, disk wiping, or boot/partition modification

Detection direction

  • Establish a baseline of legitimate low-level disk utilities and drivers in the environment; alert on uncommon or unauthorized raw disk access tools.
  • Tune detections around the combination of driver activity plus direct disk or partition modification, rather than the name alone, because the supplied object describes RawDisk as legitimate commercial software.
  • Prioritize correlation with impact behavior mapped through relationships: Data Destruction, Disk Content Wipe, and Disk Structure Wipe.
  • Validate whether existing EDR/SIEM logging captures the events needed before a destructive action completes; post-impact evidence may be too late for containment.
  • Account for false positives from backup, disk management, forensic, encryption, and storage administration tools, but require documented business justification for such activity on critical systems.
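As an added example (not code from ATT&CK, Glexia, or EldoS), the following Python sketches the correlation the telemetry and detection lists above call for: it baselines approved drivers and disk tools, then scores constructed Sysmon-style driver-load (Event ID 6) and raw-disk-access (Event ID 9) records per host, rating a new driver followed by raw disk access higher than raw access alone. The pipe-delimited record format, hostnames, paths and baseline sets are constructed assumptions.

```python
"""Correlate driver loads with raw-disk access per Windows host (added example,
not ATT&CK or Glexia code). Sysmon Event IDs 6 (Driver loaded) and 9 (RawAccessRead)
are real; the record format, hosts, paths and baseline sets are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # how long a driver load stays "recent" on a host
# Constructed baseline of drivers and tools approved for low-level disk work.
APPROVED_DRIVERS = {"disk.sys", "volsnap.sys"}
APPROVED_RAW_TOOLS = {r"c:\program files\backupvendor\bkagent.exe"}

def parse(line):
    """'<ISO time>|host=..|id=..|image=..|device=..' -> dict (constructed format)."""
    ts, *fields = line.strip().split("|")
    rec = {"time": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def correlate(lines):
    """'high' = non-baseline driver loaded on the host within WINDOW before a
    non-baseline process read a raw disk device; 'medium' = raw access alone."""
    records = sorted((parse(l) for l in lines), key=lambda r: r["time"])
    recent_drivers = defaultdict(list)  # host -> [(time, driver file name)]
    findings = []
    for r in records:
        if r["id"] == "6":  # driver loaded: remember it unless it is baseline
            driver = r["image"].rsplit("\\", 1)[-1].lower()
            if driver not in APPROVED_DRIVERS:
                recent_drivers[r["host"]].append((r["time"], driver))
        elif r["id"] == "9" and r["device"].lower().startswith(r"\device\harddisk"):
            if r["image"].lower() in APPROVED_RAW_TOOLS:
                continue  # documented business use (backup agent): no finding
            linked = [d for t, d in recent_drivers[r["host"]] if r["time"] - t <= WINDOW]
            findings.append({"host": r["host"], "process": r["image"], "device": r["device"],
                             "drivers": linked, "severity": "high" if linked else "medium"})
    return findings

# Constructed sample telemetry: approved backup agent on WS01, driver + raw access on SRV02.
SAMPLE = [
    r"2024-05-01T09:00:00|host=WS01|id=9|image=C:\Program Files\BackupVendor\bkagent.exe|device=\Device\HarddiskVolume2",
    r"2024-05-01T09:02:10|host=SRV02|id=6|image=C:\Windows\Temp\unknownrawdisk.sys|device=",
    r"2024-05-01T09:03:45|host=SRV02|id=9|image=C:\Windows\Temp\unknown_disk_util.exe|device=\Device\Harddisk0\DR0",
    r"2024-05-01T11:30:00|host=WS03|id=9|image=C:\Tools\diskviewer.exe|device=\Device\Harddisk0\DR0",
]

if __name__ == "__main__":
    for f in correlate(SAMPLE):
        print(f["severity"].upper(), f["host"], f["process"], f["drivers"])
```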

Mitigation priorities

  • Maintain strict governance over who can install or load drivers and low-level disk utilities on Windows systems.
  • Limit administrative privileges and review exceptions for systems where raw disk access tools are legitimately required.
  • Harden critical Windows systems with endpoint controls that can restrict unauthorized driver or disk modification behavior where supported by existing security architecture.
  • Test recovery procedures for destructive disk scenarios, including restoration of systems affected by content wiping or boot/partition structure damage.
  • Ensure incident response plans include rapid isolation, preservation of available evidence, and recovery decision points for destructive impact events.

Analyst notes and limits

The supplied ATT&CK object does not assign tactics directly to RawDisk and provides no official detection guidance. Its decision value comes from the official description and relationships showing use with impact techniques, plus relationships to HomeLand Justice and Lazarus Group. Those relationships should inform threat modeling, but they do not by themselves prove current activity or exposure in any specific environment.

This take is limited to the supplied ATT&CK fields, external references, and relationships. It does not assert active exploitation, customer exposure, or guaranteed detection. Local validation is required to determine whether RawDisk or similar raw disk access capability exists, whether it is authorized, and whether telemetry is sufficient to detect destructive use before business disruption.

Official MITRE ATT&CK definition

RawDisk

RawDisk is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer's hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.[1][2]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure (3 rows)

Enterprise | T1561.002 | Disk Structure Wipe (sub-technique)

RawDisk was used in Shamoon to help overwrite components of disk structure like the MBR and disk partitions. [Palo Alto Shamoon Nov 2016] [Unit 42 Shamoon3 2018]

Enterprise | T1561.001 | Disk Content Wipe (sub-technique)

RawDisk has been used to directly access the hard disk to help overwrite arbitrarily sized portions of disk content. [Novetta Blockbuster Destructive Malware]

Enterprise | T1485 | Data Destruction

RawDisk was used in Shamoon to write to protected system locations such as the MBR and disk partitions in an effort to destroy data. [Palo Alto Shamoon Nov 2016] [Unit 42 Shamoon3 2018]

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G0032: Lazarus Group

Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB).[1][2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]

North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]

Campaign (Enterprise)

C0038: HomeLand Justice

HomeLand Justice was a disruptive cyber campaign conducted by Iranian state-affiliated actors against Albanian government networks in July and September 2022. The activity combined ransomware, wiper malware, and data leak operations. Initial access for HomeLand Justice was established as early as May 2021, and threat actors moved laterally, exfiltrated sensitive information, and maintained persistence for approximately 14 months prior to the destructive phase of the operation. Responsibility was claimed by the "HomeLand Justice" front, which framed the campaign as retaliation against the Mujahedeen-e Khalq (MEK), an Iranian opposition group with a presence in Albania. Multiple Iran-nexus groups are assessed to have participated in the campaign, including HEXANE who probed victim infrastructure.[1][2][3] A second wave of attacks was launched in September 2022 using similar tactics following public attribution of the previous activity to Iran and the severing of diplomatic ties between Iran and Albania.[3]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Raw hash: b71be46055fd29b2...

Imported snapshots across ATT&CK releases (1)

Release | Object version | Status | Raw hash
19.1 | 1.1 | Current bundle | b71be46055fd…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] EldoS RawDisk ITpro: Edwards, M. (2007, March 14). EldoS Provides Raw Disk Access for Vista and XP. Retrieved March 26, 2019.
  2. [2] Novetta Blockbuster Destructive Malware: Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved November 17, 2024.
  3. [3] mitre-attack S0364

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.