S9002: Diskpart
Diskpart is a Windows command-line utility that is used to manage the computer’s drives, which includes disks, partitions, volumes and virtual hard disks.[1]
Adversaries may abuse Diskpart to perform discovery and destructive actions on a system’s storage. For example, adversaries have been observed using Diskpart to conduct Discovery techniques to enumerate disks and volumes to gather information about the host environment, and to execute commands such as `clean all` to remove partition information and overwrite data across disks, resulting in data destruction.[2]
Analyst context for executives and security teams
Diskpart is a legitimate Windows administration utility for managing disks, partitions, volumes, and virtual hard disks. Its security significance is that the same trusted utility can support both host discovery and destructive storage actions. For leaders, this matters because abuse of Diskpart can move an incident from investigation to business interruption quickly if disk structures or data are wiped.
Executive priority
Prioritize Diskpart visibility on Windows systems that support critical business services. The key decision is whether the organization can distinguish normal administrator storage maintenance from suspicious command-line use that enumerates disks or invokes destructive actions such as disk cleaning. This behavior is relevant to resilience planning, incident response readiness, audit evidence for endpoint monitoring, and recovery assumptions for high-value Windows assets.
Technical view
SOC and IR teams should validate monitoring for Diskpart execution on Windows, especially when launched through Windows Command Shell and when command lines or scripts reference disk, volume, partition enumeration, or destructive storage operations. Relationship context ties this tool to Windows Command Shell execution, discovery behaviors, permissions-related activity, and Disk Structure Wipe impact. Because ATT&CK provides no official detection text for this object, local baselining is essential: identify expected administrator use, maintenance windows, service accounts, and systems where Diskpart should rarely or never run.
Likely telemetry
- Windows process creation events for diskpart.exe
- Parent-child process relationships, especially cmd.exe launching diskpart.exe
- Command-line arguments of diskpart.exe and of its parent process (piped input such as `echo clean | diskpart` appears only on the parent's command line), the contents of any script file passed with `/s`, and interactive command logging where available
- Endpoint detection and response records for storage-management utility execution
- Windows administrative activity records tied to privileged users or service accounts
Detection direction
- Alert on Diskpart execution outside known administrative workflows, especially on servers, domain-connected workstations, or business-critical Windows hosts.
- Correlate diskpart.exe with Windows Command Shell activity, unusual privileged accounts, remote execution context if available, or nearby discovery activity.
- Prioritize command patterns that enumerate disks, volumes, and partitions or that clean or delete disk structures; keep alert text focused on the observed command and context rather than reproducing an operational playbook.
- Tune carefully for legitimate storage administration, imaging, deployment, repair, and virtualization workflows to reduce false positives.
- Because no official ATT&CK detection guidance is provided, validate whether endpoint logging captures the actual Diskpart commands, not only the process name. Diskpart takes its commands interactively, from a script file passed with `/s`, or from piped standard input, so a command such as `clean` may never appear on diskpart.exe's own command line; confirm that the parent process command line and any referenced script file are captured.
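The triage logic described in the technical view and detection direction above, as an added example that is not MITRE's, Glexia's, or Microsoft's code and not a published ATT&CK detection. It scores constructed process-creation records whose field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine, ParentCommandLine, User); the hosts, users, paths and script contents are invented, the `SCRIPT_FILES` map is a hypothetical stand-in for fetching a file through an EDR, and `BASELINE_USERS` stands in for the local baseline of expected administrator use. The command keyword lists are illustrative, not exhaustive.

```python
import re

# Constructed, Sysmon Event ID 1-style process-creation records. Hosts, users and
# paths are invented for this example.
EVENTS = [
    {"Image": r"C:\Windows\System32\diskpart.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"diskpart /s C:\Windows\Temp\d.txt",
     "ParentCommandLine": r"cmd.exe /c diskpart /s C:\Windows\Temp\d.txt", "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\diskpart.exe", "ParentImage": r"C:\Deploy\tsmanager.exe",
     "CommandLine": r"diskpart.exe /s C:\Deploy\layout.txt",
     "ParentCommandLine": r"C:\Deploy\tsmanager.exe", "User": r"CORP\svc-imaging"},
    {"Image": r"C:\Windows\System32\diskpart.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "diskpart",
     "ParentCommandLine": r"cmd.exe /c (echo select disk 0 & echo clean) | diskpart", "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad", "ParentCommandLine": "explorer.exe", "User": r"CORP\jdoe"},
]

# Hypothetical stand-in for fetching a script file's contents through EDR: path -> text.
SCRIPT_FILES = {
    r"C:\Windows\Temp\d.txt": "select disk 0\nclean all\nexit\n",
    r"C:\Deploy\layout.txt": "select disk 1\nlist partition\nexit\n",
}

# Accounts whose diskpart use is explained by a documented workflow (assumed local baseline).
BASELINE_USERS = {r"CORP\svc-imaging"}

SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Illustrative keyword sets; diskpart has more commands than are listed here.
DESTRUCTIVE = re.compile(r"\b(clean(?:\s+all)?|delete\s+(?:partition|volume|disk)|format|remove)\b", re.I)
DISCOVERY = re.compile(r"\b(?:list|detail)\s+(?:disk|volume|partition|vdisk)\b", re.I)
SCRIPT_ARG = re.compile(r'[/-]s\s+(?:"([^"]+)"|(\S+))', re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def diskpart_commands(event: dict) -> str:
    """Gather diskpart command text from the places it actually appears.

    diskpart takes commands interactively, from a /s script file, or from piped
    stdin, so diskpart.exe's own command line is often just 'diskpart'.
    """
    parts = []
    m = SCRIPT_ARG.search(event.get("CommandLine", ""))
    if m:
        parts.append(SCRIPT_FILES.get(m.group(1) or m.group(2), ""))
    parent = event.get("ParentCommandLine", "")
    if "|" in parent and "diskpart" in parent.lower():
        parts.append(parent.split("|", 1)[0])  # e.g. 'echo clean | diskpart'
    return "\n".join(parts)


def score_event(event: dict):
    """Return None for non-diskpart events, else a dict with score, severity and reasons."""
    if basename(event.get("Image", "")) != "diskpart.exe":
        return None
    score, reasons = 0, []
    parent = basename(event.get("ParentImage", ""))
    if parent in SHELL_PARENTS:
        score += 1
        reasons.append(f"launched from {parent}")
    cmds = diskpart_commands(event)
    hit = DESTRUCTIVE.search(cmds)
    if hit:
        score += 3
        reasons.append(f"destructive command: {hit.group(0)}")
    elif DISCOVERY.search(cmds):
        score += 1
        reasons.append("disk/volume enumeration")
    elif not cmds.strip():
        score += 1
        reasons.append("commands not captured (interactive or unresolved script)")
    if event.get("User") not in BASELINE_USERS:
        score += 1
        reasons.append("user outside diskpart baseline")
    severity = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {"score": score, "severity": severity, "reasons": reasons}


def triage(events):
    """Score every event; alerts are diskpart events rated medium or high."""
    scored = [(e, score_event(e)) for e in events]
    return [(e["CommandLine"], r) for e, r in scored if r and r["severity"] != "low"]


if __name__ == "__main__":
    for cmdline, r in triage(EVENTS):
        print(r["severity"], cmdline, "|", "; ".join(r["reasons"]))
```

The third record is the one to study: diskpart.exe's own command line is just `diskpart`, and the `clean` only surfaces because the parent cmd.exe command line was retained. The second record shows the baseline at work: a scripted `list partition` from the imaging service account scores low and produces no alert.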
Mitigation priorities
- Restrict Diskpart use to authorized administrators and documented maintenance procedures on Windows systems.
- Apply least privilege so routine users and unnecessary service accounts cannot perform storage-management actions.
- Maintain recoverable, tested backups and recovery procedures for systems where disk structure wipe would create material outage.
- Review privileged access, change management, and maintenance-window evidence so legitimate Diskpart use is explainable during an incident.
- Use endpoint monitoring and centralized logging to preserve process, parent process, user, and command context for investigations.
Analyst notes and limits
This object is a tool entry, not a technique, and its official ATT&CK tactics field is not specified. The strongest operational context comes from the official description and relationships to Windows Command Shell, discovery, Windows permissions, and Disk Structure Wipe. Diskpart is legitimate administration software, so suspiciousness depends heavily on user, host role, timing, parent process, and command context.
ATT&CK does not provide official detection guidance for this object. The supplied relationship snippets are partial for some related techniques, and the object supports only the Windows platform. Local environment baselines are required before making conclusions about malicious use or coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1561.002 | Disk Structure Wipe (sub-technique) | |
| Enterprise | T1222.001 | Windows File and Directory Permissions Modification (sub-technique) | Diskpart can be used to display, set, or clear attributes of a disk or volume.[1] |
| Enterprise | T1082 | System Information Discovery | Diskpart can show information about the selected disk, partition, volume, or virtual hard disk (VHD).[1] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | |
| Enterprise | T1083 | File and Directory Discovery | If executed with elevated privileges, Diskpart can list all volumes, including virtual disks. [Halcyon_CloakRansomware_Dec2024] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a551141bab1a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Microsoft_diskpart_Feb2023: Microsoft. (2023, February 3). diskpart. Retrieved March 17, 2025.
[2] Trendmicro_RansomHub_Dec2024: Trend Research. (2024, December 20). RansomHub. Retrieved December 23, 2025.
[3] mitre-attack: S9002 (MITRE ATT&CK source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.