MITRE ATT&CK® Technique

T1561: Disk Wipe

Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.[1]

On network devices, adversaries may wipe configuration files and other data from the device using Network Device CLI commands such as `erase`.[2]

Enterprise · T1561 · Technique · Object v1.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Disk Wipe is a destructive impact behavior where an adversary corrupts or overwrites disk data, boot structures, or network device configuration/data to interrupt availability. For leaders, the material issue is not data theft evidence but operational recovery: whether critical systems, network devices, and backups can survive a destructive event and be restored fast enough to meet business continuity needs.

Executive priority

Prioritize this technique as an availability and resilience risk across Windows, Linux, macOS, and network devices. Executives should ask whether critical servers, endpoints, and network infrastructure have recoverable, isolated backups; whether incident responders can distinguish destructive activity from normal administrative maintenance quickly; and whether identity, credential, and remote administration controls reduce the chance of network-wide propagation using valid accounts, credential dumping, or SMB/Windows admin shares as described in the ATT&CK context.

Technical view

ATT&CK provides no official detection text for T1561, but the related detection strategy DET0137 points defenders toward direct disk access and destructive commands. SOC and IR teams should validate visibility into raw disk writes, MBR or partition-table modification attempts, suspicious mass file or disk overwrite behavior, and network device CLI commands such as erase. Because the parent technique includes sub-techniques for Disk Content Wipe and Disk Structure Wipe, detection engineering should test both full/partial storage overwrite behaviors and boot-structure corruption indicators. Relationship context also suggests correlating destructive activity with valid account use, credential dumping, and SMB/Windows admin share activity when network-wide interruption is suspected.

Likely telemetry

  • Endpoint process execution and command-line telemetry on Windows, Linux, and macOS
  • Windows Sysmon or equivalent endpoint telemetry where deployed
  • Raw disk access, direct write, boot sector, partition table, or MBR modification events where available
  • File deletion, overwrite, or abnormal high-volume write activity on critical systems
  • Network device administrative CLI logs, especially destructive commands such as erase

Detection direction

  • Validate DET0137-style coverage for direct disk access and destructive commands rather than relying only on malware signatures.
  • Tune alerts to distinguish legitimate disk imaging, formatting, patching, device replacement, and administrator maintenance from unexpected destructive writes or erase commands.
  • Correlate disk wipe indicators with preceding credential misuse, OS credential dumping, and lateral movement over SMB/Windows admin shares when available.
  • Include network devices in detection scope; endpoint-only monitoring can miss configuration or data wiping performed through device CLI.
  • Use sub-technique framing to test both disk content wipe and disk structure wipe scenarios against current telemetry and alerting.
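As an added example (not code from the Glexia page, MITRE or DET0137), the following Python applies the detection direction above to constructed telemetry: it flags direct writes to raw disk devices, separates a first-sector (boot structure) write from other raw writes, flags network device `erase` commands, applies a maintenance allowlist for tuning, and reports users whose indicators span several hosts as a network-wide wipe candidate. The event field names, device-path patterns, allowlisted account and sample events are assumptions.

```python
# Added example, not the page's code: flag T1561 indicators in constructed telemetry.
# Assumed fields (not from the page): source, host, user, target, access, offset, command.
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Direct-write targets that indicate raw disk access (pattern is an assumption).
RAW_DISK_TARGET = re.compile(r"^(\\\\\.\\PhysicalDrive\d+|/dev/(sd[a-z]|nvme\d+n\d+))$")
# Destructive network device CLI command named in the ATT&CK text.
DEVICE_ERASE = re.compile(r"^\s*erase\b", re.IGNORECASE)
# Tuning: accounts whose raw disk writes are expected (imaging, maintenance).
MAINTENANCE_ALLOWLIST = {"svc_imaging"}
MBR_BYTES = 512  # a write inside the first sector touches the MBR / boot structure

def classify(event: Dict) -> Optional[str]:
    """Label one event as a T1561 indicator, or return None."""
    if event["user"] in MAINTENANCE_ALLOWLIST:
        return None  # documented exception for legitimate imaging/maintenance
    if event["source"] == "endpoint" and event.get("access") == "write":
        if RAW_DISK_TARGET.match(event["target"]):
            if event.get("offset", MBR_BYTES) < MBR_BYTES:
                return "T1561.002 disk structure write"
            return "T1561.001 raw disk write"
    if event["source"] == "network_device" and DEVICE_ERASE.match(event.get("command", "")):
        return "T1561 network device erase"
    return None

def detect(events: Iterable[Dict]) -> List[Tuple[str, str, str]]:
    """Return (host, user, label) for every event classify() flags."""
    return [(ev["host"], ev["user"], lbl) for ev in events if (lbl := classify(ev))]

def multi_host_users(hits: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Users with indicators on more than one host: candidate network-wide wipe."""
    hosts = defaultdict(set)
    for host, user, _ in hits:
        hosts[user].add(host)
    return {u: len(h) for u, h in hosts.items() if len(h) > 1}

SAMPLE_EVENTS = [  # constructed telemetry for this example, not real logs
    {"source": "endpoint", "host": "fs01", "user": "svc_imaging", "target": r"\\.\PhysicalDrive1", "access": "write", "offset": 0},
    {"source": "endpoint", "host": "fs01", "user": "jdoe", "target": r"\\.\PhysicalDrive0", "access": "write", "offset": 0},
    {"source": "endpoint", "host": "db02", "user": "jdoe", "target": "/dev/sda", "access": "write", "offset": 1048576},
    {"source": "endpoint", "host": "ws07", "user": "alice", "target": r"C:\Users\alice\notes.txt", "access": "write", "offset": 0},
    {"source": "network_device", "host": "core-sw1", "user": "jdoe", "command": "erase startup-config"},
    {"source": "network_device", "host": "core-sw1", "user": "netops", "command": "show running-config"},
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    print(hits, multi_host_users(hits))
```

In production the allowlist decision belongs in a documented tuning record, and the per-user host count should be computed over a time window rather than the whole stream.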

Mitigation priorities

  • Implement and regularly test Data Backup (M1053) for end-user systems, critical servers, and other systems needed for recovery.
  • Harden backup systems, keep backup storage isolated from the corporate network where feasible, and monitor access to backup infrastructure during incidents.
  • Prioritize recovery planning for systems whose loss would interrupt operations, including network devices as well as endpoints and servers.
  • Restrict and monitor privileged administrative access that could enable direct disk writes, destructive commands, or network-wide propagation.
  • Review controls around valid accounts, credential dumping exposure, and SMB/Windows admin shares because the ATT&CK description links these techniques to large-scale wiping operations.

Analyst notes and limits

This object is an ATT&CK enterprise impact technique, not an intrusion campaign or actor claim. The most decision-relevant point is whether the organization can detect destructive disk or device activity early enough and recover from it when prevention fails. Coverage should be proven with telemetry review, restore testing, and incident-response exercises rather than assumed from endpoint tooling alone.

The supplied ATT&CK object does not provide official detection guidance and does not state active exploitation, attribution, or organization-specific exposure. Telemetry and control recommendations are derived from the official description, external references, and relationships, and must be validated against the local platform mix and logging architecture.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1561.002 | Disk Structure Wipe | Sub-technique: Disk Structure Wipe is a sub-technique of this object.
Enterprise | T1561.001 | Disk Content Wipe | Sub-technique: Disk Content Wipe is a sub-technique of this object.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: 60d7afece64c1217...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.2 | | Current bundle | 60d7afece64c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Novetta Blockbuster Destructive Malware: Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved November 17, 2024.
  [2] erase_cmd_cisco: Cisco. (2022, August 16). erase - Cisco IOS Configuration Fundamentals Command Reference. Retrieved July 13, 2022.
  [3] Microsoft Sysmon v6 May 2017: Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved December 13, 2017.
  [4] mitre-attack T1561.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.