MITRE ATT&CK Technique
Description
Adversaries may corrupt or wipe the disk data structures on hard drive necessary to boot systems; targeting specific critical systems as well as a large number of systems in a network to interrupt availability to system and network resources. Adversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. [Disk Structure Wipe](https://attack.mitre.org/techniques/T1487) may be performed in isolation, or along with [Disk Content Wipe](https://attack.mitre.org/techniques/T1488) if all sectors of a disk are wiped. To maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2019-03-19T19:38:27.097Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may corrupt or wipe the disk data structures on '
'hard drive necessary to boot systems; targeting specific '
'critical systems as well as a large number of systems in a '
'network to interrupt availability to system and network '
'resources. \n'
'\n'
'Adversaries may attempt to render the system unable to boot '
'by overwriting critical data located in structures such as '
'the master boot record (MBR) or partition table.(Citation: '
'Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov '
'2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: '
'Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) '
'The data contained in disk structures may include the initial '
'executable code for loading an operating system or the '
'location of the file system partitions on disk. If this '
'information is not present, the computer will not be able to '
'load an operating system during the boot process, leaving the '
'computer unavailable. [Disk Structure '
'Wipe](https://attack.mitre.org/techniques/T1487) may be '
'performed in isolation, or along with [Disk Content '
'Wipe](https://attack.mitre.org/techniques/T1488) if all '
'sectors of a disk are wiped.\n'
'\n'
'To maximize impact on the target organization, malware '
'designed for destroying disk structures may have worm-like '
'features to propagate across a network by leveraging other '
'techniques like [Valid '
'Accounts](https://attack.mitre.org/techniques/T1078), [OS '
'Credential '
'Dumping](https://attack.mitre.org/techniques/T1003), and '
'[Windows Admin '
'Shares](https://attack.mitre.org/techniques/T1077).(Citation: '
'Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov '
'2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: '
'Kaspersky StoneDrill 2017)',
'external_references': [{'external_id': 'T1487',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1487'},
{'description': 'Symantec. (2012, August 16). The '
'Shamoon Attacks. Retrieved March 14, '
'2019.',
'source_name': 'Symantec Shamoon 2012',
'url': 'https://www.symantec.com/connect/blogs/shamoon-attacks'},
{'description': 'FireEye. (2016, November 30). '
'FireEye Responds to Wave of '
'Destructive Cyber Attacks in Gulf '
'Region. Retrieved January 11, 2017.',
'source_name': 'FireEye Shamoon Nov 2016',
'url': 'https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html'},
{'description': 'Falcone, R.. (2016, November 30). '
'Shamoon 2: Return of the Disttrack '
'Wiper. Retrieved January 11, 2017.',
'source_name': 'Palo Alto Shamoon Nov 2016',
'url': 'http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/'},
{'description': 'Kaspersky Lab. (2017, March 7). From '
'Shamoon to StoneDrill: Wipers '
'attacking Saudi organizations and '
'beyond. Retrieved March 14, 2019.',
'source_name': 'Kaspersky StoneDrill 2017',
'url': 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf'},
{'description': 'Falcone, R. (2018, December 13). '
'Shamoon 3 Targets Oil and Gas '
'Organization. Retrieved March 14, '
'2019.',
'source_name': 'Unit 42 Shamoon3 2018',
'url': 'https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/'}],
'id': 'attack-pattern--2e114e45-2c50-404c-804a-3af9564d240e',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'impact'}],
'modified': '2025-10-24T17:48:35.428Z',
'name': 'Disk Structure Wipe',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_impact_type': ['Availability'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows', 'macOS', 'Linux'],
'x_mitre_version': '1.1'}