TIARAS - T1561: Disk Wipe

MITRE ATT&CK Technique

Impact T1561

Description

Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted. To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware) On network devices, adversaries may wipe configuration files and other data from the device using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `erase`.(Citation: erase_cmd_cisco)

Supported Platforms

Linux macOS Windows Network Devices

Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data

{'created': '2020-02-20T22:02:20.372Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may wipe or corrupt raw disk data on specific '
                'systems or in large numbers in a network to interrupt '
                'availability to system and network resources. With direct '
                'write access to a disk, adversaries may attempt to overwrite '
                'portions of disk data. Adversaries may opt to wipe arbitrary '
                'portions of disk data and/or wipe disk structures like the '
                'master boot record (MBR). A complete wipe of all disk sectors '
                'may be attempted.\n'
                '\n'
                'To maximize impact on the target organization in operations '
                'where network-wide availability interruption is the goal, '
                'malware used for wiping disks may have worm-like features to '
                'propagate across a network by leveraging additional '
                'techniques like [Valid '
                'Accounts](https://attack.mitre.org/techniques/T1078), [OS '
                'Credential '
                'Dumping](https://attack.mitre.org/techniques/T1003), and '
                '[SMB/Windows Admin '
                'Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: '
                'Novetta Blockbuster Destructive Malware)\n'
                '\n'
                'On network devices, adversaries may wipe configuration files '
                'and other data from the device using [Network Device '
                'CLI](https://attack.mitre.org/techniques/T1059/008) commands '
                'such as `erase`.(Citation: erase_cmd_cisco)',
 'external_references': [{'external_id': 'T1561',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1561'},
                         {'description': 'Cisco. (2022, August 16). erase - '
                                         'Cisco IOS Configuration Fundamentals '
                                         'Command Reference . Retrieved July '
                                         '13, 2022.',
                          'source_name': 'erase_cmd_cisco',
                          'url': 'https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/D_through_E.html#wp3557227463'},
                         {'description': 'Novetta Threat Research Group. '
                                         '(2016, February 24). Operation '
                                         'Blockbuster: Destructive Malware '
                                         'Report. Retrieved November 17, 2024.',
                          'source_name': 'Novetta Blockbuster Destructive '
                                         'Malware',
                          'url': 'https://web.archive.org/web/20160303200515/https:/operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf'},
                         {'description': 'Russinovich, M. & Garnier, T. (2017, '
                                         'May 22). Sysmon v6.20. Retrieved '
                                         'December 13, 2017.',
                          'source_name': 'Microsoft Sysmon v6 May 2017',
                          'url': 'https://docs.microsoft.com/sysinternals/downloads/sysmon'}],
 'id': 'attack-pattern--1988cc35-ced8-4dad-b2d1-7628488fa967',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'impact'}],
 'modified': '2025-10-24T17:48:27.697Z',
 'name': 'Disk Wipe',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Austin Clark, @c2defense'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_impact_type': ['Availability'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'macOS', 'Windows', 'Network Devices'],
 'x_mitre_version': '1.2'}

Quick Actions

Edit TTP Update from Web

Related Threat Actors (2)

APT28
High

APT37
High

Back to TTPs

Dashboard About