磁盘结构擦除

攻击者可能会损坏或擦除引导系统所需的硬盘驱动器上的磁盘数据结构；针对特定的关键系统以及网络中的大量系统，以中断对系统和网络资源的可用性。

攻击者可能试图通过覆盖位于主引导记录（MBR）或分区表等结构中的关键数据来使系统无法引导。磁盘结构中包含的数据可以包括用于加载操作系统或磁盘上文件系统分区位置的初始可执行代码。如果不存在此信息，则计算机将无法在引导过程中加载操作系统，从而使计算机不可用。磁盘结构擦除可以单独执行，也可以与磁盘内容擦除一起执行（如果磁盘的所有扇区都已擦除）。

为了最大限度地提高对目标组织的影响，旨在破坏磁盘结构的恶意软件可能具有蠕虫般的功能，可以通过利用其他技术（例如有效帐户，凭据转储和Windows管理员共享）在网络中传播。

Disk Structure Wipe

Adversaries may corrupt or wipe the disk data structures on hard drive necessary to boot systems; targeting specific critical systems as well as a large number of systems in a network to interrupt availability to system and network resources.

Adversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.[1][2][3][4][5] The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. Disk Structure Wipe may be performed in isolation, or along with Disk Content Wipe if all sectors of a disk are wiped.

To maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like Valid Accounts, Credential Dumping, and Windows Admin Shares.

标签

ID编号： T1487

策略： 影响

平台： Windows，macOS，Linux

所需权限： administrator，root，SYSTEM

数据源： 内核驱动程序，MBR

影响类型： 可用性

缓解措施

减轻	描述
数据备份	考虑实施IT灾难恢复计划，其中包含用于进行可用于还原组织数据的常规数据备份的过程。确保备份存储在系统之外，并且免受攻击者可能用来获取访问权限并破坏备份以防止恢复的常见方法的攻击。

Mitigation	Description
Data Backup	Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

检测

寻找尝试读取/写入敏感位置（如主引导记录和磁盘分区表）的尝试。监视异常的内核驱动程序安装活动。

Look for attempts to read/write to sensitive locations like the master boot record and the disk partition table. Monitor for unusual kernel driver installation activity.