磁盘内容擦除

攻击者可能会擦除特定系统以及网络中大量系统上存储设备的内容，从而中断系统和网络资源的可用性。

攻击者可能会部分或完全覆盖存储设备的内容，从而使数据无法通过存储接口恢复。具有破坏性意图的对手可能会擦除磁盘内容的任意部分，而不是擦除特定的磁盘结构或文件。为了擦除磁盘内容，攻击者可以直接访问硬盘驱动器，以便用随机数据覆盖磁盘大小任意的部分。已经观察到对手利用RawDrive等第三方驱动程序直接访问磁盘内容。[1] [2]此行为与数据销毁不同，因为磁盘的某些部分而不是单个文件被擦除了。

为了在以网络范围的可用性中断为目标的运营中最大限度地提高对目标组织的影响，用于擦除磁盘内容的恶意软件可能具有蠕虫般的功能，可以利用有效帐户，凭据转储和Windows Admin等其他技术在网络上传播。股份。

Disk Content Wipe

Adversaries may erase the contents of storage devices on specific systems as well as large numbers of systems in a network to interrupt availability to system and network resources.

Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface. Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data. Adversaries have been observed leveraging third-party drivers like RawDisk to directly access disk content. This behavior is distinct from Data Destruction because sections of the disk erased instead of individual files.

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, Credential Dumping, and Windows Admin Shares

标签

编号： T1488

策略： 影响

平台： Linux，macOS，Windows

所需权限：user，administrator，root，SYSTEM

数据源： 内核驱动程序，进程监视，进程命令行参数

影响类型： 可用性

缓解措施

减轻	描述
数据备份	考虑实施IT灾难恢复计划，其中包含用于进行可用于还原组织数据的常规数据备份的过程。确保备份存储在系统之外，并且免受攻击者可能用来获取访问权限并破坏备份以防止恢复的常见方法的攻击。

Mitigation	Description
Data Backup	Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

检测

寻找尝试读取/写入敏感位置（例如分区引导扇区或BIOS参数块/超级块）的尝试。监视异常的内核驱动程序安装活动。

Look for attempts to read/write to sensitive locations like the partition boot sector or BIOS parameter block/superblock. Monitor for unusual kernel driver installation activity.