add delete drive layout via ioctl (#878)

mandiant · Feb 5, 2024 · f50b80d · f50b80d
1 parent 48dfd00
commit f50b80d
Showing 1 changed file with 25 additions and 0 deletions.
diff --git a/impact/wipe-disk/delete-drive-layout-via-ioctl.yml b/impact/wipe-disk/delete-drive-layout-via-ioctl.yml
@@ -0,0 +1,25 @@
+rule:
+  meta:
+    name: delete drive layout via IOCTL
+    namespace: impact/wipe-disk
+    authors:
+      - [email protected]
+    scopes:
+      static: basic block
+      dynamic: thread
+    att&ck:
+      - Impact::Disk Wipe::Disk Structure Wipe [T1561.002]
+    mbc:
+      - Impact::Disk Wipe [F0014]
+    references:
+      - https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/
+      - http://www.ioctls.net/
+      - https://tyleo.github.io/sharedlib/doc/winapi/winioctl/constant.IOCTL_DISK_DELETE_DRIVE_LAYOUT.html
+    examples:
+      - 36cc72c55f572fe02836f25516d18fed1de768e7f29af7bdf469b52a3fe2531f:0x401090
+  features:
+    - and:
+      - or:
+        - api: DeviceIoControl
+        - characteristic: indirect call
+      - number: 0x7c100 = IOCTL_DISK_DELETE_DRIVE_LAYOUT