diff --git a/impact/wipe-disk/delete-drive-layout-via-ioctl.yml b/impact/wipe-disk/delete-drive-layout-via-ioctl.yml
new file mode 100644
index 00000000..448154f3
--- /dev/null
+++ b/impact/wipe-disk/delete-drive-layout-via-ioctl.yml
@@ -0,0 +1,25 @@
+rule:
+  meta:
+    name: delete drive layout via IOCTL
+    namespace: impact/wipe-disk
+    authors:
+      - william.ballenthin@mandiant.com
+    scopes:
+      static: basic block
+      dynamic: thread
+    att&ck:
+      - Impact::Disk Wipe::Disk Structure Wipe [T1561.002]
+    mbc:
+      - Impact::Disk Wipe [F0014]
+    references:
+      - https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/
+      - http://www.ioctls.net/
+      - https://tyleo.github.io/sharedlib/doc/winapi/winioctl/constant.IOCTL_DISK_DELETE_DRIVE_LAYOUT.html
+    examples:
+      - 36cc72c55f572fe02836f25516d18fed1de768e7f29af7bdf469b52a3fe2531f:0x401090
+  features:
+    - and:
+      - or:
+        - api: DeviceIoControl
+        - characteristic: indirect call
+      - number: 0x7c100 = IOCTL_DISK_DELETE_DRIVE_LAYOUT