This is a custom instance of the MITRE ATT&CK Website. The official website can be found at attack.mitre.org.
SOFTWARE
SOFTWARE
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
RawDisk
RawDisk is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer's hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.[1][2]
ID: S0364
ⓘ
Type: TOOL
ⓘ
Platforms: Windows
Version: 1.0
Created: 25 March 2019
Last Modified: 19 April 2019
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1485 | Data Destruction |
RawDisk was used in Shamoon to write to protected system locations such as the MBR and disk partitions in an effort to destroy data.[3][4] |
|
| Enterprise | T1561 | .001 | Disk Wipe: Disk Content Wipe |
RawDisk has been used to directly access the hard disk to help overwrite arbitrarily sized portions of disk content.[2] |
| .002 | Disk Wipe: Disk Structure Wipe |
RawDisk was used in Shamoon to help overwrite components of disk structure like the MBR and disk partitions.[3][4] |
||
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0032 | Lazarus Group |
References
- Edwards, M. (2007, March 14). EldoS Provides Raw Disk Access for Vista and XP. Retrieved March 26, 2019.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
- Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
×