Diskpart Volume Clean All Execution

Rule Info

Name
Diskpart Volume Clean All Execution
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the execution of diskpart's "clean all" command, which permanently destroys all data on a disk volume by overwriting every sector with zeros. Threat actors abuse this for data destruction and wiper attacks.
Reference
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clean
Date
2026-05-04 00:00:00
Modified
None
Id
3f8e1a72-c4d9-4b05-a8e3-91f2d7b60c34
Tags
attack.impact attack.t1561.002 attack.t1485
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022