Data Corruption via Overwriting
Data Corruption via Overwriting is a destructive subtechnique under the Data Destruction technique within the Impact tactic, where adversaries deliberately modify data to render it unusable or unreliable without completely removing it. Unlike complete deletion methods, this approach involves systematically overwriting critical bytes, file headers, metadata, or content within files or databases while leaving the corrupted structure in place.
Attackers may use this method to achieve operational disruption when full deletion would be detected or prevented by security controls, or when they want to maximize confusion by leaving systems appearing functional while actually compromised. The corruption can be targeted to specific data segments (such as database indexes, configuration files, or application data) or may be executed across entire storage volumes.
This approach is particularly insidious because corrupted data may not trigger the immediate alerts that complete destruction would, potentially delaying detection while still causing significant business impact. Recovery from overwriting attacks is often harder than recovery from deletion, since backups must be validated more thoroughly to ensure that the restored versions are themselves uncorrupted.
Data Sources
- File: File Modification
- Application Log: Application Log Content
- Database: Database Transaction Logs
- Process: Process Creation
- Network Traffic: Network Connection Creation
Detection
| ID | Data Source | Detection |
|---|---|---|
| DS0022 | File: File Modification | Alert on high-volume writes targeting a mix of config files and data files within a short time window, especially when followed by mtime/fsize anomalies not matched by corresponding process opens. |
| DS0015 | Application Log | Detect spikes in checksum or CRC mismatch errors, database integrity violations, or filesystem error logs. |
| DS0009 | Process Metadata | Flag untrusted binaries executing dd, truncate, or direct disk-access syscalls against protected mount points. |
| DS0029 | Network Traffic Content | Identify remote sessions issuing mass UPDATE/DELETE statements without a WHERE clause, or binary protocols overwriting blob fields. |
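As an added illustration of the DS0022 rule in the table above (this code is not part of the original entry), the following Python detector applies the sliding-window logic to constructed file-modification events: it alerts once per process whose writes in the window both reach a volume threshold and touch config files and data files together. The extension sets, sample paths and thresholds are assumptions to be tuned per environment.

```python
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Hypothetical extension sets; in production, key these to the real config and data paths.
CONFIG_EXT = {".conf", ".cfg", ".ini", ".yaml", ".yml", ".json"}
DATA_EXT = {".db", ".sqlite", ".csv", ".dat", ".mdf"}

WriteEvent = namedtuple("WriteEvent", "ts pid path")      # one DS0022 file-modification record
Alert = namedtuple("Alert", "pid start end writes")

def classify(path):
    """Bucket a path as 'config', 'data' or 'other' by extension."""
    ext = PurePosixPath(path).suffix.lower()
    return "config" if ext in CONFIG_EXT else "data" if ext in DATA_EXT else "other"

def detect_overwrite_bursts(events, window=timedelta(seconds=60), min_writes=20):
    """Sliding-window check of the rule in the detection table: alert once per pid
    when its writes inside `window` reach `min_writes` AND touch both config and
    data files. A process that only hammers data files (log rotation, a batch
    job) never crosses the bar, which keeps the rule quiet on normal churn."""
    recent = defaultdict(deque)            # pid -> deque of (ts, class)
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[ev.pid]
        q.append((ev.ts, classify(ev.path)))
        while q[0][0] < ev.ts - window:    # drop writes that fell out of the window
            q.popleft()
        kinds = {k for _, k in q}
        if ev.pid not in alerted and len(q) >= min_writes and {"config", "data"} <= kinds:
            alerted.add(ev.pid)
            alerts.append(Alert(ev.pid, q[0][0], ev.ts, len(q)))
    return alerts

# Constructed sample telemetry (not real logs): pid 100 is a noisy but benign
# data-only writer; pid 200 overwrites config and database files in a 25-second burst.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = (
    [WriteEvent(T0 + timedelta(seconds=5 * i), 100, f"/var/lib/app/part{i}.dat") for i in range(40)]
    + [WriteEvent(T0 + timedelta(seconds=i), 200,
                  f"/etc/app/svc{i}.conf" if i % 2 else f"/var/lib/app/shard{i}.db") for i in range(25)]
)

if __name__ == "__main__":
    for a in detect_overwrite_bursts(SAMPLE_EVENTS):
        print(f"pid {a.pid}: {a.writes} mixed config/data writes "
              f"between {a.start:%H:%M:%S} and {a.end:%H:%M:%S}")
```

Pair the alert with the mtime/fsize and process-open correlation the table mentions before paging anyone; on its own the volume-plus-mix rule is a triage signal, not a verdict.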
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1053 | Data Backup | Maintain immutable, versioned backups with offline/air-gapped retention and frequent integrity tests (hash compare). |
| M1022 | Restrict File & Directory Permissions | Enforce mandatory access controls (SELinux/AppArmor) preventing low-privilege processes from raw-disk or critical DB file writes. |
| M1041 | Encrypt Sensitive Information | Employ authenticated encryption (AEAD) or database TDE with checksum validation to detect silent overwrites. |
| M1030 | Network Segmentation | Segregate management/database networks; require a jump host plus MFA for any write-capable protocols. |