Skip to main content

RawDisk

This is a defensive tool-intelligence page. It is intended for analyst navigation, source review, and hunt planning. It is not a malware-analysis report and does not contain sample code or binaries.

Summary

  • Associated actor(s): Void Manticore / Handala
  • Tool type(s): Disk access driver/tool
  • Confidence level(s): Medium
  • Source ID(s): SRC-MITRE-G1055

Behavior

ActorBehavior Summary
Void Manticore / HandalaMITRE ATT&CK lists RawDisk as software used by this actor; track it as raw disk access for destructive operations.

Hash And IOC Status

ActorStatusReference
Void Manticore / HandalaHash not committed; use the linked MITRE references and original source reports for current IOCs.SRC-MITRE-G1055

Hashes and IOCs on this page are source pointers or representative public indicators. They SHOULD be refreshed from the linked source before operational use and MUST NOT be used alone for actor attribution.

Defensive Hunting Notes

ActorHunting Notes
Void Manticore / HandalaHunt for RawDisk execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain.

Handling Notes

ActorHandling Notes
Void Manticore / HandalaCommon or dual-use tools require local allowlisting and must not be used alone for actor attribution.

Mapped ATT&CK Techniques For Associated Actor(s)

ActorTechniqueTacticMapping QualitySource
Void Manticore / HandalaT1566 PhishingInitial AccessM2SRC-AP-HANDALA
Void Manticore / HandalaT1204 User ExecutionExecutionM2SRC-AP-HANDALA
Void Manticore / HandalaT1485 Data DestructionImpactM2SRC-AP-HANDALA
Void Manticore / HandalaT1490 Inhibit System RecoveryImpactM2SRC-AP-HANDALA
Void Manticore / HandalaT1567 Exfiltration Over Web ServiceExfiltrationM2SRC-AP-HANDALA
Void Manticore / HandalaT1078.004 Valid Accounts: Cloud AccountsInitial AccessM3SRC-PUSH-STRYKER-HANDALA
Void Manticore / HandalaT1485 Data DestructionImpactM2SRC-PUSH-STRYKER-HANDALA

These detections are mapped through the associated actor or scenario and are not automatically tool-specific. Promote a tool-specific detection only after the behavior is tied to telemetry and test evidence.

ActorDetectionRelease StatusDRLRule
Void Manticore / HandalaDET-001 - Intune Bulk Device Wipe AnomalyHunt5detections/kql/intune-bulk-device-wipe-anomaly.kql
Void Manticore / HandalaDET-004 - Mail Click To Execution CorrelationHunt4detections/kql/mail-click-to-exec-correlation.kql

These hunts are mapped through the associated actor or scenario and may need narrowing before they are used for this specific tool.

ActorHuntHypothesisQuery
Void Manticore / HandalaHUNT-001If identity-plane destructive tradecraft is attempted then privileged role activation or bulk device actions will appear in audit logsdetections/kql/intune-bulk-device-wipe-anomaly.kql
Void Manticore / HandalaHUNT-004If VIP phishing is active then mail click events will correlate to risky sign-in or executiondetections/kql/mail-click-to-exec-correlation.kql

Source Review

SourcePublisherDateReliabilityTypeLast Reviewed
SRC-MITRE-G1055MITRE ATT&CK2026-05-12AKnowledge base2026-05-14

If a source publishes a large or frequently changing IOC appendix, keep the current IOC list in the source system or TIP and store only the pointer here.