Overwriting the File with Dev Zero or Null

 1title: Overwriting the File with Dev Zero or Null
 2id: 37222991-11e9-4b6d-8bdf-60fbe48f753e
 3status: stable
 4description: Detects overwriting (effectively wiping/deleting) of a file.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
 7author: Jakob Weinzettl, oscd.community
 8date: 2019-10-23
 9tags:
10    - attack.impact
11    - attack.t1485
12logsource:
13    product: linux
14    service: auditd
15detection:
16    selection:
17        type: 'EXECVE'
18        a0|contains: 'dd'
19        a1|contains:
20            - 'if=/dev/null'
21            - 'if=/dev/zero'
22    condition: selection
23falsepositives:
24    - Appending null bytes to files.
25    - Legitimate overwrite of files.
26level: low

References

• atomic-red-team/atomics/T1485/T1485.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

Related rules

• AWS EFS Fileshare Mount Modified or Deleted
• AWS EKS Cluster Created or Deleted
• Azure Device or Configuration Modified or Deleted
• DD File Overwrite
• Deleted Data Overwritten Via Cipher.EXE