DD File Overwrite
Detects potential overwriting and deletion of a file using DD.
Sigma rule
title: DD File Overwrite
id: 2953194b-e33c-4859-b9e8-05948c167447
status: test
description: Detects potential overwriting and deletion of a file using DD.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2022-07-07
tags:
    - attack.impact
    - attack.t1485
logsource:
    product: linux
    category: process_creation
detection:
    selection1:
        Image:
            - '/bin/dd'
            - '/usr/bin/dd'
    selection2:
        CommandLine|contains: 'of='
    selection3:
        CommandLine|contains:
            - 'if=/dev/zero'
            - 'if=/dev/null'
    condition: all of selection*
falsepositives:
    - Any user deleting files that way.
level: low
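The three selections and the `all of selection*` condition, transcribed into Python as an added worked example (not code from the Sigma project) and run over constructed process_creation events that use the rule's `Image` and `CommandLine` field names; Sigma string matching is case-insensitive by default, so the command line is lower-cased before the `contains` checks.

```python
# Values copied from the rule above.
DD_IMAGES = {"/bin/dd", "/usr/bin/dd"}                 # selection1
OUTPUT_MARKER = "of="                                   # selection2
ZEROING_INPUTS = ("if=/dev/zero", "if=/dev/null")       # selection3


def matches_dd_overwrite(event: dict) -> bool:
    """Return True when a process_creation event satisfies all three selections."""
    image = event.get("Image", "")
    # Sigma 'contains' is case-insensitive unless a modifier says otherwise.
    cmdline = event.get("CommandLine", "").lower()
    # selection1: exact match on the dd binary path
    if image not in DD_IMAGES:
        return False
    # selection2: an explicit output file is given
    if OUTPUT_MARKER not in cmdline:
        return False
    # selection3: the input is one of the two listed pseudo-devices
    return any(src in cmdline for src in ZEROING_INPUTS)


def find_matches(events):
    """Filter a list of events down to those the rule would alert on."""
    return [e for e in events if matches_dd_overwrite(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "/bin/dd", "CommandLine": "dd if=/dev/zero of=/var/log/auth.log bs=1M"},
    {"Image": "/usr/bin/dd", "CommandLine": "dd IF=/dev/null OF=/home/user/notes.txt"},
    {"Image": "/usr/bin/dd", "CommandLine": "dd if=/dev/urandom of=/tmp/x.bin count=1"},  # input not listed
    {"Image": "/bin/dd", "CommandLine": "dd if=/dev/sda of=/backup/disk.img bs=4M"},      # disk backup
    {"Image": "/usr/bin/cp", "CommandLine": "cp if=/dev/zero of=/tmp/y"},                 # wrong image
    {"Image": "/bin/dd", "CommandLine": "dd if=/dev/zero bs=1M count=10"},                # no of=
]

if __name__ == "__main__":
    for ev in find_matches(SAMPLE_EVENTS):
        print("ALERT T1485 (level: low):", ev["CommandLine"])
```

Note that only `/dev/zero` and `/dev/null` inputs are covered; the `/dev/urandom` sample above shows a wipe pattern this rule does not match.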
Related rules
- AWS EFS Fileshare Mount Modified or Deleted
- AWS EKS Cluster Created or Deleted
- Azure Device or Configuration Modified or Deleted
- Deleted Data Overwritten Via Cipher.EXE
- Fsutil Suspicious Invocation