Type: Detection | Level: low | Status: stable

Overwriting the File with Dev Zero or Null

Detects overwriting (effectively wiping/deleting) of a file.

Author: Jakob Weinzettl, oscd.community
Created: Wed Oct 23
Rule ID: 37222991-11e9-4b6d-8bdf-60fbe48f753e
Logsource: linux
Log Source
Product: Linux (raw: linux)
Service: auditd (raw: auditd)
Detection Logic (1 selector)
detection:
    selection:
        type: 'EXECVE'
        a0|contains: 'dd'
        a1|contains:
            - 'if=/dev/null'
            - 'if=/dev/zero'
    condition: selection
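As an added example (not part of the rule or of the SigmaHQ repository), the Python below parses auditd EXECVE records and applies the selection above: `type` must equal EXECVE, `a0` must contain `dd`, and `a1` must contain one of the two `if=` values. The log lines are constructed, not captured; the hex-encoded `a2` on the second line is the form auditd uses for an argument containing a space. `matches_any_arg` is a broader variant of my own, not the rule's logic: because `dd` accepts its operands in any order, it checks the `if=` operand in every argv position after `a0`, whereas the rule as written inspects only `a1`.

```python
import re

# The rule's selection block, transcribed as data so a generic evaluator
# can apply it. Sigma semantics: every key in a selection must hold (AND);
# a list of values under one key is an OR; "contains" is a substring test.
SELECTION = {
    "type": "EXECVE",
    "a0|contains": ["dd"],
    "a1|contains": ["if=/dev/null", "if=/dev/zero"],
}

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# auditd hex-encodes an argv entry (without quotes) when it contains a space,
# a double quote or a control character.
HEX_RE = re.compile(r"^[0-9A-F]+$")
ARG_KEY_RE = re.compile(r"^a\d+$")
EVENT_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")


def parse_audit_record(line: str) -> dict:
    """Parse one auditd log line into a dict of its fields.

    Quoted values lose their quotes; hex-encoded aN values are decoded so the
    rule sees the same string the kernel saw in argv.
    """
    record = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        elif ARG_KEY_RE.match(key) and HEX_RE.match(value) and len(value) % 2 == 0:
            value = bytes.fromhex(value).decode("utf-8", errors="replace")
        record[key] = value
    event = EVENT_RE.search(line)
    record["event_id"] = event.group(1) if event else None
    return record


def contains_any(value, needles) -> bool:
    return value is not None and any(n in value for n in needles)


def matches_selection(record: dict, selection: dict = SELECTION) -> bool:
    """Evaluate a Sigma selection (plain equality or |contains) against a record."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = record.get(field)
        wanted = expected if isinstance(expected, list) else [expected]
        if modifier == "contains":
            ok = contains_any(actual, wanted)
        elif modifier == "":
            ok = actual in wanted
        else:
            raise ValueError(f"unsupported Sigma modifier: {modifier}")
        if not ok:
            return False
    return True


def matches_any_arg(record: dict) -> bool:
    """Added, broader variant (not the rule's own logic): accept the if=
    operand in any argv position after a0, since dd does not care about
    operand order and the rule as written inspects only a1."""
    if record.get("type") != "EXECVE" or not contains_any(record.get("a0"), ["dd"]):
        return False
    operands = [v for k, v in record.items() if ARG_KEY_RE.match(k) and k != "a0"]
    return any(contains_any(v, SELECTION["a1|contains"]) for v in operands)


def scan_log(text: str, matcher=matches_selection) -> list:
    """Return the audit event ids of the lines the matcher flags."""
    hits = []
    for line in text.splitlines():
        record = parse_audit_record(line)
        if record and matcher(record):
            hits.append(record["event_id"])
    return hits


# Constructed sample records (not real logs). The a2 of event 202 is the
# hex form auditd emits for "of=/home/user/my notes.txt" (it contains a space).
SAMPLE_LOG = """\
type=EXECVE msg=audit(1571833200.101:201): argc=3 a0="dd" a1="if=/dev/zero" a2="of=/var/log/auth.log"
type=EXECVE msg=audit(1571833200.102:202): argc=3 a0="dd" a1="if=/dev/null" a2=6F663D2F686F6D652F757365722F6D79206E6F7465732E747874
type=EXECVE msg=audit(1571833200.103:203): argc=3 a0="dd" a1="if=/dev/urandom" a2="of=/tmp/rand.bin"
type=EXECVE msg=audit(1571833200.104:204): argc=3 a0="dd" a1="of=/home/user/notes.txt" a2="if=/dev/zero"
type=EXECVE msg=audit(1571833200.105:205): argc=2 a0="cat" a1="/dev/null"
type=SYSCALL msg=audit(1571833200.106:206): arch=c000003e syscall=59 success=yes exit=0 comm="dd" exe="/usr/bin/dd"
"""

if __name__ == "__main__":
    print("rule as written :", scan_log(SAMPLE_LOG))                   # ['201', '202']
    print("any-argv variant:", scan_log(SAMPLE_LOG, matches_any_arg))  # ['201', '202', '204']
```

Event 203 (`if=/dev/urandom`) is correctly left alone by both matchers, and event 204 shows the coverage difference between the rule's `a1`-only check and the any-position variant; if you adopt the broader form, expect the same false positives the page lists, since legitimate `dd` runs from `/dev/zero` look identical on the command line.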
False Positives

Appending null bytes to files.

Legitimate overwrite of files.

MITRE ATT&CK
Tactic: Impact (attack.impact)
Technique: T1485 (attack.t1485)
Rule Metadata
Rule ID
37222991-11e9-4b6d-8bdf-60fbe48f753e
Status
stable
Level
low
Type
Detection
Created
Wed Oct 23
Path
rules/linux/auditd/execve/lnx_auditd_dd_delete_file.yml
Raw Tags
attack.impact
attack.t1485