title: DD File Overwrite
id: 2953194b-e33c-4859-b9e8-05948c167447
status: experimental
description: Detects potential overwriting and deletion of a file using DD.
date: 2021/10/15
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
tags:
    - attack.impact
    - attack.t1485
references:
   - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd
logsource:
   product: linux
   category: process_creation
detection:
   selection1:
      Image: '/bin/dd'
   selection2:   
      CommandLine|contains: 'of='
   selection3:
      CommandLine|contains:
         - 'if=/dev/zero'
         - 'if=/dev/null'
   condition: selection1 and selection2 and selection3
falsepositives:
   - Any user deleting files that way.
level: low