valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 01:45:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
8a0262d1a2
SigmaHQ/rules/linux/lnx_dd_delete_file.yml

26 lines
706 B
YAML
Raw Normal View History

Rule fixes Made tests pass the new CI tests. Added further allowed lower case words in rule test.
2020-02-20 22:00:16 +00:00
title: Overwriting the File with Dev Zero or Null
UUIDs + moved unsupported logic * Added UUIDs to all contributed rules * Moved unsupported logic directory out of rules/ because this breaks CI testing.
2019-12-19 22:56:36 +00:00
id: 37222991-11e9-4b6d-8bdf-60fbe48f753e
Rule fixes Made tests pass the new CI tests. Added further allowed lower case words in rule test.
2020-02-20 22:00:16 +00:00
date: 2019/10/23
DD overwrite with zero/null (T1485)
2019-10-23 18:22:33 +00:00
description: Detects overwriting (effectively wiping/deleting) the file
author: Jakob Weinzettl, oscd.community
tags:
- attack.impact
- attack.t1485
logsource:
product: linux
Adding auditd compatibility
2019-11-29 08:32:05 +00:00
service: auditd
DD overwrite with zero/null (T1485)
2019-10-23 18:22:33 +00:00
detection:
Adding auditd compatibility
2019-11-29 08:32:05 +00:00
selection:
type: 'EXECVE'
Update lnx_dd_delete_file.yml
2019-12-02 01:54:48 +00:00
a0|contains: 'dd'
a1|contains:
Adding auditd compatibility
2019-11-29 08:32:05 +00:00
- 'if=/dev/null'
- 'if=/dev/zero'
condition: selection
DD overwrite with zero/null (T1485)
2019-10-23 18:22:33 +00:00
falsepositives:
OSCD QA wave 3
2020-01-19 21:34:16 +00:00
- Appending null bytes to files
- Legitimate overwrite of files
DD overwrite with zero/null (T1485)
2019-10-23 18:22:33 +00:00
level: low
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.yaml
Reference in New Issue Copy Permalink