splApache-2.0from splunk/security_content
Linux Auditd Dd File Overwrite
The following analytic detects the use of the 'dd' command to overwrite files on a Linux system. It leverages data from Linux Auditd telemetry, focusing on process execution logs that include command-line details. This activity is significant because adversaries often use the 'dd' command to destroy or irreversibly overwrite files, disrupting system availability and services. If confirmed malicious, this behavior could lead to data destruction, making recovery difficult and potentially causing significant operational disruptions.
Quality
43
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/linux_auditd_dd_file_overwrite.yml
`linux_auditd` proctitle = "*dd *" AND proctitle = "*of=*" AND proctitle = "*if=/dev/zero*"
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY proctitle dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_dd_file_overwrite_filter`