heroui logo

Overwriting the File with Dev Zero or Null

Sigma Rules

View Source
Summary
This detection rule identifies instances where files are being overwritten using specific commands that involve `/dev/null` or `/dev/zero` on Linux systems. The use of the `EXECVE` system call with parameters indicating operations to overwrite files serves as a basis for detecting potentially malicious activity aimed at file deletion or data destruction. The rule focuses on identifying the use of the `dd` command with flags specifying the source as `/dev/null` or `/dev/zero`. Given that these devices produce no data, their usage in file manipulation commands is typically associated with attempts to erase or nullify the contents of files. This detection is critical as overwriting files can lead to significant data loss, especially in environments where compliance and data integrity are paramount. The detection logic consists of triggering alerts when the `dd` command is executed with the aforementioned conditions, providing security teams the opportunity to investigate further actions on files that should not have been altered or deleted.
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1485
Created: 2019-10-23