Adversaries may overwrite or delete critical system files using DD to evade detection and maintain persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential tampering of system integrity and early-stage malware activity.
Detection Rule
title: DD File Overwrite
id: 2953194b-e33c-4859-b9e8-05948c167447
status: test
description: Detects potential overwriting and deletion of a file using DD.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2022-07-07
tags:
    - attack.impact
    - attack.t1485
logsource:
    product: linux
    category: process_creation
detection:
    selection1:
        Image:
            - '/bin/dd'
            - '/usr/bin/dd'
    selection2:
        CommandLine|contains: 'of='
    selection3:
        CommandLine|contains:
            - 'if=/dev/zero'
            - 'if=/dev/null'
    condition: all of selection*
falsepositives:
    - Any user deleting files that way.
level: low
Azure Sentinel Query (KQL)
imProcessCreate
| where (TargetProcessName in~ ("/bin/dd", "/usr/bin/dd"))
    and TargetProcessCommandLine contains "of="
    and (TargetProcessCommandLine contains "if=/dev/zero" or TargetProcessCommandLine contains "if=/dev/null")
False Positive Scenarios

Scenario: System backup tool (e.g., Veeam, Acronis) performing a scheduled full system backup that overwrites or deletes temporary files during the process.
Filter/Exclusion: Check for process names like veeam.exe, acronis.exe, or backup.exe in the process tree, or filter by the presence of backup job names in the command line.

Scenario: Windows Update or Patch Management task (e.g., Windows Server Update Services, SCCM) that temporarily deletes or overwrites files during an update or patch installation.
Filter/Exclusion: Filter by process names such as wusa.exe, setup.exe, or sccm.exe, or check for the presence of update-related command-line arguments.

Scenario: Disk imaging or cloning tool (e.g., Clonezilla, Macrium Reflect) performing a disk image creation or restoration that overwrites files on the target disk.
Filter/Exclusion: Identify processes like clonezilla-live, macriumreflect.exe, or dd.exe (if used), and filter based on the presence of imaging or cloning in the command line.

Scenario: System maintenance task (e.g., DISM, System File Checker) that temporarily deletes or overwrites system files during a repair or cleanup operation.
Filter/Exclusion: Filter by process names like dism.exe, sfc.exe, or systemfilechecker.exe, or check for the presence of related command-line switches like /scannow or /rebuild.

Scenario: Log file rotation or cleanup task (e.g., Logrotate on Linux, Event Viewer cleanup on Windows) that deletes or overwrites log files as part of routine maintenance.
Filter/Exclusion: Filter by process names like logrotate, eventvwr.exe, or logclean.exe, or check for the presence
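The following is an added example, not code from the rule author or from Sigma/Sentinel: it re-implements the three selections of the rule above in Python, runs them over a handful of constructed process-creation events, and layers on the kind of parent-process exclusion the scenarios describe (here an allowlist containing logrotate). The event shape (image, command line, parent image) is an assumption chosen to mirror the Sigma fields; the sample command lines are constructed for the demonstration and are not real telemetry.

```python
"""Worked model of the 'DD File Overwrite' detection plus a tuning exclusion.

Added example; assumes a simplified process-creation event with the
Image, CommandLine and ParentImage fields the Sigma rule and scenarios refer to.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set

# selection1: exact image paths the rule lists
DD_IMAGES: Set[str] = {"/bin/dd", "/usr/bin/dd"}
# selection2: an explicit output file is named
OUTPUT_MARKER = "of="
# selection3: the input is one of the two "zeroing" sources
ZEROING_SOURCES = ("if=/dev/zero", "if=/dev/null")


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # maps to Sigma Image / KQL TargetProcessName
    command_line: str   # maps to Sigma CommandLine / KQL TargetProcessCommandLine
    parent_image: str   # assumed field used only for the tuning exclusion


def matches_dd_overwrite(event: ProcessEvent) -> bool:
    """True when all three selections hold, i.e. 'all of selection*'.

    Sigma string matching and KQL 'contains' / 'in~' are case-insensitive,
    so everything is lower-cased before comparison.
    """
    cmd = event.command_line.lower()
    return (
        event.image.lower() in DD_IMAGES
        and OUTPUT_MARKER in cmd
        and any(src in cmd for src in ZEROING_SOURCES)
    )


def is_allowlisted(event: ProcessEvent, allowlisted_parents: Set[str]) -> bool:
    """Tuning layer: suppress hits spawned by a known maintenance parent."""
    return event.parent_image.lower() in {p.lower() for p in allowlisted_parents}


def alerts(events: Iterable[ProcessEvent], allowlisted_parents: Set[str] = frozenset()) -> List[str]:
    """Return the command lines that fire the rule and survive the exclusion."""
    return [
        e.command_line
        for e in events
        if matches_dd_overwrite(e) and not is_allowlisted(e, allowlisted_parents)
    ]


# Constructed sample events (hypothetical, not captured from a real host).
SAMPLE_EVENTS = [
    # 1. zero-fills a log file: all three selections hold -> fires
    ProcessEvent("/usr/bin/dd", "dd if=/dev/zero of=/var/log/auth.log bs=1M count=1", "/bin/bash"),
    # 2. truncates a file via /dev/null: fires
    ProcessEvent("/bin/dd", "dd if=/dev/null of=/tmp/scratch.txt", "/bin/sh"),
    # 3. same pattern but spawned by logrotate: fires, then excluded by the allowlist
    ProcessEvent("/usr/bin/dd", "dd if=/dev/null of=/var/log/app.log", "/usr/sbin/logrotate"),
    # 4. disk imaging (the Clonezilla-style scenario): input is a block device -> no hit
    ProcessEvent("/usr/bin/dd", "dd if=/dev/sda of=/mnt/backup/disk.img bs=4M", "/bin/bash"),
    # 5. 'of=' present but input is not /dev/zero or /dev/null -> outside the rule's scope
    ProcessEvent("/usr/bin/dd", "dd if=/dev/urandom of=/tmp/random.bin count=10", "/bin/bash"),
    # 6. right arguments, wrong binary -> selection1 fails
    ProcessEvent("/usr/bin/cat", "cat if=/dev/zero of=/tmp/x", "/bin/bash"),
    # 7. no 'of=' at all (writes to stdout) -> selection2 fails
    ProcessEvent("/usr/bin/dd", "dd if=/dev/zero bs=1M count=1", "/bin/bash"),
    # 8. mixed case still matches, as it would under Sigma/KQL semantics
    ProcessEvent("/USR/BIN/DD", "DD IF=/DEV/ZERO OF=/etc/hosts", "/bin/bash"),
]

if __name__ == "__main__":
    print("raw rule hits:")
    for cmd in alerts(SAMPLE_EVENTS):
        print("  ALERT:", cmd)
    print("after parent allowlist:")
    for cmd in alerts(SAMPLE_EVENTS, {"/usr/sbin/logrotate"}):
        print("  ALERT:", cmd)
```

Events 4 and 5 show the rule's scope as written: only `/dev/zero` and `/dev/null` inputs and only the two listed `dd` paths count, so a tuner reviewing coverage should decide deliberately whether that scope is what they want, rather than assume every destructive `dd` invocation is caught. The allowlist is keyed on the parent image because the scenarios above recommend filtering on the maintenance tool in the process tree; in a real deployment that list comes from your own baseline, not from this example.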