From 40b378a6e3efcd5d633564f1080f403f1f01b831 Mon Sep 17 00:00:00 2001 From: "@" <@> Date: Sun, 27 Sep 2020 11:52:51 -0500 Subject: [PATCH] updated T1485 --- Tactics/Impact.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Tactics/Impact.md b/Tactics/Impact.md index 76c1f6e..bf8369e 100644 --- a/Tactics/Impact.md +++ b/Tactics/Impact.md @@ -15,7 +15,7 @@ Atomics: [T1485](https://github.com/redcanaryco/atomic-red-team/blob/master/atom Detection of SDelete (by display name) and execution of DD command on *nix operating systems. ``` -(AgentOS In ("linux","osx") AND TgtProcName = "dd") OR TgtProcDisplayName = "Secure file delete" +(AgentOS In ("linux","osx") AND TgtProcName = "dd" AND TgtProcCmdLine ContainsCIS "of=") OR TgtProcDisplayName = "Secure file delete" ``` ### T1490 Inhibit System Recovery
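Review bot: The new `TgtProcCmdLine ContainsCIS "of="` condition in the dd clause narrows the match to invocations that name an output file as an operand, but the description line above the query still reads "execution of DD command" and was not updated. Please extend that sentence to say the rule requires `of=` on the command line, so an analyst reading Impact.md knows what is and is not covered. Note also that dd writes to standard output when no `of=` operand is given, and a shell redirection is not part of dd's own command line, so those executions are no longer matched. If that loss of coverage is intended as a noise reduction, say so in the description. A substring match on `of=` can also hit unrelated text in the command line, such as a path that contains it. If the query language allows it, matching ` of=` with a leading space would be tighter.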