From 9340e2a284db381a6bdc415ee09bd80a5fd09e79 Mon Sep 17 00:00:00 2001 From: "@" <@> Date: Sun, 27 Sep 2020 11:47:04 -0500 Subject: [PATCH] T1485 Data Destruction --- Tactics/Impact.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Tactics/Impact.md b/Tactics/Impact.md index 323662c..76c1f6e 100644 --- a/Tactics/Impact.md +++ b/Tactics/Impact.md @@ -12,6 +12,11 @@ SrcProcCmdline RegExp "net\s+user(?:(?!\s+/delete)(?:.|\n))*\s+/delete" OR TgtPr ### T1485 Data Destruction Atomics: [T1485](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md) +Detection of SDelete (by display name) and execution of DD command on *nix operating systems. + +``` +(AgentOS In ("linux","osx") AND TgtProcName = "dd") OR TgtProcDisplayName = "Secure file delete" +``` ### T1490 Inhibit System Recovery Atomics: [T1490](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md)
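Review bot: the `TgtProcName = "dd"` clause in the added T1485 query fires on every `dd` execution on Linux/macOS, which will be very noisy (package scripts, installers and backups all use it), and nothing in the query ties it to destructive use. The hunk right above this one already uses `SrcProcCmdline RegExp "..."` for T1531, so the same pattern could be applied here, for example restricting the `dd` branch with a command-line match on zero/random sources or raw device targets such as `TgtProcCmdline RegExp "if=/dev/(zero|urandom)|of=/dev/(sd|nvme|disk)"`. The `TgtProcDisplayName = "Secure file delete"` branch has the opposite problem: a display name is attacker-editable metadata and is lost as soon as the binary is rebuilt or has its version resource stripped, so it is worth stating that in the description line and, if the data source supports it, pairing it with a command-line or hash check rather than relying on the display name alone. Minor: the description reads "execution of DD command"; write it as "execution of the `dd` command" to match how the page names other binaries.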