mirror of
https://github.com/keyboardcrunch/sentinelone-queries
synced 2026-06-08 17:07:13 +00:00
keyboardcrunch
16 lines
569 B
YAML
16 lines
569 B
YAML
title: DD Data Destruction
|
|
description: Detect data destruction with the DD command. Alternatively, DV 3.0 with 4.4 Agents will support TgtFileDeletionCount > "100" query for detection of over 100 files deleted, which can be combined with *FileType* for filtering.
|
|
author: keyboardcrunch
|
|
date: 10/10/2020
|
|
modified: 05/12/2020
|
|
mitre:
|
|
tactic: Impact
|
|
technique: T1485
|
|
subtechnique:
|
|
operating_system: linux
|
|
query: AgentOS In ("linux","osx") AND TgtProcName = "dd" AND TgtProcCmdLine ContainsCIS "of="
|
|
false_positives:
|
|
- Disk image captures
|
|
tags:
|
|
references:
|