legitimate overwrite of files.

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_dd_delete_file.yml>sigma
technicques: t1485

Techniques

Detects overwriting (effectively wiping/deleting) of a file.

condition: selection
selection:
  a0|contains: dd
  a1|contains:
  - if=/dev/null
  - if=/dev/zero
  type: EXECVE