redcanaryco / invoke-atomicredteam

Invoke-AtomicRedTeam is a PowerShell module to execute tests as defined in the [atomics folder](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics) of Red Canary's Atomic Red Team project.
MIT License

T1485 -- unbounded dd overwrite fills disk #82

Closed (glallen-cb closed 2 years ago)

glallen-cb commented 2 years ago

atomics/T1485/T1485.yaml

`dd of=#{file_to_overwrite} if=#{overwrite_source}`

has neither timeout nor size limit, and will fill the disk (T1499) vs just wiping the file
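
A bounded form of the overwrite described in this issue, as an added example that is not part of the original issue or the Atomic Red Team project's code: it caps the bytes written at the target file's current size and applies a time limit, so an endless source cannot grow the file. The function names, the 30-second default, and `/dev/zero` as the source are assumptions.

```shell
#!/bin/sh
# Added example: size- and time-bounded variant of the dd overwrite.
# Usage: bounded_overwrite FILE SOURCE [TIMEOUT_SECONDS]
# Note: POSIX sh has no local variables; the names below are global.
bounded_overwrite() {
    file=$1 src=$2 limit=${3:-30}

    # Refuse anything that is not an existing regular file (no devices, no dirs).
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 2; }
    [ -r "$src" ]  || { echo "unreadable source: $src" >&2; return 2; }

    # Current size in bytes; tr strips the padding some wc builds emit.
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -gt 0 ] || return 0        # nothing to overwrite

    # Time limit: use `timeout` when the platform provides it (assumption).
    if command -v timeout >/dev/null 2>&1; then
        run="timeout $limit"
    else
        run=""
    fi

    # head -c caps the bytes taken from SOURCE at the file's size;
    # conv=notrunc makes dd write in place instead of truncating first.
    $run head -c "$size" "$src" | dd of="$file" conv=notrunc 2>/dev/null

    # The file must not have grown: compare the size after the write.
    new=$(wc -c < "$file" | tr -d ' ')
    [ "$new" -eq "$size" ]
}

# Constructed demo on a scratch file (not a path from the issue).
# Prints the file size before and after the overwrite.
demo_bounded_overwrite() {
    scratch=$(mktemp) || return 1
    printf 'constructed sample data\n' > "$scratch"
    before=$(wc -c < "$scratch" | tr -d ' ')
    bounded_overwrite "$scratch" /dev/zero 5
    after=$(wc -c < "$scratch" | tr -d ' ')
    rm -f "$scratch"
    echo "$before $after"
}

demo_bounded_overwrite
```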

glallen-cb commented 2 years ago

doh wrong repo