Create self-delete-using-alternate-data-streams.yml

anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml

@@ -0,0 +1,52 @@
+rule:
+  meta:
+    name: self delete using alternate data streams
+    namespace: anti-analysis/anti-forensic/self-deletion
+    authors:
+      - [email protected]
+    scopes:
+      static: function
+      dynamic: thread
+    att&ck:
+      - Defense Evasion::Indicator Removal::File Deletion [T1070.004]
+    mbc:
+      - Defense Evasion::Self Deletion [F0007]
+    references:
+      - https://github.com/LloydLabs/delete-self-poc
+    examples:
+      - c2d46d256b8f9490c9599eea11ecef19fde7d4fdd2dea93604cee3cea8e172ac:0x1400019C0
+      - 388021747b85453adff2680c8a0e13e230f4eeada1a1055e3fb8e09800d4fb79:0x180003A24
+  features:
+    - or:
+      - and:
+        - count(api(kernel32.SetFileInformationByHandle)): 2
+        - and:
+          - basic block:
+            - and:
+              - api: kernel32.SetFileInformationByHandle
+              - number: 4 = FileDispositionInfo
+              - number: 1 = BufferSize
+        - and:
+          - basic block:
+            - and:
+              - api: kernel32.SetFileInformationByHandle
+              - number: 3 = FileRenameInfo
+        - and:
+          - count(api(kernel32.CreateFile)): 2
+          - number: 0x10000 = DELETE
+      - and:
+        - count(api(kernel32.SetFileInformationByHandle)): 2
+        - and:
+          - instruction:
+            - mnemonic: lea
+            - offset: 0x4 = FileDispositionInfo
+          - and:
+            - mnemonic: lea
+            - offset: 0x1 = BufferSize
+        - and:
+          - count(api(kernel32.CreateFile)): 2
+          - number: 0x10000 = DELETE
+        - and:
+          - instruction:
+            - mnemonic: lea
+            - offset: -0x1D