From a7a23d64cce0218cf1f486e0e85fedbfcb9e104e Mon Sep 17 00:00:00 2001
From: Daniel Stepanic <57736958+dstepanic@users.noreply.github.com>
Date: Tue, 23 Apr 2024 08:16:50 -0500
Subject: [PATCH] Create self-delete-using-alternate-data-streams.yml
---
...lf-delete-using-alternate-data-streams.yml | 52 +++++++++++++++++++
1 file changed, 52 insertions(+)
create mode 100644 anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
new file mode 100644
index 00000000..1cfcfa35
--- /dev/null
+++ b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
@@ -0,0 +1,52 @@
+rule:
+ meta:
+ name: self delete using alternate data streams
+ namespace: anti-analysis/anti-forensic/self-deletion
+ authors:
+ - daniel.stepanic@elastic.co
+ scopes:
+ static: function
+ dynamic: thread
+ att&ck:
+ - Defense Evasion::Indicator Removal::File Deletion [T1070.004]
+ mbc:
+ - Defense Evasion::Self Deletion [F0007]
+ references:
+ - https://github.com/LloydLabs/delete-self-poc
+ examples:
+ - c2d46d256b8f9490c9599eea11ecef19fde7d4fdd2dea93604cee3cea8e172ac:0x1400019C0
+ - 388021747b85453adff2680c8a0e13e230f4eeada1a1055e3fb8e09800d4fb79:0x180003A24
+ features:
+ - or:
+ - and:
+ - count(api(kernel32.SetFileInformationByHandle)): 2
+ - and:
+ - basic block:
+ - and:
+ - api: kernel32.SetFileInformationByHandle
+ - number: 4 = FileDispositionInfo
+ - number: 1 = BufferSize
+ - and:
+ - basic block:
+ - and:
+ - api: kernel32.SetFileInformationByHandle
+ - number: 3 = FileRenameInfo
+ - and:
+ - count(api(kernel32.CreateFile)): 2
+ - number: 0x10000 = DELETE
+ - and:
+ - count(api(kernel32.SetFileInformationByHandle)): 2
+ - and:
+ - instruction:
+ - mnemonic: lea
+ - offset: 0x4 = FileDispositionInfo
+ - and:
+ - mnemonic: lea
+ - offset: 0x1 = BufferSize
+ - and:
+ - count(api(kernel32.CreateFile)): 2
+ - number: 0x10000 = DELETE
+ - and:
+ - instruction:
+ - mnemonic: lea
+ - offset: -0x1D
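Review bot: The last `and:` of the second `or` branch anchors on a bare `lea` with `offset: -0x1D` and carries no `= description`, unlike the `0x4 = FileDispositionInfo` and `0x1 = BufferSize` features above it; a negative frame displacement like that is compiler- and build-specific, so it is the part of this rule most likely to silently stop matching on other builds, and it should at least be annotated, e.g. `- offset: -0x1D = <what this displacement addresses>`. In the same branch, the `and:` holding `mnemonic: lea` / `offset: 0x1 = BufferSize` shows no `instruction:` wrapper in this rendering, unlike its sibling; indentation was flattened in the patch view, so this may be nested under the preceding `instruction:` scope, but if it is not, those two features would be evaluated at function scope and lose the single-instruction pairing the first sibling enforces. With `dynamic: thread` declared, the `basic block`, `instruction` and `mnemonic` features cannot be evaluated from a dynamic trace, so if the dynamic side is not expected to match on its own (and if capa's scope validation rejects static-only features under a dynamic scope), `dynamic: unsupported` would state that intent explicitly rather than relying on the `api`/`number` branch alone.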