Update self-delete-using-alternate-data-streams.yml

anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml

@@ -17,37 +17,18 @@ rule:
       - c2d46d256b8f9490c9599eea11ecef19fde7d4fdd2dea93604cee3cea8e172ac:0x1400019C0
       - 388021747b85453adff2680c8a0e13e230f4eeada1a1055e3fb8e09800d4fb79:0x180003A24
   features:
-    - or:
-      - and:
-        - count(api(kernel32.SetFileInformationByHandle)): 2
-        - and:
-          - basic block:
-            - and:
-              - api: kernel32.SetFileInformationByHandle
-              - number: 4 = FileDispositionInfo
-              - number: 1 = BufferSize
+    - and:
+      - count(api(kernel32.SetFileInformationByHandle)): 2
+      - basic block:
         - and:
-          - basic block:
-            - and:
-              - api: kernel32.SetFileInformationByHandle
-              - number: 3 = FileRenameInfo
+          - api: kernel32.SetFileInformationByHandle
+          - optional:
+            - number: 3 = FileRenameInfo
+      - basic block:
         - and:
-          - count(api(kernel32.CreateFile)): 2
-          - number: 0x10000 = DELETE
+          - api: kernel32.SetFileInformationByHandle
+          - number: 4 = FileDispositionInfo
+          - number: 1 = TRUE // fDelete.DeleteFile = TRUE;
       - and:
-        - count(api(kernel32.SetFileInformationByHandle)): 2
-        - and:
-          - instruction:
-            - mnemonic: lea
-            - offset: 0x4 = FileDispositionInfo
-          - and:
-            - mnemonic: lea
-            - offset: 0x1 = BufferSize
-        - and:
-          - count(api(kernel32.CreateFile)): 2
-          - number: 0x10000 = DELETE
-        - and:
-          - instruction:
-            - description: Uses arithmetic to return FILE_INFORMATION_CLASS (FileRenameInfo)
-            - mnemonic: lea
-            - offset: -0x1D
+        - count(api(kernel32.CreateFile)): 2
+        - number: 0x10000 = DELETE