diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
index 78b77d54..546f1995 100644
--- a/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
+++ b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
@@ -17,37 +17,18 @@ rule:
 - c2d46d256b8f9490c9599eea11ecef19fde7d4fdd2dea93604cee3cea8e172ac:0x1400019C0
 - 388021747b85453adff2680c8a0e13e230f4eeada1a1055e3fb8e09800d4fb79:0x180003A24
 features:
- - or:
- - and:
- - count(api(kernel32.SetFileInformationByHandle)): 2
- - and:
- - basic block:
- - and:
- - api: kernel32.SetFileInformationByHandle
- - number: 4 = FileDispositionInfo
- - number: 1 = BufferSize
+ - and:
+ - count(api(kernel32.SetFileInformationByHandle)): 2
+ - basic block:
 - and:
- - basic block:
- - and:
- - api: kernel32.SetFileInformationByHandle
- - number: 3 = FileRenameInfo
+ - api: kernel32.SetFileInformationByHandle
+ - optional:
+ - number: 3 = FileRenameInfo
+ - basic block:
 - and:
- - count(api(kernel32.CreateFile)): 2
- - number: 0x10000 = DELETE
+ - api: kernel32.SetFileInformationByHandle
+ - number: 4 = FileDispositionInfo
+ - number: 1 = TRUE // fDelete.DeleteFile = TRUE;
 - and:
- - count(api(kernel32.SetFileInformationByHandle)): 2
- - and:
- - instruction:
- - mnemonic: lea
- - offset: 0x4 = FileDispositionInfo
- - and:
- - mnemonic: lea
- - offset: 0x1 = BufferSize
- - and:
- - count(api(kernel32.CreateFile)): 2
- - number: 0x10000 = DELETE
- - and:
- - instruction:
- - description: Uses arithmetic to return FILE_INFORMATION_CLASS (FileRenameInfo)
- - mnemonic: lea
- - offset: -0x1D
+ - count(api(kernel32.CreateFile)): 2
+ - number: 0x10000 = DELETE
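Review bot: Wrapping `number: 3 = FileRenameInfo` in `optional:` leaves the rule's namesake behaviour, the rename into an alternate data stream before the delete, unasserted: the first `basic block` then only requires `api: kernel32.SetFileInformationByHandle`, which the second `basic block` already supplies, so two disposition-only calls plus a `DELETE`-access `CreateFile` now satisfy a rule named for ADS self-deletion. The removed branch matched the rename class through `mnemonic: lea` / `offset: -0x1D` (computed FILE_INFORMATION_CLASS); if that coverage is the reason for loosening the constraint, the rule should say so, for instance `- description: rename class may be computed arithmetically; see dropped lea -0x1D variant`, and both listed samples should be re-verified since one may have matched only through the removed branch. A tighter alternative is an `or` between `number: 3 = FileRenameInfo` and the instruction-scoped `lea`/`offset -0x1D` form in place of `optional`, so the rename class stays required in one shape or the other.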