From 9151fed3fdcce1606187827d0bae577897a4f958 Mon Sep 17 00:00:00 2001
From: Daniel Stepanic <57736958+dstepanic@users.noreply.github.com>
Date: Thu, 25 Apr 2024 08:39:04 -0500
Subject: [PATCH] Update self-delete-using-alternate-data-streams.yml
---
...lf-delete-using-alternate-data-streams.yml | 43 ++++++-------------
1 file changed, 12 insertions(+), 31 deletions(-)
diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
index 78b77d54..546f1995 100644
--- a/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
+++ b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
@@ -17,37 +17,18 @@ rule:
 - c2d46d256b8f9490c9599eea11ecef19fde7d4fdd2dea93604cee3cea8e172ac:0x1400019C0
 - 388021747b85453adff2680c8a0e13e230f4eeada1a1055e3fb8e09800d4fb79:0x180003A24
 features:
- - or:
- - and:
- - count(api(kernel32.SetFileInformationByHandle)): 2
- - and:
- - basic block:
- - and:
- - api: kernel32.SetFileInformationByHandle
- - number: 4 = FileDispositionInfo
- - number: 1 = BufferSize
+ - and:
+ - count(api(kernel32.SetFileInformationByHandle)): 2
+ - basic block:
 - and:
- - basic block:
- - and:
- - api: kernel32.SetFileInformationByHandle
- - number: 3 = FileRenameInfo
+ - api: kernel32.SetFileInformationByHandle
+ - optional:
+ - number: 3 = FileRenameInfo
+ - basic block:
 - and:
- - count(api(kernel32.CreateFile)): 2
- - number: 0x10000 = DELETE
+ - api: kernel32.SetFileInformationByHandle
+ - number: 4 = FileDispositionInfo
+ - number: 1 = TRUE // fDelete.DeleteFile = TRUE;
 - and:
- - count(api(kernel32.SetFileInformationByHandle)): 2
- - and:
- - instruction:
- - mnemonic: lea
- - offset: 0x4 = FileDispositionInfo
- - and:
- - mnemonic: lea
- - offset: 0x1 = BufferSize
- - and:
- - count(api(kernel32.CreateFile)): 2
- - number: 0x10000 = DELETE
- - and:
- - instruction:
- - description: Uses arithmetic to return FILE_INFORMATION_CLASS (FileRenameInfo)
- - mnemonic: lea
- - offset: -0x1D
+ - count(api(kernel32.CreateFile)): 2
+ - number: 0x10000 = DELETE
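Review bot: Wrapping `number: 3 = FileRenameInfo` in `optional:` makes the first `basic block` clause match any block that calls SetFileInformationByHandle, so the rename-to-stream step the rule is named after is no longer required, and the second `basic block` (FileDispositionInfo) already satisfies that clause on its own; the rule now keys on the two call counts, the disposition constants and DELETE access alone. If this is deliberate because some samples derive FileRenameInfo arithmetically rather than passing an immediate (as the removed `lea` / `-0x1D` branch matched), a `#` comment above `- optional:` saying so would stop a later reader from tightening it back, e.g. `# FileRenameInfo may be computed rather than passed as an immediate; kept optional so those samples still match`. Otherwise drop `optional:` so FileRenameInfo remains a hard requirement and plain self-delete via FileDispositionInfo does not satisfy this rule. The rule's meta section begins before this hunk.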