Process Deletion of Its Own Executable

Detects a process deleting its own executable file. On Windows this is normally not possible while the process is running, because the image file is locked by the mapped section, so it requires a workaround: common ones are renaming the executable's primary data stream to an alternate data stream and then setting the delete disposition on the file, or handing the deletion to a helper process. Malware uses this to remove its own binary from disk and hide its traces.

Sigma rule

title: Process Deletion of Its Own Executable
id: f01d1f70-cd41-42ec-9c0b-26dd9c22bf29
status: experimental
description: |
    Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces.
references:
    - https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion
author: Max Altgelt (Nextron Systems)
date: 2024-09-03
tags:
    - attack.defense-evasion
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|fieldref: Image
    condition: selection
falsepositives:
    - Some false positives are to be expected from uninstallers.
level: medium
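The rule's only selection uses the `fieldref` modifier: instead of comparing `TargetFilename` to a literal, it compares it to the value of the `Image` field of the same event. Whether the converted query actually does that depends on the backend, since `fieldref` must be supported by the target query language, and Sysmon file-delete events (Event ID 23 and 26) are the usual source on Windows because they carry both fields. The following is an added illustration, not code from the Sigma project or from pySigma: it evaluates the rule's detection block as written against a few constructed Sysmon-style events. The events, the case-insensitive comparison and the helper names (`match_selection`, `evaluate`, `matching_events`) are this example's own assumptions.

```python
"""Evaluate the Sigma rule's fieldref selection against constructed file_delete events.

Added illustration; not part of Sigma or pySigma. The events below are constructed,
and match_selection() is a minimal stand-in for a backend's handling of `fieldref`.
"""

# The rule's detection block, transcribed as a Python dict.
DETECTION = {
    "selection": {"TargetFilename|fieldref": "Image"},
    "condition": "selection",
}

# Constructed sample events (field names follow Sysmon Event ID 23/26 FileDelete events).
EVENTS = [
    {   # self-deletion: the deleted file is the deleting process's own image
        "EventID": 23,
        "Image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
        "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\update.exe",
    },
    {   # the expected false positive: an uninstaller removing its own binary
        "EventID": 26,
        "Image": r"C:\Program Files\Tool\uninstall.exe",
        "TargetFilename": r"c:\program files\tool\UNINSTALL.EXE",
    },
    {   # ordinary delete of another file: must not match
        "EventID": 23,
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Users\bob\Desktop\notes.txt",
    },
    {   # event without the referenced Image field: must not match
        "EventID": 23,
        "TargetFilename": r"C:\Temp\x.exe",
    },
]


def _norm(value):
    # Windows paths are case-insensitive and Sigma string matching is case-insensitive
    # by default, so both sides are folded before comparing. This is an assumption
    # about the backend; real backends decide this in the generated query.
    return str(value).casefold()


def match_selection(selection, event):
    """Return True if every field/value pair of the selection matches the event.

    Supports plain literal values and the `fieldref` modifier, which compares the
    field against another field of the same event. Other modifiers raise so that
    unsupported rule syntax is visible rather than silently ignored.
    """
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        if actual is None:
            return False
        if modifier == "fieldref":
            ref = event.get(expected)
            if ref is None or _norm(actual) != _norm(ref):
                return False
        elif modifier == "":
            if _norm(actual) != _norm(expected):
                return False
        else:
            raise ValueError(f"unsupported modifier: {modifier}")
    return True


def evaluate(detection, event):
    """Evaluate a detection whose condition is a single selection name."""
    name = detection["condition"].strip()
    if name not in detection:
        raise ValueError(f"condition refers to unknown selection {name!r}")
    return match_selection(detection[name], event)


def matching_events(events=EVENTS, detection=DETECTION):
    """Return the events that the rule would alert on."""
    return [e for e in events if evaluate(detection, e)]


if __name__ == "__main__":
    for e in matching_events():
        print(f"ALERT EventID={e['EventID']} Image={e['Image']}")
```

Two of the four constructed events match: the self-deletion and the uninstaller, which is exactly the false positive the rule documents. Note what the logic does not cover: if the binary delegates its removal to another process (a helper it spawns, or a shell command), `Image` is the helper and the fields no longer agree, so that variant needs a separate rule; and an exact field-to-field comparison also misses any case where the logged `TargetFilename` is not byte-for-byte the same path as `Image`, which is worth checking against real events from the deployed log source.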
