Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.

The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.

Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.

Detects renaming of file while deletion with SDelete tool.