From a7a23d64cce0218cf1f486e0e85fedbfcb9e104e Mon Sep 17 00:00:00 2001
From: Daniel Stepanic <57736958+dstepanic@users.noreply.github.com>
Date: Tue, 23 Apr 2024 08:16:50 -0500
Subject: [PATCH 1/5] Create self-delete-using-alternate-data-streams.yml
--- ...lf-delete-using-alternate-data-streams.yml | 52 +++++++++++++++++++
1 file changed, 52 insertions(+)
create mode 100644 anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
new file mode 100644
index 00000000..1cfcfa35
--- /dev/null
+++ b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
@@ -0,0 +1,52 @@
+rule:
+ meta:
+ name: self delete using alternate data streams
+ namespace: anti-analysis/anti-forensic/self-deletion
+ authors:
+ - daniel.stepanic@elastic.co
+ scopes:
+ static: function
+ dynamic: thread
+ att&ck:
+ - Defense Evasion::Indicator Removal::File Deletion [T1070.004]
+ mbc:
+ - Defense Evasion::Self Deletion [F0007]
+ references:
+ - https://github.com/LloydLabs/delete-self-poc
+ examples:
+ - c2d46d256b8f9490c9599eea11ecef19fde7d4fdd2dea93604cee3cea8e172ac:0x1400019C0
+ - 388021747b85453adff2680c8a0e13e230f4eeada1a1055e3fb8e09800d4fb79:0x180003A24
+ features:
+ - or:
+ - and:
+ - count(api(kernel32.SetFileInformationByHandle)): 2
+ - and:
+ - basic block:
+ - and:
+ - api: kernel32.SetFileInformationByHandle
+ - number: 4 = FileDispositionInfo
+ - number: 1 = BufferSize
+ - and:
+ - basic block:
+ - and:
+ - api: kernel32.SetFileInformationByHandle
+ - number: 3 = FileRenameInfo
+ - and:
+ - count(api(kernel32.CreateFile)): 2
+ - number: 0x10000 = DELETE
+ - and:
+ - count(api(kernel32.SetFileInformationByHandle)): 2
+ - and:
+ - instruction:
+ - mnemonic: lea
+ - offset: 0x4 = FileDispositionInfo
+ - and:
+ - mnemonic: lea
+ - offset: 0x1 = BufferSize
+ - and:
+ - count(api(kernel32.CreateFile)): 2
+ - number: 0x10000 = DELETE
+ - and:
+ - instruction:
+ - mnemonic: lea
+ - offset: -0x1D
From c967c52fe55b99abf88ea8eb478a5f2e78700297 Mon Sep 17 00:00:00 2001
From: Daniel Stepanic <57736958+dstepanic@users.noreply.github.com>
Date: Wed, 24 Apr 2024 13:52:40 -0500
Subject: [PATCH 2/5] Adding description
--- .../self-deletion/self-delete-using-alternate-data-streams.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
index 1cfcfa35..9ad68965 100644
--- a/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
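Review bot: The meta block carries no `description:`, so nothing in the rule explains why two SetFileInformationByHandle calls with FileRenameInfo and FileDispositionInfo plus CreateFile opened with DELETE access should be read as the alternate-data-stream self-delete the name refers to. A one-line entry such as `description: renames the running executable's primary stream to an alternate data stream via FileRenameInfo, then marks the handle for deletion via FileDispositionInfo (see the referenced delete-self-poc)` would let an analyst triage a match without opening the reference. The two `examples` hashes also give no hint which of them presumably exercises the immediate-operand branch and which the `lea`-based one; a trailing comment per hash would make the rule easier to re-test when either branch is changed.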
+++ b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
@@ -48,5 +48,6 @@ rule: - number: 0x10000 = DELETE - and: - instruction: + - description: Uses arithmetic to return FILE_INFORMATION_CLASS (FileRenameInfo) - mnemonic: lea - offset: -0x1D
From 10941b11152f3f07694ae3cabea924373f23c51c Mon Sep 17 00:00:00 2001
From: Daniel Stepanic <57736958+dstepanic@users.noreply.github.com>
Date: Wed, 24 Apr 2024 14:02:04 -0500
Subject: [PATCH 3/5] Update self-delete-using-alternate-data-streams.yml
--- .../self-deletion/self-delete-using-alternate-data-streams.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
index 9ad68965..78b77d54 100644
--- a/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
+++ b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
@@ -48,6 +48,6 @@ rule: - number: 0x10000 = DELETE - and: - instruction: - - description: Uses arithmetic to return FILE_INFORMATION_CLASS (FileRenameInfo) + - description: Uses arithmetic to return FILE_INFORMATION_CLASS (FileRenameInfo) - mnemonic: lea - offset: -0x1D
From 9151fed3fdcce1606187827d0bae577897a4f958 Mon Sep 17 00:00:00 2001
From: Daniel Stepanic <57736958+dstepanic@users.noreply.github.com>
Date: Thu, 25 Apr 2024 08:39:04 -0500
Subject: [PATCH 4/5] Update self-delete-using-alternate-data-streams.yml
--- ...lf-delete-using-alternate-data-streams.yml | 43 ++++++-------------
1 file changed, 12 insertions(+), 31 deletions(-)
diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
index 78b77d54..546f1995 100644
--- a/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
+++ b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
@@ -17,37 +17,18 @@ rule: - c2d46d256b8f9490c9599eea11ecef19fde7d4fdd2dea93604cee3cea8e172ac:0x1400019C0 - 388021747b85453adff2680c8a0e13e230f4eeada1a1055e3fb8e09800d4fb79:0x180003A24 features: - - or: - - and: - - count(api(kernel32.SetFileInformationByHandle)): 2 - - and: - - basic block: - - and: - - api: kernel32.SetFileInformationByHandle - - number: 4 = FileDispositionInfo - - number: 1 = BufferSize + - and: + - count(api(kernel32.SetFileInformationByHandle)): 2 + - basic block: - and: - - basic block: - - and: - - api: kernel32.SetFileInformationByHandle - - number: 3 = FileRenameInfo + - api: kernel32.SetFileInformationByHandle + - optional: + - number: 3 = FileRenameInfo + - basic block: - and: - - count(api(kernel32.CreateFile)): 2 - - number: 0x10000 = DELETE + - api: kernel32.SetFileInformationByHandle + - number: 4 = FileDispositionInfo + - number: 1 = TRUE // fDelete.DeleteFile = TRUE; - and: - - count(api(kernel32.SetFileInformationByHandle)): 2 - - and: - - instruction: - - mnemonic: lea - - offset: 0x4 = FileDispositionInfo - - and: - - mnemonic: lea - - offset: 0x1 = BufferSize - - and: - - count(api(kernel32.CreateFile)): 2 - - number: 0x10000 = DELETE - - and: - - instruction: - - description: Uses arithmetic to return FILE_INFORMATION_CLASS (FileRenameInfo) - - mnemonic: lea - - offset: -0x1D + - count(api(kernel32.CreateFile)): 2 + - number: 0x10000 = DELETE
From e851c561b90237029510110d77819d24017aa338 Mon Sep 17 00:00:00 2001
From: Daniel Stepanic <57736958+dstepanic@users.noreply.github.com>
Date: Fri, 26 Apr 2024 13:23:18 -0500
Subject: [PATCH 5/5] Update self-delete-using-alternate-data-streams.yml
--- ...lf-delete-using-alternate-data-streams.yml | 29 +++++++++++++------
1 file changed, 20 insertions(+), 9 deletions(-)
diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
index 546f1995..bb11184c 100644
--- a/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
+++ b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
@@ -19,16 +19,27 @@ rule: features: - and: - count(api(kernel32.SetFileInformationByHandle)): 2 - - basic block: - - and: - - api: kernel32.SetFileInformationByHandle - - optional: + - or: + - basic block: + - and: + - api: kernel32.SetFileInformationByHandle + - optional: + - number: 3 = FileRenameInfo + - call: + - and: + - api: SetFileInformationByHandle - number: 3 = FileRenameInfo - - basic block: - - and: - - api: kernel32.SetFileInformationByHandle - - number: 4 = FileDispositionInfo - - number: 1 = TRUE // fDelete.DeleteFile = TRUE; + - or: + - basic block: + - and: + - api: kernel32.SetFileInformationByHandle + - number: 4 = FileDispositionInfo + - number: 1 = TRUE // fDelete.DeleteFile = TRUE; + - call: + - and: + - api: SetFileInformationByHandle + - number: 4 = FileDispositionInfo + - number: 1 = TRUE // fDelete.DeleteFile = TRUE; - and: - count(api(kernel32.CreateFile)): 2 - number: 0x10000 = DELETE
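Review bot: The first `or` branch is vacuous in static scope: `optional:` never fails, so `basic block` with `api: kernel32.SetFileInformationByHandle` matches any block that calls the API, including the very block the second `or` already requires, and the FileRenameInfo rename that gives the rule its name is never actually demanded, so a plain two-call FileDispositionInfo self-delete function with two CreateFile calls would match too. If `optional` is there because a sample computes the information class instead of passing an immediate 3 (an earlier revision of this file described a FileRenameInfo value produced by `lea` arithmetic, which presumably motivated it), record that next to it, e.g. `- optional: # FileRenameInfo may be computed rather than passed as an immediate`, otherwise drop `optional` so the rename step is required. The final `and` is also looser than its siblings: `number: 0x10000 = DELETE` is matched anywhere in the function rather than inside a `basic block` together with `api: kernel32.CreateFile`, which is how the SetFileInformationByHandle branches are scoped. Lastly the `call` branches use the unqualified `api: SetFileInformationByHandle` while the `basic block` branches use `kernel32.SetFileInformationByHandle`; if both spellings match the same calls, picking one keeps the rule easier to read, and if they do not, the dynamic branch needs the qualified name to stay consistent with the `count()` clause above it. The enclosing `features` list starts before this hunk.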