From 0a6b8a5701e1074d31db54fc77009fe8cbe7e070 Mon Sep 17 00:00:00 2001
From: Moritz
Date: Sat, 22 Jul 2023 12:29:49 +0200
Subject: [PATCH 1/2] Update self-delete.yml

---
 .../anti-forensic/self-deletion/self-delete.yml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete.yml b/anti-analysis/anti-forensic/self-deletion/self-delete.yml
index 14cc63f3f..0b0b75f14 100644
--- a/anti-analysis/anti-forensic/self-deletion/self-delete.yml
+++ b/anti-analysis/anti-forensic/self-deletion/self-delete.yml
@@ -4,6 +4,7 @@ rule:
 namespace: anti-analysis/anti-forensic/self-deletion
 authors:
 - michael.hunhoff@mandiant.com
+ - "@mr-tz"
 scope: function
 att&ck:
 - Defense Evasion::Indicator Removal::File Deletion [T1070.004]
@@ -16,9 +17,12 @@ rule:
 - or:
 - match: get COMSPEC environment variable
 - string: "cmd.exe"
- - match: host-interaction/process/create
- - string: /\/c\s*del\s*/
- description: "/c del"
+ - match: host-interaction/process/create
+ - or:
+ - string: /\/c\s*del\s*/
+ description: "/c del"
+ - string: /del\s*\S/
+ description: "del \"%s\""
 - optional:
 - string: /\s*>\s*nul\s*/i
 description: "> nul"

From 36d2d14454c4d3240879644ff1a78e979d5f7663 Mon Sep 17 00:00:00 2001
From: Moritz
Date: Sat, 22 Jul 2023 12:43:46 +0200
Subject: [PATCH 2/2] Add empty line at EOF

---
 executable/pe/export/forwarded-export.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/executable/pe/export/forwarded-export.yml b/executable/pe/export/forwarded-export.yml
index 1b209efbf..9e7495c94 100644
--- a/executable/pe/export/forwarded-export.yml
+++ b/executable/pe/export/forwarded-export.yml
@@ -10,4 +10,4 @@ rule:
 examples:
 - 76FA734236DAA023444DEC26863401DC
 features:
- - characteristic: forwarded export
\ No newline at end of file
+ - characteristic: forwarded export
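Review bot: The new alternative `- string: /del\s*\S/` in the second hunk of self-delete.yml is far broader than its description `del "%s"` suggests: capa string regexes are unanchored substring matches, so any lowercase string containing `del` followed by a non-space character (`delete`, `model`, `handler`, `delay`) satisfies it, and `\s*` permits no separator at all. It still sits under the rule's top-level `and` with the cmd.exe/COMSPEC and process-creation features, but those are common in benign installers and updaters, so this is a real false-positive risk for an anti-forensic rule. Anchoring on a word boundary and requiring a separator before the argument matches the stated intent (assuming capa's Python `re` semantics), e.g. `- string: /\bdel\s+\S/`, and consider `/i` as the sibling `> nul` pattern already has, since `DEL "%s"` is equally plausible. Separately, the removed and re-added `- match: host-interaction/process/create` lines are textually identical in this view, so that pair presumably changes only indentation or trailing whitespace; worth confirming it is intended. The enclosing `features:`/`and:` block starts before this hunk.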